Finishing up the new nads join code [was Re: svn commit: samba r15543...]

Gerald (Jerry) Carter jerry at
Tue May 16 15:05:58 GMT 2006

jerry at wrote:

> Still to do:
> * Fix the userAccountControl for DES only systems
> * Set the userPrincipalName in order to support things like
>   'kinit -k' (although we might be able to just use 
>   the sAMAccountName instead)
> * Re-add support for pre-creating the machine account in 
>   a specific OU

Just an update on where things stand.  Currently known open
issues are:

* Setting the SPN when the Samba host's DNS domain
  is outside of Windows realm does not work (nor does it
  work on Windows 2000).  The fix is to not use the
  permissive modify control.  But currently libads/ldap.c
  tags this onto every request.

* 'net ads leave' will require user creds.  The only reason
  that this formerly worked is that we explicitly added
  the machine's SID to the security descriptor on the computer
  object.  But you have to have domain admin privileges to
  do this.  Hence the need to rewrite it to simply disable
  the account (just like Windows).

* Setting the UPN.  Still thinking about this one...

* Using a pre-existing tkt cache is broken (segv: easy fix)

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian