net ads join without an admin account
ndb at theghet.to
ndb at theghet.to
Tue Dec 9 16:15:35 GMT 2003
My colleague and I wrote a patch to modify the existing machine account instead of deleting and re-creating it.
ndb
On Fri, Dec 05, 2003 at 11:05:36AM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ndb at theghet.to wrote
> :
> >So my question is, is it possible that when you do a net ads join does
> >it have to delete the machine or can smbd just edit it?
> >Does anyone else have another solution so that I don't have to give out
> >admin accounts to the container?
>
> It's on the list of things to implement but no ETA.
>
>
>
>
> cheers, jerry
> ----------------------------------------------------------------------
> Hewlett-Packard ------------------------- http://www.hp.com
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE/0LrgIR7qMdg1EfYRAswgAJ9y0BNQV6Oxidan/skqLLR3I+YlmQCdGMfZ
> VRPt9CET/urBLS4lqCTHaFY=
> =+BhC
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
# This allows a non-admin who has rights to the machine account but
# not to its container to do a net ads join. Instead of deleting the
# machine account and re-adding it with the attributes Samba needs,
# the join modifies the existing machine account in place.
#
# ndb at theghet.to
# zifnab at iname.com
diff -uNr samba-3.0.0.original/source/libads/ldap.c samba-3.0.0/source/libads/ldap.c
--- samba-3.0.0.original/source/libads/ldap.c 2003-09-11 14:05:44.000000000 -0400
+++ samba-3.0.0/source/libads/ldap.c 2003-12-09 11:10:24.000000000 -0500
@@ -998,6 +998,14 @@
const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL};
char *psp, *psp2;
unsigned acct_control;
+ unsigned exists=0;
+ LDAPMessage *res;
+
+ status = ads_find_machine_acct(ads, (void **)&res, hostname);
+ if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
+ DEBUG(0, ("Host account for %s already exists - modifying old account\n", hostname));
+ exists=1;
+ }
if (!(ctx = talloc_init("machine_account")))
return ADS_ERROR(LDAP_NO_MEMORY);
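Review bot: The LDAPMessage returned by ads_find_machine_acct in the new existence check is never released, and `res` is left uninitialised on the failure path; declare it as `LDAPMessage *res = NULL;` and, inside the ADS_ERR_OK(status) branch once the reply count has been tested, release it with `ads_msgfree(ads, res);` (the freeing helper the rest of libads uses — confirm the name in this tree). Because the same patch comments out the old already-exists handling in ads_join_realm, this search is now the only one, so the leak happens on every join. It would also be worth capturing the DN of the entry found here (via the tree's get-DN helper on the first entry) so that the later modify can target the object that actually exists rather than a DN reconstructed from the join arguments. The enclosing ads_add_machine_acct starts before this hunk and its hostname/new_dn derivation is not visible.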
@@ -1045,18 +1053,23 @@
if (!(mods = ads_init_mods(ctx)))
goto done;
-
- ads_mod_str(ctx, &mods, "cn", hostname);
- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+
+ if (!exists) {
+ ads_mod_str(ctx, &mods, "cn", hostname);
+ ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ }
+ ads_mod_str(ctx, &mods, "dNSHostName", hostname);
ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
- ads_mod_str(ctx, &mods, "dNSHostName", hostname);
- ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING);
- ret = ads_gen_add(ads, new_dn, mods);
+ if (!exists)
+ ret = ads_gen_add(ads, new_dn, mods);
+ else
+ ret = ads_gen_mod(ads, new_dn, mods);
if (!ADS_ERR_OK(ret))
goto done;
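Review bot: The modify branch `ret = ads_gen_mod(ads, new_dn, mods);` targets new_dn, which is built before this hunk (presumably from the org_unit and hostname the join was given) rather than the DN of the account the earlier search found, so a pre-created account that lives in a different container than the one named on the command line makes the modify hit a non-existent DN or a different object. The existing-account path also leaves userAccountControl untouched, so whatever flags the pre-created object carries (disabled, a different trust type, delegation bits) survive the join unchanged and unchecked; if the joiner's rights on the object allow it, moving `ads_mod_str(ctx, &mods, "userAccountControl", controlstr);` back outside the `if (!exists)` block makes both paths end in the same state, and otherwise the value should at least be read and compared against controlstr. Note too that applying these mods to an existing entry replaces servicePrincipalName and userPrincipalName wholesale, so any SPNs an administrator added to the pre-created account are lost (assuming ads_mod_strlist uses LDAP_MOD_REPLACE, which I cannot confirm from here). The enclosing ads_add_machine_acct starts and ends outside this hunk.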
@@ -1065,11 +1078,13 @@
* it shouldn't be mandatory and probably we just
* don't have enough rights to do it.
*/
- status = ads_set_machine_sd(ads, hostname, new_dn);
-
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
- ads_errstr(status)));
+ if (!exists) {
+ status = ads_set_machine_sd(ads, hostname, new_dn);
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
+ ads_errstr(status)));
+ }
}
done:
talloc_destroy(ctx);
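Review bot: Wrapping the ads_set_machine_sd call in `if (!exists)` skips the security-descriptor update for every pre-existing account, even though the comment directly above the hunk already treats a failed update as non-fatal; a joiner who does hold rights on the object (the very scenario this patch targets) now never gets the SD set. Unless the guard exists only to silence the warning, keep the original unconditional `status = ads_set_machine_sd(ads, hostname, new_dn);` and let the existing DEBUG(0, ...) branch report the cases where the bind lacks rights. As in the modify path, new_dn here is the reconstructed DN rather than that of the entry actually found. The enclosing function begins outside this hunk.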
@@ -1309,6 +1324,7 @@
host = strdup(hostname);
strlower_m(host);
+ /*
status = ads_find_machine_acct(ads, (void **)&res, host);
if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
DEBUG(0, ("Host account for %s already exists - deleting old account\n", host));
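Review bot: The already-exists block in ads_join_realm is disabled by wrapping it in `/* ... */` (the closing `*/` lands in the next hunk) instead of being removed, which leaves dead code in the function and, since these lines appear to be the only remaining use of `res` before ads_add_machine_acct, most likely an unused-variable warning for `res` (its declaration is outside this hunk). Delete the lines instead and note in a comment above the ads_add_machine_acct call that an existing account is now detected and modified in place by ads_add_machine_acct. The commented-out `return status;` on the following hunk's lines was also the only point at which a failed lookup was surfaced from this function, so lookup failures are now only noticed, if at all, inside ads_add_machine_acct.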
@@ -1319,6 +1335,7 @@
return status;
}
}
+ */
status = ads_add_machine_acct(ads, host, account_type, org_unit);
if (!ADS_ERR_OK(status)) {