Finishing up the new nads join code [was Re: svn commit: samba r15543...]

Gerald (Jerry) Carter jerry at samba.org
Tue May 16 15:05:58 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jerry at samba.org wrote:

> Still to do:
> 
> * Fix the userAccountControl for DES only systems
> * Set the userPrincipalName in order to support things like
>   'kinit -k' (although we might be able to just use 
>   the sAMAccountName instead)
> * Re-add support for pre-creating the machine account in 
>   a specific OU

Just an update on where things stand.  Currently known open
issues are:

* Setting the SPN when the Samba host's DNS domain
  is outside of Windows realm does not work (nor does it
  work on Windows 2000).  The fix is to not use the
  permissive modify control.  But currently libads/ldap.c
  tags this onto every request.

* 'net ads leave' will require user creds.  The only reason
  that this formerly worked is that we explicitly added
  the machine's SID to the security descriptor on the computer
  object.  But you have to have domain admin privileges to
  do this.  Hence the need to rewrite it to simply disable
  the account (just like Windows).

* Setting the UPN.  Still thinking about this one...

* Using a pre-existing tkt cache is broken (segv: easy fix)

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEaepWIR7qMdg1EfYRAgBfAKDp4Jj/8jx1x3LuaUAvaYbn4CaROgCg3DxK
oq+c/fWj2Rx9L4zCw1+DqAw=
=x1vD
-----END PGP SIGNATURE-----
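As an added illustration of the 'net ads leave' rewrite Jerry describes above (disable the computer account rather than delete it, so domain admin rights are not needed), here is a Python sketch that is not Samba code: it decodes the userAccountControl bits involved, computes the disabled value and builds the LDAP modify as a python-ldap style modlist. The flag constants are the standard Active Directory userAccountControl bits (USE_DES_KEY_ONLY is the one relevant to the "DES only systems" item in the quoted to-do list); the computer entry is constructed sample data and no directory is contacted.

```python
# Added example, not Samba code.  Models the 'net ads leave' rewrite from the
# mail: disable the machine account by setting ACCOUNTDISABLE in
# userAccountControl instead of deleting the object.  The flag values are the
# documented Active Directory userAccountControl bits; the entry dict below is
# constructed sample data shaped like an LDAP search result, and the modify is
# returned as a python-ldap style modlist rather than sent to a server.

ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
USE_DES_KEY_ONLY = 0x200000  # the bit behind the "DES only systems" to-do item

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
}

MOD_REPLACE = 2  # numeric value python-ldap uses for ldap.MOD_REPLACE


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def disabled_uac(value):
    """Return userAccountControl with the account disabled, other bits untouched."""
    return value | ACCOUNTDISABLE


def build_leave_modlist(entry):
    """Build the LDAP modify that 'leaves' the domain by disabling the account.

    entry: dict of attribute -> list of bytes values, as an LDAP search returns.
    Raises ValueError if the object is not a workstation trust account, so a
    user or domain controller account is never disabled by mistake.
    """
    uac = int(entry["userAccountControl"][0])
    if not uac & WORKSTATION_TRUST_ACCOUNT:
        raise ValueError("not a workstation trust account: %s" % decode_uac(uac))
    new_uac = disabled_uac(uac)
    if new_uac == uac:
        return []  # already disabled; nothing to send
    return [(MOD_REPLACE, "userAccountControl", [str(new_uac).encode()])]


# Constructed sample computer object (not from any real directory).
SAMPLE_COMPUTER = {
    "sAMAccountName": [b"SAMBAHOST$"],
    "userAccountControl": [b"69632"],  # WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD
}

if __name__ == "__main__":
    print("before:", decode_uac(int(SAMPLE_COMPUTER["userAccountControl"][0])))
    print("modify:", build_leave_modlist(SAMPLE_COMPUTER))
```

Only the account's own userAccountControl attribute is written, which is why this path works with the machine credentials that the join created, where deleting the object or rewriting its security descriptor does not.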

