Doug,

>>> I was saying dns domain not equal realm dropped
>>> and rewrite ads join code
>>
>> No it wasn't. I run with this on a daily basis.
>> Perhaps something else is attributing to your failures.
>>
> First, I'm not having failures. I was commenting information
> I believed I read. So what did you mean in this post:
> http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2
...
> Did you mean if one joins with non-admin credentials
> it no longer works, but if one's credentials are
> administrative it still works?
>
> I understand previously joined machines still work.
>
> Not trying to be a wise guy, just trying to understand.

No problem. I spent a couple of days just staring at traces and reading to try to track down the corner cases. It's pretty confusing. The best thing to do is to read here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

and then use ADSIedit to view the default security descriptor on a machine account object. A non-admin (and the machine itself) only has validated-write access to the dNSHostName and servicePrincipalName attributes. This means that the dNSHostName value has to be within the AD realm and the SPN has to match the dNSHostName. Try to join a WinXP box to a domain using a non-admin account with the dns suffix outside of the AD realm and you will see what I mean. It fails to join and tells you to contact the administrator to relax the rules (or something similar). If you are a domain admin, then you have full control over these attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP requests which required you to be a Domain Admin. As part of the join, the machine SID was given full control over the object in AD so again you could do whatever you liked with 'net ads keytab add -P'. The code in 3.0.23 uses a mixture of RPC and LDAP just like Windows 2000/XP.

The advantage is that a non-admin can now join a Samba box to a domain given the same privileges as required by Windows. The disadvantage is that we can no longer assume we have admin rights to set any property we like. This is why, for example, we no longer try to create a UPN by default (although I added a new option to net ads join in 3.0.23a that will do that) or set the operatingSystem attribute value.

Hope this helps clear up some of the confusion. Note that I've added in a fair amount of new code in 3.0.23a for (a) deriving the DES salt, (b) generating the keytab file, and (c) optionally creating the UPN as part of the join. Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old, spread across multiple MIT and Heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it.

cheers, jerry

=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
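The validated-write rules the mail describes, turned into a pre-flight check a domain admin or helpdesk could run before letting a non-admin join a host. This is an added example, not Samba code; the JoinPlan structure is invented here, and allowing an SPN to name the short computer name as well as the dNSHostName is an assumption beyond what the mail states.

```python
"""Pre-flight check for a non-admin AD join, following the validated-write
rules from the mail: dNSHostName must lie inside the AD realm and every
SPN's host part must match it (short-name form is an assumption)."""
from dataclasses import dataclass, field


@dataclass
class JoinPlan:
    netbios_name: str                          # e.g. "WS01" (sAMAccountName "WS01$")
    dns_suffix: str                            # DNS suffix the host will use
    ad_realm: str                              # the AD domain's DNS name
    spns: list = field(default_factory=list)   # SPNs the join wants to register

    @property
    def dns_host_name(self) -> str:
        return f"{self.netbios_name}.{self.dns_suffix}".lower().rstrip(".")


def validated_write_problems(plan: JoinPlan) -> list:
    """Return the reasons a validated-write (non-admin) join would be refused.
    An empty list means every value is one the machine account may set itself."""
    problems = []
    realm = plan.ad_realm.lower().rstrip(".")
    host = plan.dns_host_name
    # Rule 1 from the mail: dNSHostName must be within the AD realm.
    _, _, suffix = host.partition(".")
    if suffix != realm:
        problems.append(f"dNSHostName {host!r} is not within realm {realm!r}")
    # Rule 2: each SPN's host part must match dNSHostName (or the short name).
    allowed = {host, plan.netbios_name.lower()}
    for spn in plan.spns:
        service, sep, target = spn.partition("/")
        if not sep or not service:
            problems.append(f"SPN {spn!r} is not of the form service/host")
            continue
        # SPN syntax is service/host[:port][/servicename]; keep only the host.
        target_host = target.split(":", 1)[0].split("/", 1)[0].lower()
        if target_host not in allowed:
            problems.append(f"SPN {spn!r} host does not match {host!r}")
    return problems


def can_join_as_non_admin(plan: JoinPlan) -> bool:
    """True when no rule would force the join to fall back to admin rights."""
    return not validated_write_problems(plan)
```

Run it on the scenario from the mail (a DNS suffix outside the realm) and it reports the dNSHostName problem a non-admin join would trip over.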
