[PATCH] ADS changes for joining accounts w/o full Administrator rights

Andrew Bartlett abartlet at samba.org
Tue Feb 11 09:06:02 GMT 2003


On Tue, 2003-02-11 at 09:06, Antti Andreimann wrote:
> Hi!
> 
> I have done some changes to enable users w/o full administrative access on 
> computer accounts to join a computer into an AD domain.
> 
> The patch and detailed changelog is available at:
> http://www.itcollege.ee/~aandreim/samba
> 
> This is a list of changes in general:
> 
> 1. When creating machine account do not fail if SD cannot be changed.
>    Setting SD is not mandatory and join will work perfectly without it.

This would also be useful in making life easier for early AD-replacement
efforts.

> 2. Implement KPASSWD CHANGEPW protocol for changing trust password so
>    machine account does not need to have reset password right for itself.

Now I see what you were trying to say on IRC.  Yes, this looks very
useful!

> 3. Command line utilities no longer interfere with user's existing 
>    kerberos ticket cache.
> 4. Command line utilities can do kerberos authentication even if
>    username is specified (-U). Initial TGT will be requested in this case.

Nice!

> 5. New "local realms" global configuration option for situations where you
>    need to map users from more than one realm. This is useful for
>    situations where ADS is configured to trust an external kerberos server
>    and all kerberos users are duplicated in AD.

I'm not quite convinced about this.  I'm quite willing (but see below)
to apply the rest of this patch, but I'll need a good explanation of
what this patch does.

> The patch is against CVS version as of 04.02.2003 and has been alpha tested 
> (a clean RPM build, multiple joins and host pwd changes).
> I would be grateful if somebody authorized to do CVS commits can review my 
> patch and incorporate it into Samba's code.

We need patches to be against current CVS - the patch does not apply
cleanly at present.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net