joining an M$ NT Server Domain with TNG
Elrond
elrond at samba.org
Tue Aug 29 17:30:42 GMT 2000
On Tue, Aug 29, 2000 at 06:57:21PM +0200, Jens Skripczynski wrote:
[...]
> > Okay... The way Luke wanted it to work:
> >
> > On your Linuxbox as root:
> >
> > rpcclient -S NTSERVER -U Administrator%adminpw
> > [...]$ createuser TNGBOX$ -j -L
> >
> >
> > Yes, you need to know a user on the domain that is allowed
> > to create trust accounts. If that isn't possible for you,
> > go and bug Luke. ;)
> *BUG* *BUG* :)
> Hm, no. He did a good thing. No, I wanted to try to see how TNG
> behaves in an NT environment. And with the old versions I could join via
> smbpasswd. Why do I suddenly need the admin password, or why does the 2.0.7
> branch not need the pw?
Luke wanted the stuff to be more secure.
In 2.0.x it works like this (and it works the same with
normal nt4 joining a domain):
- ntadmin creates the trust-account (MEMBER$)
- srvmgr sets the pw of that account to "member"
- MEMBER connects to the nt-box with that MEMBER$ and "member"
- the connection is encrypted with the current pw (guess
what? That's "member" from above)
- MEMBER changes the pw for its trust-account.
If you want this scenario to be secure, you have to grab
your MEMBER-box and connect it to the PDC on a secure LAN.
With the method in TNG, you connect as Administrator and
the connection is encrypted with his pw (which shouldn't be
guessable). Then the trust-account is created and the new
random pw is set. It's more secure.
The reason there's currently no way of doing the old
method with TNG: we don't know the commands to remotely
join an NT box into a domain. This is possible, because a
util called netdom exists to do that. I simply don't have
enough spare boxes to trace what it is doing...
(And we don't know yet, how passwords are encrypted for
lsa_set_secret, if (strlen(password) % 4) != 0.)
Elrond
>
> Ciao
>
> Jens Skripczynski
> --
> E-Mail: skripi at igd.fhg.de
>
> Computers are like airconditioners: They stop working
> properly if you open windows.
> Win95: A 32-bit patch for a 16-bit GUI shell running on top of an
> 8-bit operating system written for a 4-bit processor by a
> 2-bit company who cannot stand 1 bit of competition.
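To make Elrond's argument concrete, here is an added model of the two join flows (not Samba or TNG code; the XOR stream cipher is a constructed stand-in for the real NT session encryption, and the machine name, admin password and random trust password are made up). In the 2.0.x flow the trust-password change travels over a channel keyed by the initial password, which is just the lowercased machine name; in the TNG flow it is keyed by the administrator's password.

```python
import hashlib
import secrets


def keystream_xor(key: str, data: bytes) -> bytes:
    # Toy stream cipher (constructed for this model): XOR with a SHA-256
    # keystream. It stands in for "the connection is encrypted with the
    # current pw"; it is NOT the real NT/SMB session encryption.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key.encode() + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def initial_trust_password(machine: str) -> str:
    # 2.0.x / NT4 convention from the mail: MEMBER$ starts out with pw "member".
    return machine.lower()


def join_2_0_x(machine: str):
    # Member authenticates as MEMBER$ with the well-known initial pw, then
    # sends its new random trust password over a channel keyed by that pw.
    new_pw = secrets.token_hex(8)
    on_the_wire = keystream_xor(initial_trust_password(machine), new_pw.encode())
    return new_pw, on_the_wire


def join_tng(admin_pw: str):
    # TNG: Administrator creates the account and sets a random pw; the channel
    # is keyed by the admin's (not guessable) password.
    new_pw = secrets.token_hex(8)
    on_the_wire = keystream_xor(admin_pw, new_pw.encode())
    return new_pw, on_the_wire


def lan_observer_recovers(machine: str, on_the_wire: bytes) -> str:
    # What someone on the same (insecure) LAN who knows only the machine name
    # gets by decrypting with the derivable initial password.
    plain = keystream_xor(initial_trust_password(machine), on_the_wire)
    return plain.decode("utf-8", "replace")


def compare(machine: str = "MEMBER", admin_pw: str = "hypothetical-admin-pw") -> dict:
    # Returns whether the new trust password leaks in each flow.
    old_pw, old_wire = join_2_0_x(machine)
    new_pw, new_wire = join_tng(admin_pw)
    return {
        "2.0.x_leaks_new_pw": lan_observer_recovers(machine, old_wire) == old_pw,
        "tng_leaks_new_pw": lan_observer_recovers(machine, new_wire) == new_pw,
    }
```

This is why the mail says the 2.0.x flow is only safe if the member box is joined to the PDC over a secure LAN: the only secret protecting the password change is one anybody can derive from the machine name.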