[PATCH] ADS changes for joining accounts w/o full Administrator rights
Andrew Bartlett
abartlet at samba.org
Tue Feb 11 09:06:02 GMT 2003
On Tue, 2003-02-11 at 09:06, Antti Andreimann wrote:
> Hi!
>
> I have done some changes to enable users w/o full administrative access on
> computer accounts to join a computer into AD domain.
>
> The patch and detailed changelog are available at:
> http://www.itcollege.ee/~aandreim/samba
>
> This is a list of changes in general:
>
> 1. When creating machine account do not fail if SD cannot be changed.
> Setting SD is not mandatory and join will work perfectly without it.

This would also be useful in making life easier for early AD-replacement
efforts.

> 2. Implement KPASSWD CHANGEPW protocol for changing trust password so
> machine account does not need to have reset password right for itself.

Now I see what you were trying to say on IRC. Yes, this looks very
useful!

> 3. Command line utilities no longer interfere with user's existing
> Kerberos ticket cache.
> 4. Command line utilities can do Kerberos authentication even if
> username is specified (-U). Initial TGT will be requested in this case.

Nice!

> 5. New "local realms" global configuration option for situations where you
> need to map users from more than one realm. This is useful for
> situations where ADS is configured to trust an external Kerberos server
> and all Kerberos users are duplicated in AD.

I'm not quite convinced about this. I'm quite willing (but see below)
to apply the rest of this patch, but I'll need a good explanation of
what this patch does.

> The patch is against CVS version as of 04.02.2003 and has been alpha tested
> (a clean RPM build, multiple joins and host pwd changes).
> I would be grateful if somebody authorized to do CVS commits can review my
> patch and incorporate it into Samba's code.

We need patches to be against current CVS - the patch does not apply
cleanly at present.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net