[PATCH] ADS changes for joining accounts w/o full Administrator rights

Andrew Bartlett abartlet at samba.org
Tue Feb 11 09:06:02 GMT 2003

On Tue, 2003-02-11 at 09:06, Antti Andreimann wrote:
> Hi!
> I have made some changes to enable users w/o full administrative access on 
> computer accounts to join a computer into an AD domain.
> The patch and detailed changelog is available at:
> http://www.itcollege.ee/~aandreim/samba
> This is a list of changes in general:
> 1. When creating a machine account, do not fail if the SD cannot be changed.
>    Setting the SD is not mandatory and the join will work perfectly without it.

This would also be useful in making life easier for early AD-replacement

> 2. Implement KPASSWD CHANGEPW protocol for changing trust password so
>    machine account does not need to have reset password right for itself.

Now I see what you were trying to say on IRC.  Yes, this looks very

> 3. Command line utilities no longer interfere with user's existing 
>    kerberos ticket cache.
> 4. Command line utilities can do kerberos authentication even if
>    username is specified (-U). Initial TGT will be requested in this case.


> 5. New "local realms" global configuration option for situations where you
>    need to map users from more than one realm. This is useful for
>    situations where ADS is configured to trust an external kerberos server
>    and all kerberos users are duplicated in AD.

I'm not quite convinced about this.  I'm quite willing (but see below)
to apply the rest of this patch, but I'll need a good explanation of
what this patch does.

> The patch is against CVS version as of 04.02.2003 and has been alpha tested 
> (a clean RPM build, multiple joins and host pwd changes).
> I would be grateful if somebody authorized to do CVS commits can review my 
> patch and incorporate it into Samba's code.

We need patches to be against current CVS - the patch does not apply
cleanly at present.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net