[PATCH] ADS changes for joining accounts w/o full Administrator
Antti.Andreimann at mail.ee
Mon Feb 10 22:06:07 GMT 2003
I have made some changes to enable users w/o full administrative access on
computer accounts to join a computer into an AD domain.
The patch and detailed changelog are available at:
This is a list of changes in general:
1. When creating a machine account, do not fail if the SD cannot be changed.
Setting the SD is not mandatory and the join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
username is specified (-U). Initial TGT will be requested in this case.
5. New "local realms" global configuration option for situations where you
need to map users from more than one realm. This is useful for
situations where ADS is configured to trust an external kerberos server
and all kerberos users are duplicated in AD.
The patch is against CVS version as of 04.02.2003 and has been alpha tested
(a clean RPM build, multiple joins and host pwd changes).
I would be grateful if somebody authorized to do CVS commits can review my
patch and incorporate it into Samba's code.
Using Linux since 1993
Member of ELUG since 29.01.2000