net join to ads domains
Stefan (metze) Metzmacher
metze at samba.org
Fri Jan 14 15:20:40 GMT 2005
Hi Andrew,
some comments on net join and ads domains
As you said, we need to set the servicePrincipal;
there's a function for that!
drsuapi_DsWriteAccountSpn()
And I think w2k3 refused to set that via LDAP.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/dswriteaccountspn.asp
...Using LDAP to write directly to the SPN property is not allowed; all writes must come through
this RPC call. Reads using LDAP are allowed....
And Windows clients also use SAMR to create the account, and then
use DsWriteAccountSpn() to register a servicePrincipal when they join an ADS domain,
and I think we should do the same in samba4
(and not reactivate libads/!!! :-)
- so you just need to try to connect to the drsuapi pipe
- do a DsBind()
- do a DsCrackNames() with these options
  r.in.req.req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
  r.in.req.req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
  to get the LDAP DN of the machine account
- do a DsWriteAccountSpn() for that DN
-- 
metze
Stefan Metzmacher <metze at samba.org> www.samba.org
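The sequence metze sketches (connect to the drsuapi pipe, DsBind, DsCrackNames from the NT4 account name to the machine account's DN, then DsWriteAccountSpn for that DN), as an added example that is not part of the original post and is not Samba's own join code. It is written against Samba's Python bindings (samba.dcerpc.drsuapi and samba.dcerpc.misc); the exact binding calls, the DsBindInfo28 setup and the request field names are assumptions based on the conventions in Samba's drs_utils, and the numeric constants are copied from drsuapi.idl. It assumes the machine account already exists (the SAMR account creation mentioned in the post is not included). The host names, domain and the two sample DsCrackNames results are constructed here so that the pure helpers can be exercised offline; register_machine_spns() itself needs a reachable DC.

```python
"""Register a machine account's SPNs through DRSUAPI: DsBind, DsCrackNames
(NT4 account name -> DN), DsWriteAccountSpn for that DN.

Added example for this page, not Samba's own code.  Assumes Samba's Python
bindings (samba.dcerpc.drsuapi / misc) and a reachable DC for the RPC part;
the helpers that build names and check results run without them."""

from types import SimpleNamespace

# Constants from Samba's drsuapi.idl / MS-DRSR, repeated here so the offline
# helpers do not need the bindings (assumption: they match your build).
DS_NAME_FORMAT_FQDN_1779 = 1      # DRSUAPI_DS_NAME_FORMAT_FQDN_1779
DS_NAME_FORMAT_NT4_ACCOUNT = 2    # DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT
DS_NAME_STATUS_OK = 0             # DRSUAPI_DS_NAME_STATUS_OK
DS_SPN_OPERATION_ADD = 0          # DRSUAPI_DS_SPN_OPERATION_ADD


def host_spns(netbios_name, dns_name):
    """SPNs a joining member registers for itself: HOST/<short> and HOST/<fqdn>."""
    return ["HOST/%s" % netbios_name.upper(), "HOST/%s" % dns_name.lower()]


def nt4_account_name(domain, netbios_name):
    """NT4-style name DsCrackNames is offered: DOMAIN\\HOST$ (trailing '$' for machines)."""
    return "%s\\%s$" % (domain.upper(), netbios_name.upper())


def dn_from_crack_result(ctr):
    """Extract the DN from a level-1 DsCrackNames result, accepting only exactly
    one entry with status OK.  Unknown or ambiguous names come back with a
    non-OK status and no result_name, and must not be written to."""
    if ctr.count != 1:
        raise ValueError("DsCrackNames returned %d entries, expected 1" % ctr.count)
    entry = ctr.array[0]
    if entry.status != DS_NAME_STATUS_OK or not entry.result_name:
        raise ValueError("DsCrackNames status %d for machine account" % entry.status)
    return entry.result_name


def register_machine_spns(dc, domain, netbios_name, dns_name, lp, creds):
    """Bind to the DC's drsuapi pipe and add the host SPNs.  Needs the Samba
    bindings and network access, hence the local import."""
    from samba.dcerpc import drsuapi, misc  # assumption: Samba Python bindings

    # 1. connect to the drsuapi pipe (sealed) and DsBind
    drs = drsuapi.drsuapi("ncacn_ip_tcp:%s[seal]" % dc, lp, creds)
    bind_info = drsuapi.DsBindInfoCtr()
    bind_info.length = 28
    bind_info.info = drsuapi.DsBindInfo28()
    bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE
    (_info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)

    # 2. DsCrackNames: NT4 account name -> LDAP DN of the machine account
    name = drsuapi.DsNameString()
    name.str = nt4_account_name(domain, netbios_name)
    req = drsuapi.DsNameRequest1()
    req.codepage = 1252
    req.language = 1033
    req.format_flags = 0
    req.format_offered = drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT
    req.format_desired = drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779
    req.count = 1
    req.names = [name]
    (_level, ctr) = drs.DsCrackNames(handle, 1, req)
    dn = dn_from_crack_result(ctr)

    # 3. DsWriteAccountSpn for that DN.  The DC refuses direct LDAP writes to
    #    servicePrincipalName; this RPC is the supported path.
    spn_req = drsuapi.DsWriteAccountSpnRequest1()
    spn_req.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
    spn_req.object_dn = dn
    spn_names = []
    for spn in host_spns(netbios_name, dns_name):
        ds = drsuapi.DsNameString()
        ds.str = spn
        spn_names.append(ds)
    spn_req.count = len(spn_names)
    spn_req.spn_names = spn_names
    (_level, res) = drs.DsWriteAccountSpn(handle, 1, spn_req)
    if res.status != 0:  # WERROR, 0 is WERR_OK
        raise RuntimeError("DsWriteAccountSpn failed: WERROR 0x%08x" % res.status)
    return dn


# Constructed sample DsCrackNames results (shape of a level-1 ctr), for
# exercising dn_from_crack_result() without a DC.
CONSTRUCTED_OK_RESULT = SimpleNamespace(count=1, array=[SimpleNamespace(
    status=DS_NAME_STATUS_OK,
    result_name="CN=WEB01,CN=Computers,DC=example,DC=com")])
CONSTRUCTED_NOT_FOUND_RESULT = SimpleNamespace(count=1, array=[SimpleNamespace(
    status=2, result_name=None)])  # 2 = DRSUAPI_DS_NAME_STATUS_NOT_FOUND
```

The point of dn_from_crack_result() is that DsCrackNames does not fail the RPC for a name it cannot map; it returns a per-entry status, so a join that skips that check would hand a NULL DN to DsWriteAccountSpn.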