Re: [Samba] Permissions on ou for net join to ADS

2004-02-25 Thread Andrew Bartlett
On Wed, 2004-02-25 at 03:16, Unix Service (ANTS) wrote:
 Hi
 
 I have noticed the following behaviour:
 
 If I get a kerberos ticket as a domain admin user using kinit and then do a
 net join to an ADS domain, then this works fine and net ads testjoin and net
 ads leave work too.
 
 However if I do it as a user with full control on a particular ou within the
 AD tree, net join gives the following:
 
 net join /Global Administration/Samba Servers
 [2004/02/24 14:33:48, 0] libads/ldap.c:(1072)
   Warning: ads_set_machine_sd: NT_STATUS_INVALID_PARAMETER
 Using short domain name -- AD
 Joined 'host1' to realm 'AD.ME.CO.UK'
 
 net ads test join still returns ok but net ads leave returns failed to
 delete host  from dd realm (if I do a net join again it deletes the
 old entry and re-adds the host ok).
 
 It's not causing any problems as such, but I just wondered if there was any
 explanation for the above behaviour as I assumed full control on an ou would
 be equivalent to domain admin within the scope of that ou.

Not quite - it does not allow us to set security descriptors. We need
to return better errors there, but that's what is going on.  So, we
allow the join to work, but we can't remove our account on domain
leave.  (We normally modify the SD to permit exactly that).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
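To make the distinction in Andrew's reply concrete, here is an added example (not Samba code and not from this thread): a small Python parser for a self-relative Windows security descriptor that reports whether a SID is explicitly granted WRITE_DAC, the standard right needed to rewrite an object's DACL, in contrast to the create/delete-child and property rights an OU delegate typically holds. The SIDs, the two ACEs and their access masks are constructed for the sample; the check reads plain ACEs naming the SID directly and does no group expansion or inheritance evaluation, so it is a first diagnostic, not a full effective-access calculation.

```python
import struct

WRITE_DAC = 0x00040000                       # right needed to rewrite an object's DACL
ACE_ALLOWED, ACE_DENIED = 0x00, 0x01         # plain (non-object) ACE types
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, authority, subauths."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    auth = int(parts[2]).to_bytes(6, "big")
    return bytes([1, len(subs)]) + auth + b"".join(struct.pack("<I", s) for s in subs)

def build_sd(aces):
    """Self-relative SD carrying only a DACL; aces = [(ace_type, mask, sid), ...]."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_b = sid_to_bytes(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    # 20-byte header: owner/group/SACL offsets 0 (absent), DACL right after header
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + acl

def dacl_rights(sd, sid):
    """Return (allowed, denied) masks accumulated from ACEs that name sid directly."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    masks = {ACE_ALLOWED: 0, ACE_DENIED: 0}
    if control & SE_DACL_PRESENT and dacl_off:
        ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
        pos, sid_b = dacl_off + 8, sid_to_bytes(sid)
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
            # Object ACEs (types 5/6) carry GUIDs before the SID and are skipped here.
            if ace_type in masks and sd[pos + 8:pos + ace_size] == sid_b:
                masks[ace_type] |= struct.unpack_from("<I", sd, pos + 4)[0]
            pos += ace_size
    return masks[ACE_ALLOWED], masks[ACE_DENIED]

def can_set_sd(sd, sid):
    """True if sid is explicitly granted WRITE_DAC and no ACE denies it."""
    allowed, denied = dacl_rights(sd, sid)
    return bool(allowed & WRITE_DAC) and not denied & WRITE_DAC

# Constructed sample: full control (0x000F01FF) for an admin group SID, but only
# create/delete child, list, self, read/write property (0x3F) for the OU delegate.
ADMIN_SID = "S-1-5-21-1000000000-2000000000-3000000000-512"
DELEGATE_SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"
SAMPLE_SD = build_sd([(ACE_ALLOWED, 0x000F01FF, ADMIN_SID),
                      (ACE_ALLOWED, 0x0000003F, DELEGATE_SID)])
```

Run `can_set_sd(SAMPLE_SD, DELEGATE_SID)` to see the delegate come back False while the admin SID comes back True; when reviewing a real delegation, note that WRITE_DAC granted on an OU with inheritance lets its holder rewrite permissions on every descendant object, so it should be scoped deliberately rather than handed out as a side effect of "full control".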

[Samba] Permissions on ou for net join to ADS

2004-02-24 Thread Unix Service (ANTS)
Hi

I have noticed the following behaviour:

If I get a kerberos ticket as a domain admin user using kinit and then do a
net join to an ADS domain, then this works fine and net ads testjoin and net
ads leave work too.

However if I do it as a user with full control on a particular ou within the
AD tree, net join gives the following:

net join /Global Administration/Samba Servers
[2004/02/24 14:33:48, 0] libads/ldap.c:(1072)
  Warning: ads_set_machine_sd: NT_STATUS_INVALID_PARAMETER
Using short domain name -- AD
Joined 'host1' to realm 'AD.ME.CO.UK'

net ads test join still returns ok but net ads leave returns failed to
delete host  from dd realm (if I do a net join again it deletes the
old entry and re-adds the host ok).

It's not causing any problems as such, but I just wondered if there was any
explanation for the above behaviour as I assumed full control on an ou would
be equivalent to domain admin within the scope of that ou.

tim


