Vern might also redirect you to Dave S or Mike S, they
would probably be better help for the specific devices as they did some
work on them for integration and were involved with the vendor to work on the
code changes for delegated join. Obviously you know that those devices don't
have a good history there. When they first tried to bring them in I did a
quick check of what they were doing and wrote a very long bulleted list of
problems we would most likely encounter with them and if I recall, we
hit just about every, if not every item on my list after I was assured
by our storage people as well as the vendor's top technical people we
wouldn't hit them. All that really happened from what I pointed out is that
the storage manager Bob T got pissy with me though I was trying to save him a
lot of pain. They also seem to have a history of regressing their own fixes with
new fixes. I saw that a couple of times too if I recall correctly which I never
would have thought to write down as an issue.
Either way, the vendor should be able to tell you what is
hosed about it. Another issue they had there that could be involved is the
disjoint name space.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Thursday, January 12, 2006 8:19 AM
To: [email protected]
Subject: RE: [ActiveDir] Rights needed for...
Thanks for
the info joe, I'm doing quite well. This is the same struggle...just
happens to be a couple years later. The vendor claims it works fine under
reduced permission and our environment is hosed up, yet I can consistently
reproduce it in multiple scenarios. I'll work with the guys listed to try
and get some resolution out of this. Thanks again!
-Brandon
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 8:22 PM
To: [email protected]
Subject: RE: [ActiveDir] Rights needed for...
Hey Brandon. How are you?
Just taking a guess but I would start with Change Password
since kpasswd I believe takes the old and new passwords right? You might want to
touch bases with Slav (see Vern) as he might know for sure having played with
that stuff for a couple of years to kerberize UX and Solaris. I recall there was
a join issue that was encountered that necessitated re-looking at the
permissions delegated to the machine accounts even for Windows joins from what
was previously assigned. Joining the SAN devices was always a pain in the rear
and I recall it had to be done by DA there for a bit but the vendors were
supposed to fix that. Again, ping Vern.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, January 11, 2006 3:27 PM
To: [email protected]
Subject: [ActiveDir] Rights needed for...
Does anyone know what rights are acutally used during a join to perform the kpasswd function on the computer object? This doesn't really affect windows host since the traces (at least in my environment) shows them using NTLM for the password change.
I'm told "Reset Password" should be it, but that’s only on the NTLM side… Any suggestions are very much appreciated. Thanks in advance!
-Brandon
