net ads join without an admin account

ndb at theghet.to ndb at theghet.to
Tue Dec 9 16:15:35 GMT 2003


My colleague and I wrote a patch that modifies the existing machine account in place instead of deleting and re-creating it.

ndb

On Fri, Dec 05, 2003 at 11:05:36AM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> ndb at theghet.to wrote
> :
> >So my question is, is it possible that when you do a net ads join does
> >it have to delete the machine or can smbd just edit it?  
> >Does anyone else have another solution so that I dont have to give out 
> >admin accounts to the container?
> 
> It's on the list of things to implement but no ETA.
> 
> 
> 
> 
> cheers, jerry
>  ----------------------------------------------------------------------
>  Hewlett-Packard            ------------------------- http://www.hp.com
>  SAMBA Team                 ---------------------- http://www.samba.org
>  GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
>  "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQE/0LrgIR7qMdg1EfYRAswgAJ9y0BNQV6Oxidan/skqLLR3I+YlmQCdGMfZ
> VRPt9CET/urBLS4lqCTHaFY=
> =+BhC
> -----END PGP SIGNATURE-----
> 
-------------- next part --------------
#       This allows a non-admin who has rights to the machine account but
#       not to its container to do a net ads join. Instead of deleting the
#       machine account and re-creating it with the attributes Samba needs,
#       it modifies the existing machine account in place.
#  
#       ndb at theghet.to
#       zifnab at iname.com
diff -uNr samba-3.0.0.original/source/libads/ldap.c samba-3.0.0/source/libads/ldap.c
--- samba-3.0.0.original/source/libads/ldap.c	2003-09-11 14:05:44.000000000 -0400
+++ samba-3.0.0/source/libads/ldap.c	2003-12-09 11:10:24.000000000 -0500
@@ -998,6 +998,14 @@
 	const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL};
 	char *psp, *psp2;
 	unsigned acct_control;
+	unsigned exists=0;
+	LDAPMessage *res;
+
+	status = ads_find_machine_acct(ads, (void **)&res, hostname);
+	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
+		DEBUG(0, ("Host account for %s already exists - modifying old account\n", hostname));
+		exists=1;
+	}
 
 	if (!(ctx = talloc_init("machine_account")))
 		return ADS_ERROR(LDAP_NO_MEMORY);
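Review bot: The LDAPMessage returned by ads_find_machine_acct on the added lines is never released, so every join that reaches this code leaks the search result; once `exists` has been decided the result should be freed with the libads message-free helper (ads_msgfree, if I read this file's API right), on the found-one-entry path as well as the not-found path. `res` is presumably only assigned when the search succeeds, which is harmless here because it is only dereferenced under ADS_ERR_OK(status), but initialising it (`LDAPMessage *res = NULL;`) would make an unconditional free safe. The enclosing function starts before this hunk and `status` is declared there.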
@@ -1045,18 +1053,23 @@
 
 	if (!(mods = ads_init_mods(ctx)))
 		goto done;
-	
-	ads_mod_str(ctx, &mods, "cn", hostname);
-	ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
-	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+
+	if (!exists) {
+		ads_mod_str(ctx, &mods, "cn", hostname);
+		ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
+		ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+		ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+	}
+	ads_mod_str(ctx, &mods, "dNSHostName", hostname);
 	ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
 	ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
-	ads_mod_str(ctx, &mods, "dNSHostName", hostname);
-	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
 	ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
 	ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING);
 
-	ret = ads_gen_add(ads, new_dn, mods);
+	if (!exists) 
+		ret = ads_gen_add(ads, new_dn, mods);
+	else
+		ret = ads_gen_mod(ads, new_dn, mods);
 
 	if (!ADS_ERR_OK(ret))
 		goto done;
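Review bot: In the `exists` branch the userAccountControl write is skipped, so whatever flags the pre-existing object carries — a disabled account, or a trust type different from the `acct_control` computed for this join — survive the join unchanged while servicePrincipalName and userPrincipalName are overwritten; if that is deliberate because the caller may only be allowed to touch some attributes, say so with `/* existing account: leave userAccountControl alone, the caller may only have rights to the SPN/UPN attributes */`, otherwise keep `ads_mod_str(ctx, &mods, "userAccountControl", controlstr);` outside the `if (!exists)` block. A second concern is the target DN: the existing object was found by a search on hostname, but ads_gen_mod is applied to `new_dn`, which as far as this hunk shows is built from the requested OU, so an account pre-created in a different container would produce a no-such-object failure instead of a modification; using the DN of the entry actually found would avoid that. The enclosing function begins before this hunk.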
@@ -1065,11 +1078,13 @@
 	 * it shouldn't be mandatory and probably we just 
 	 * don't have enough rights to do it.
 	 */
-	status = ads_set_machine_sd(ads, hostname, new_dn);
-
-	if (!ADS_ERR_OK(status)) {
-		DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
-				ads_errstr(status)));
+	if (!exists) {
+		status = ads_set_machine_sd(ads, hostname, new_dn);
+	
+		if (!ADS_ERR_OK(status)) {
+			DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
+					ads_errstr(status)));
+		}
 	}
 done:
 	talloc_destroy(ctx);
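Review bot: Skipping ads_set_machine_sd for an existing account means the object's current security descriptor is kept exactly as it was pre-created, which matches the intent of the patch but is invisible to a reader of the code; a comment on the new `if (!exists)` such as `/* existing account: keep its current SD, we may not have rights to replace it */` would record that. It would also help operators to log the skip at the same DEBUG level, since the earlier "modifying old account" message does not say that the SD was left untouched. The function continues past this hunk.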
@@ -1309,6 +1324,7 @@
 	host = strdup(hostname);
 	strlower_m(host);
 
+	/*
 	status = ads_find_machine_acct(ads, (void **)&res, host);
 	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
 		DEBUG(0, ("Host account for %s already exists - deleting old account\n", host));
@@ -1319,6 +1335,7 @@
 			return status;
 		}
 	}
+	*/
 
 	status = ads_add_machine_acct(ads, host, account_type, org_unit);
 	if (!ADS_ERR_OK(status)) {
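Review bot: The old delete-then-recreate path at lines 1324-1335 is disabled by wrapping it in a `/* ... */` block rather than removing it, which leaves dead code in the join function and will fail to compile if any of the commented-out lines already contains a `*/`; delete the lines instead, and drop the `res` assignment that served only that search if nothing else in the function uses it. With the search gone here, the only existence check is the one inside ads_add_machine_acct, which is worth stating where the old block was, e.g. `/* an existing account is reused by ads_add_machine_acct instead of being deleted here */`. The enclosing function starts before this hunk and continues after it.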

