Draft #4: Re: [patch] net ads join rework

Gerald (Jerry) Carter jerry at samba.org
Fri May 12 04:55:07 GMT 2006


Gerald (Jerry) Carter wrote:

> Just found this:
> 
> http://support.microsoft.com/kb/326985
> 
>   Note that you do not have to register all services.
>   Many service types,  such as HTTP, W3SVC, WWW, RPC,
>   CIFS (file access), WINS, and  uninterruptible power
>   supply (UPS), will map to a default service type named
>   HOST. For example, if your client software uses an SPN
>   of HTTP/webserver1.microsoft.com to perform an HTTP connection
>   to the Web server on the webserver1.microsoft.com server,
>   but this SPN is not registered on the server, the Windows
>   2000 domain controller will automatically map it to
>   HOST/webserver1.microsoft.com. This mapping applies only
>   if the Web service is running under the local System account.

New patch and more findings.  This version does create the
dNSHostName and servicePrincipalName attributes just like
Windows 2k/xp does.  The interesting part is this code:

  /* attributes the machine account can write about itself */
  ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn);
  ads_mod_strlist(ctx, &mods, "servicePrincipalName",
      servicePrincipalName);
#if 0
  /* disabled: these writes fail with machine creds (see below) */
  ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
  ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
  ads_mod_str(ctx, &mods, "operatingSystemVersion",
      SAMBA_VERSION_STRING);
  ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
#endif
  status = ads_gen_mod(ads_s, new_dn, mods);

The ifdef'd out code represents attributes that cannot be set
using the machine creds.  Apparently you can only set the
hostname and SPN values.  There are two which are a problem.

a) userPrincipalName -- needed for 'kinit -k' when using a
   keytab
b) userAccountControl -- need to set the DES_ONLY flag on
   systems without support for RC4-HMAC.

But the problem is that these can only be set via LDAP as
far as I know.  If this is the case, then a non-Domain Admin
would not be able to create them in any case.

With the current revision of the patch, we require the same
permissions as a Windows box to join a domain and set the same
SPNs.

I would like to check this into the SAMBA_3_0 tree at this
point and continue to work on the remaining issues.  Any
objections or comments?

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stats.log
Type: text/x-log
Size: 741 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060511/778677ff/stats-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net_ads_join_v4.patch
Type: text/x-patch
Size: 79452 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060511/778677ff/net_ads_join_v4-0001.bin
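The two mechanisms the message above turns on, as an added Python illustration that is not part of the patch or of Samba: the set of attributes the join tries to write (mirroring the quoted ads_mod_* calls), a model of why only dNSHostName and servicePrincipalName succeed with machine credentials, and the SPN-to-HOST fallback quoted from KB 326985. The validated-write rules in self_writable() are this example's approximation of Active Directory's "validated write to DNS host name" and "validated write to service principal name" rights, not something the message itself states; the host and domain names are constructed, and the userAccountControl bit values are the usual Windows SDK constants.

```python
"""Added example, not Samba code: models the computer-object writes made by
the Draft #4 'net ads join', which of them a machine account may perform on
its own, and the SPN -> HOST fallback from KB 326985.  The validated-write
rules below are an approximation of Active Directory behaviour (assumption)."""

# Service types KB 326985 says map to HOST/ when no explicit SPN is registered.
HOST_ALIASES = {"HOST", "HTTP", "W3SVC", "WWW", "RPC", "CIFS", "WINS", "UPS"}

# userAccountControl bits (Windows SDK values; only the two needed here).
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_USE_DES_KEY_ONLY = 0x00200000


def build_join_mods(netbios_name, dns_domain, des_only=False):
    """Return the attribute modifications the patch tries to apply, in the
    order of the quoted ads_mod_* calls.  The #if 0 attributes are included
    so the caller can see what is lost when they cannot be written."""
    fqdn = f"{netbios_name.lower()}.{dns_domain.lower()}"
    realm = dns_domain.upper()
    uac = UF_WORKSTATION_TRUST_ACCOUNT | (UF_USE_DES_KEY_ONLY if des_only else 0)
    return [
        ("dNSHostName", fqdn),
        ("servicePrincipalName", [f"HOST/{fqdn}", f"HOST/{netbios_name.upper()}"]),
        ("userPrincipalName", f"host/{fqdn}@{realm}"),   # needed for 'kinit -k'
        ("operatingSystem", "Samba"),
        ("operatingSystemVersion", "3.0"),                # stands in for SAMBA_VERSION_STRING
        ("userAccountControl", str(uac)),                 # DES_ONLY lives here
    ]


def _spn_host(spn):
    """Host part of 'service/host[:port][/name]', lower-cased."""
    _, _, rest = spn.partition("/")
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def self_writable(attr, value, account):
    """Approximate AD's validated writes for a computer account (assumption):
    dNSHostName must equal <sAMAccountName without '$'>.<domain>, every SPN's
    host part must name the account itself, and nothing else is self-writable
    (so userPrincipalName and userAccountControl need admin rights)."""
    short = account["sAMAccountName"].rstrip("$").lower()
    domain = account["dns_domain"].lower()
    if attr == "dNSHostName":
        return value.lower() == f"{short}.{domain}"
    if attr == "servicePrincipalName":
        allowed = {short, f"{short}.{domain}"}
        return all(_spn_host(spn) in allowed for spn in value)
    return False


def plan_join(netbios_name, dns_domain, des_only=False):
    """Split the modifications into those the machine account can apply with
    its own credentials and those that need a Domain Admin or delegation."""
    account = {"sAMAccountName": f"{netbios_name.upper()}$", "dns_domain": dns_domain}
    own, admin = [], []
    for attr, value in build_join_mods(netbios_name, dns_domain, des_only):
        (own if self_writable(attr, value, account) else admin).append(attr)
    return own, admin


def resolve_spn(requested, registered):
    """KB 326985 mapping: use the requested SPN if it is registered; otherwise,
    for the HOST-alias service types, fall back to HOST/<same host>.  SPN
    comparison is case-insensitive, as in AD.  Returns None if nothing matches."""
    reg = {spn.lower() for spn in registered}
    if requested.lower() in reg:
        return requested
    svc, _, rest = requested.partition("/")
    if svc.upper() in HOST_ALIASES:
        fallback = f"HOST/{rest}"
        if fallback.lower() in reg:
            return fallback
    return None


if __name__ == "__main__":
    # Constructed names; there is no real 'fileserver1.example.com' here.
    own, admin = plan_join("fileserver1", "example.com", des_only=True)
    print("machine creds can set:", own)
    print("needs admin:", admin)
    spns = dict(build_join_mods("fileserver1", "example.com"))["servicePrincipalName"]
    print(resolve_spn("cifs/fileserver1.example.com", spns))   # falls back to HOST/
    print(resolve_spn("ldap/fileserver1.example.com", spns))   # no fallback: None
```

Run as a script, plan_join() reports dNSHostName and servicePrincipalName as self-writable and the four #if 0 attributes as needing admin rights, which is the split the message observes; resolve_spn() shows that a client asking for cifs/fileserver1.example.com is satisfied by the HOST/ SPN the join registers, while a service type outside the KB's list (ldap/) is not.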