The realm command and various other realmd clients should not do a join without authentication unless specifically requested. We should not try to do a join with a preset computer account without authentication (such as an OTP or an admin password). The security of Kerberos relies on the shared secret. This currently occurs with the 'realm' command when used against AD.
Created attachment 113699
service: Refactor to support per domain supported cred types

This is so specific domains can be configured to support things like automatic authentication.
Created attachment 113700
Disable automatic AD joins by default

We only offer them as an option to clients if they have been configured in the realmd.conf file. This is because automatic AD joins do not have the mutual authentication we usually expect with Kerberos. The computer account secret is predictable and not secure enough to be on by default.
Merged.