[PATCH] ADS changes for joining accounts w/o full Administrator rights

Antti Andreimann Antti.Andreimann at mail.ee
Mon Feb 10 22:06:07 GMT 2003


I have done some changes to enable users w/o full administrative access on 
computer accounts to join a computer into AD domain.

The patch and detailed changelog is available at:

This is a list of changes in general:

1. When creating machine account do not fail if SD cannot be changed.
   setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
   machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing 
   kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
   username is specified (-U). Initial TGT will be requested in this case.
5. new "local realms" global configuration option for situations where You
   need to map users from more than one realm. This is useful for
   situations where ADS is configured to trust an external kerberos server
   and all kerberos users are duplicated in AD.

The patch is against CVS version as of 04.02.2003 and has been alpha tested 
(a clean RPM build, multiple joins and host pwd changes).
I would be grateful if somebody authorized to do CVS commits can review my 
patch and incorporate it into sambas' code.

           Antti Andreimann
     Using Linux since 1993
Member of ELUG since 29.01.2000

More information about the samba-technical mailing list