[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Dan Oriani
dan at reportallusa.com
Tue Feb 6 20:36:27 UTC 2018
Quoting Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 06 Feb 2018 14:09:08 -0500
> Dan Oriani via samba <samba at lists.samba.org> wrote:
>
>>
>> I'm not opposed to the idea. Does 'net ads join' support supplying
>> the machine name as the user, and the one-time-password given to it?
>> The only reason I'm using adcli at all is the preset-computer option
>> which I couldn't find an analogue to in 'net ads'.
>>
>>
>
> I have never tried this, but there is the 'createcomputer=OU' option:
>
> Precreate the computer account in a specific OU.
> The OU string read from top to bottom without RDNs
> and delimited by a '/'.
> E.g. "createcomputer=Computers/Servers/Unix"
> NB: A backslash '\' is used as escape at multiple
> levels and may need to be doubled or even
> quadrupled. It is not used as a separator.
>
> Rowland
>
So I have the computer precreated in the OU. Let's call this host
'ruby'. I also pass 'machinepass' so that it can join itself later (I
think?). On 'ruby' I run 'net ads join', except it asks me for a
password still. If I try to run 'net ads join -U RUBY$%onetimepass -v
-d 5' it seems as if it tries to create the machine again, as in the
logs I get 'machine account creation failed', then 'failed to
precreate account in ou ....: Insufficient accesssigned SMB2 message'.
Should I be specifying something else? The man page seems to suggest
that if the machine already exists, it'll use that entry. Having 'net
ads join' prompt me for a password is a no-go, as it brings me right
back to manually doing this all by hand.