Patch: System keytab usage improvements
Dan Perry
dperry at pppl.gov
Thu Jun 3 01:17:49 GMT 2004
>
> 1) The "net ads join" command says that it supports having the OU
> for the computer's account specified on the command line. However,
> reading through the source code, the specified OU never gets used. It
> appears that it makes it all the way to the call to
> ads_add_machine_acct(), but that function never uses the value passed to
> org_unit when building the comp_dn string:
>
> comp_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname,
> ads_ou_string(NULL), ads->config.bind_path);
>
> Note that NULL is passed to ads_ou_string. Shouldn't org_unit get
> passed there instead?
>
Yes, good catch. Here's a link to an updated keytab patch that fixes that
issue:
http://www.pppl.gov/~dperry/patches/keytab.v7.samba-3.0.5pre1.diff
>
> 2) Given that the org_unit is ignored, I'm not sure whether this
> second observation is valid or not... There doesn't appear to be a way
> to specify an OU that is not "top level". For example, it doesn't
> appear that one could use "net ads join" to create the computer's
> account in "ou=Unix,ou=Servers,ou=NW Datacenter".
>
To put a computer account in the directory like:
"cn=computer,ou=a,ou=b,ou=c,dc=company,dc=com"
use the following command syntax:
net ads join "/c/b/a"
The path is sort of like a URI; the order of the OUs is opposite that in a DN.
Leave off the base DN as well; Samba will add that for you.
-Dan
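The path-to-DN mapping described in this reply, worked through as an added example (this is illustrative code written for this page, not Samba's ads_ou_string() or ads_add_machine_acct()): a URI-style OU path such as "/c/b/a" is split on "/", the components are reversed and each becomes an "ou=" RDN, and the result is placed between "cn=<hostname>" and the base DN the way the quoted comp_dn construction intends once org_unit is actually honoured. The helper names, the base DN "dc=company,dc=com", and the fallback container "cn=Computers" (the Active Directory default when no OU is given) are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OU_DEPTH 32

/* Constructed values for the example; in Samba the base DN comes from the
 * ADS connection (ads->config.bind_path in the quoted code). */
#define EXAMPLE_BASE_DN   "dc=company,dc=com"
#define DEFAULT_CONTAINER "cn=Computers"   /* assumed AD default container */

/* Convert a URI-style OU path ("/c/b/a") into the DN fragment
 * "ou=a,ou=b,ou=c". The components are reversed because a DN lists the
 * most specific RDN first while the path lists the top-level OU first.
 * Returns a malloc'd string, or NULL if the path is empty, too deep, or
 * contains characters that would change DN structure when left unescaped. */
char *ou_path_to_dn(const char *path)
{
    const char *parts[MAX_OU_DEPTH];
    size_t lens[MAX_OU_DEPTH];
    int n = 0;
    const char *p = path;

    if (!path) return NULL;
    while (*p) {
        while (*p == '/') p++;              /* skip one or more separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        if (n == MAX_OU_DEPTH) return NULL;
        for (const char *q = start; q < p; q++)
            if (*q == ',' || *q == '=' || *q == '+' || *q == ';') return NULL;
        parts[n] = start;
        lens[n] = (size_t)(p - start);
        n++;
    }
    if (n == 0) return NULL;

    /* Each component becomes "ou=<name>" plus a ',' or the final NUL. */
    size_t total = 0;
    for (int i = 0; i < n; i++) total += 3 + lens[i] + 1;
    char *out = malloc(total);
    if (!out) return NULL;
    char *w = out;
    for (int i = n - 1; i >= 0; i--) {      /* emit in reverse path order */
        memcpy(w, "ou=", 3);        w += 3;
        memcpy(w, parts[i], lens[i]); w += lens[i];
        *w++ = (i == 0) ? '\0' : ',';
    }
    return out;
}

/* Build the computer account DN as "cn=<host>,<ou fragment>,<base>"; with no
 * OU path the account lands in the default container instead. Returns a
 * malloc'd string, or NULL if the OU path was given but is malformed. */
char *machine_account_dn(const char *hostname, const char *ou_path,
                         const char *base_dn)
{
    int have_path = (ou_path && *ou_path);
    char *ou = have_path ? ou_path_to_dn(ou_path) : NULL;
    if (have_path && !ou) return NULL;      /* malformed path: refuse */
    const char *container = ou ? ou : DEFAULT_CONTAINER;

    size_t need = 3 + strlen(hostname) + 1 + strlen(container)
                + 1 + strlen(base_dn) + 1;
    char *dn = malloc(need);
    if (dn) snprintf(dn, need, "cn=%s,%s,%s", hostname, container, base_dn);
    free(ou);
    return dn;
}

int main(void)
{
    /* Mirrors: net ads join "/c/b/a" on a host named "computer". */
    char *dn = machine_account_dn("computer", "/c/b/a", EXAMPLE_BASE_DN);
    printf("%s\n", dn ? dn : "(invalid OU path)");
    free(dn);
    return 0;
}
```

Running it prints cn=computer,ou=a,ou=b,ou=c,dc=company,dc=com, matching the directory location given in the reply. Rejecting components that contain DN metacharacters is a deliberate choice here: a path component taken from the command line should not be able to splice extra RDNs into the account DN, and a real implementation would either escape such characters per RFC 4514 or reject them as this one does.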