I am building an automated workflow (using Saltstack) that delivers an encrypted password to a system that needs to be joined to a domain like this:
netdom join %computername% /domain:domain.com /UserD:user /PasswordD:passwrd
The encrypted password can be decrypted and fed into the above line using another script. The difficulty is with the storage of this temporary encrypted password. So far, I can only think of two ways of doing this, neither of which is desirable:
- RAMDISK - no built-in way to create one so there is a reliance on third party, no good
- Environmental variables - persistent variables live in registry aka on disk so still no good
Any suggestions?
CodePudding user response:
It sounds like this password should be stored in an encrypted pillar.
#!yaml|gpg
net_password: |
  -----BEGIN PGP MESSAGE-----
  hQEMAw2B674HRhwSAQgAhTrN8NizwUv/VunVrqa4/X8t6EUulrnhKcSeb8sZS4th
  W1Qz3K2NjL4lkUHCQHKZVx/VoZY7zsddBIFvvoGGfj8 2wjkEDwFmFjGE4DEsS74
  ZLRFIFJC1iB/O0AiQ oU745skQkU6OEKxqavmKMrKo3rvJ8ZCXDC470 i2/Hqrp7
  KWGmaDOO422JaSKRm5D9bQZr9oX7KqnrPG9I1 UbJyQSJdsdtquPWmeIpamEVHb
  VMDNQRjSezZ1yKC4kCWm3YQbBF76qTHzG1VlLF5qOzuGI9VkyvlMaLfMibriqY73
  zBbPzf6Bkp2 Y9qyzuveYMmwS4sEOuZL/PetqisWe9JGAWD/O slQ2KRu9hNww06
  KMDPJRdyj5bRuBVE4hHkkP23KrYr7SuhW2vpe7O/MvWEJ9uDNegpMLhTWruGngJh
  iFndxegN9w==
  =bAuo
  -----END PGP MESSAGE-----

join domain:
  cmd.run:
    - name: netdom join %computername% '/PasswordD:{{ pillar["net_password"] }}' /domain:domain.com /UserD:user
If you already have it set up in e.g. a Vault instance, you can use sdb
to access it instead.
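
The sdb variant mentioned in the answer above, sketched as an added example (not code from the original answer or from the Salt project). The profile name `myvault`, the secret path `secret/netdom/password` and the file name are hypothetical, and Vault connection and authentication are assumed to be configured already.

```yaml
# --- minion configuration: declare an sdb profile ---
# "myvault" is a hypothetical profile name; Vault connection and auth
# settings are assumed to be configured separately.
myvault:
  driver: vault

# --- state file, e.g. join_domain.sls (hypothetical name) ---
# sdb.get runs while the minion renders the state, so the secret is fetched
# at run time and is not stored in a pillar file.
{% set join_password = salt['sdb.get']('sdb://myvault/secret/netdom/password') %}

join domain:
  cmd.run:
    - name: netdom join %computername% /domain:domain.com /UserD:user "/PasswordD:{{ join_password }}"
    # Keep the rendered command line (which contains the password) out of the minion log.
    - output_loglevel: quiet
    # Keep the command's stdout/stderr out of the job return.
    - hide_output: True
```

The rendered command is still the state's `name`, which is part of the state return, so the job cache and any returners should be treated as holding the secret.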