net ads join without an admin account

ndb at ndb at
Mon Dec 1 15:59:55 GMT 2003

I've gotten Samba 3 ADS working but I have a question about the method
used for the net ads join.

When I use security=ads and add a machine to the realm via net ads join
"some/container" smbd shows that it tries to add it to the realm but
since it exists, it deletes it and then readds it.  When I do this is
as an Adminstrator, its not a problem because he has full access to the
Container.  So he can delete it and readd it without any problems.  In 
our network enviroment, we want to be able to give users the ability to
ladd their machines to the realm but not as an Administrator of the 
container so we give them admin rights to their machine. so they can 
delete the machine but not readd it.  When I was using winbind for 
authentication and doing something like smbpasswd -j domain -r host -U 
someuser it wouldnt delete the machine from the domain.  The users only 
had access to their own machine.

So my question is, is it possible that when you do a net ads join does
it have to delete the machine or can smbd just edit it?  
Does anyone else have another solution so that I dont have to give out 
admin accounts to the container?


More information about the samba-technical mailing list