I am building an automated workflow (using SaltStack) that delivers an encrypted password to a system that needs to be joined to a domain like this:
netdom join %computername% /domain:domain.com /UserD:user /PasswordD:passwrd
The encrypted password can be decrypted and fed into the above line using another script. The difficulty is with the storage of this temporary encrypted password. So far, I can only think of two ways of doing this, neither of which is desirable:
Any suggestions?
It sounds like this password should be stored in an encrypted pillar.
#!yaml|gpg

net_password: |
  -----BEGIN PGP MESSAGE-----

  hQEMAw2B674HRhwSAQgAhTrN8NizwUv/VunVrqa4/X8t6EUulrnhKcSeb8sZS4th
  W1Qz3K2NjL4lkUHCQHKZVx/VoZY7zsddBIFvvoGGfj8+2wjkEDwFmFjGE4DEsS74
  ZLRFIFJC1iB/O0AiQ+oU745skQkU6OEKxqavmKMrKo3rvJ8ZCXDC470+i2/Hqrp7
  +KWGmaDOO422JaSKRm5D9bQZr9oX7KqnrPG9I1+UbJyQSJdsdtquPWmeIpamEVHb
  VMDNQRjSezZ1yKC4kCWm3YQbBF76qTHzG1VlLF5qOzuGI9VkyvlMaLfMibriqY73
  zBbPzf6Bkp2+Y9qyzuveYMmwS4sEOuZL/PetqisWe9JGAWD/O+slQ2KRu9hNww06
  KMDPJRdyj5bRuBVE4hHkkP23KrYr7SuhW2vpe7O/MvWEJ9uDNegpMLhTWruGngJh
  iFndxegN9w==
  =bAuo
  -----END PGP MESSAGE-----

join domain:
  cmd.run:
    - name: netdom join %computername% '/PasswordD:{{ pillar["net_password"] }}' /domain:domain.com /UserD:user
If you already have it set up in e.g. a Vault instance, you can use sdb to access it instead.
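
The sdb route mentioned in the answer above, sketched as an added example that is not part of the original answer. The profile name `myvault`, the Vault path `secret/domainjoin` and the key `password` are assumptions, and Salt's Vault integration is assumed to be configured already so the minion can authenticate.

```yaml
# ---- minion (or master) configuration ----
# sdb profile; the name "myvault" is an assumption made for this example
myvault:
  driver: vault

# ---- state file (a separate file from the configuration above) ----
# Look the secret up at render time instead of reading it from pillar.
# URI layout: sdb://<profile>/<vault path>/<key>; path and key are hypothetical.
{% set join_pw = salt['sdb.get']('sdb://myvault/secret/domainjoin/password') %}

join domain:
  cmd.run:
    - name: netdom join %computername% '/PasswordD:{{ join_pw }}' /domain:domain.com /UserD:user
    # Do not write the command or its output to the minion log
    - output_loglevel: quiet
    # Keep stdout/stderr out of the state's results
    - hide_output: True
```

The rendered command, password included, is still the state's `name` in the job return, so access to the master's job cache and any configured returners should be restricted accordingly.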