The realm command and various other realmd clients should not do a join without authentication unless specifically requested.
We should not try to do a join with a preset computer account without authentication (such as an OTP or an admin password). The security of Kerberos relies on the shared secret.
This currently occurs with the 'realm' command when used against AD.
Created attachment 113699
service: Refactor to support per domain supported cred types
This is so specific domains can be configured to support things
like automatic authentication.
Created attachment 113700
Disable automatic AD joins by default
We only offer them as an option to clients if they have been configured
in the realmd.conf file.
This is because automatic AD joins do not have the mutual authentication
we usually expect with Kerberos. The computer account secret is
predictable and not secure enough to be on by default.