Finishing up the new nads join code [was Re: svn commit: samba r15543...]
Gerald (Jerry) Carter
jerry at samba.org
Tue May 16 15:05:58 GMT 2006
jerry at samba.org wrote:
> Still to do:
>
> * Fix the userAccountControl for DES only systems
> * Set the userPrincipalName in order to support things like
> 'kinit -k' (although we might be able to just use
> the sAMAccountName instead)
> * Re-add support for pre-creating the machine account in
> a specific OU
Just an update on where things stand. Currently known open
issues are:
* Setting the SPN when the Samba host's DNS domain
is outside of the Windows realm does not work (nor does it
work on Windows 2000). The fix is to not use the
permissive modify control. But currently libads/ldap.c
tags this onto every request.
* 'net ads leave' will require user creds. The only reason
that this formerly worked is that we explicitly added
the machine's SID to the security descriptor on the computer
object. But you have to have domain admin privileges to
do this. Hence the need to rewrite it to simply disable
the account (just like Windows).
* Setting the UPN. Still thinking about this one...
* Using a pre-existing tkt cache is broken (segv: easy fix)
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian