Draft #3: Re: [patch] net ads join rework

simo idra at samba.org
Thu May 11 01:34:36 GMT 2006


On Wed, 2006-05-10 at 23:39 +0200, Guenther Deschner wrote:
> Hi Jerry,
> 
> On Wed, May 10, 2006 at 01:53:02PM -0700, Gerald (Jerry) Carter wrote:
> > 
> > Another rev of the modified net ads join code
> > and ADS_STRUCT rewrite:
> > 
> > New version of the patch to fix segv in the printer
> > publishing code and in idmap_ad.  Thanks to Guenther
> > for pointing out the segv in check_published_printers().
> > 
> > The other concern brought up, which is not addressed yet,
> > is that a machine account created with the new ads join
> > code has a different UPN/SPN than the old code.  Still
> > looking into this.
> 
> At least those attributes are settable via LDAP post the rpc join when
> just binding with the machine account (no admin privs needed):
> 
> dNSHostName: mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena.ber.suse.de
> servicePrincipalName: HOST/mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena
> servicePrincipalName: HOST/mthelena
> 
> (note that you can't add the fqdn SPNs before the dNSHostName is set).
> 
> remains only the UPN which neither the machine account nor the privileged
> user (not an admin) can change via LDAP.

AFAIK the userPrincipalName can be modified via LDAP; I've done that for
users, not sure for machines.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org