On Mon, Sep 13, 2004 at 04:42:04PM -0300, Andreas wrote: > On Mon, Sep 13, 2004 at 10:57:22AM -0300, Andreas wrote: > > samba-3.0.6, win2k will all patches from windowsupdate as of last > > friday > > > > Should it be possible to join an AD domain (win2k) without a password > > on the client side if the machine is already created in the ou=Computers > > container? I seem to be unable to do this: either "net ads join" will ask > > for a password or it will try with the current user's kerberos ticket and > > fail if this user doesn't have the right privileges. > > > > This seemed to work with "net rpc join" when win2k is not in its native mode. > > Am I missing something? > > When I created the computer account in w2k, I selected the "Authenticated users" > to be permitted to join the machine to the domain. From a winxp pro workstation, > I could use any user to perform the joining, but from samba only administrators > or members of the account operators group could join the domain. Is samba doing > something differently that I'm not aware of?
Samba's "net ads join" is indeed different. I sniffed the join operation from winxp pro and samba-3.0.7. samba uses ldap to change attributes on AD (and it's here that is gets a permission denied error) and later on uses kerberos to change the machine's password. Winxp uses something completely different. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
