[PATCH 1/2] Set os attribute and version during domain join

Matthew Geddes musicalcarrion at gmail.com
Fri Mar 16 17:57:14 GMT 2007


Gerald (Jerry) Carter wrote:
>  $ net ads join osname=`uname -s` osver=`uname -r`
>
> would yield
>
>  operatingSystemName: Linux
>  operatingSsystemVersion: 2.6.18.6-2-gwc
>  operatingsystemServicePack: Samba 3.0.25pre2-SVN-build-21792
>
> Do people want this or should I just keep it as a local
> patch?

I like the patch and have been working on something similar here. Have 
you tested it using an account that sports only 
SeMachineAccountPrivilege though? My old patch (which on the face of it 
seems like yours -- just adding attributes to the LDAP mods list) only 
worked when joining as a user in the Domain Admins group.

At a quick glance, it looks as though this may be due to ACLs set in 
Active Directory. There is a difference between the ACLs on a 
Samba-created machine account and a Windows XP-created machine account 
from what I've seen. Windows XP-created accounts grant rights to the 
user doing the join to update the properties in the account, whereas 
Samba-created accounts don't.

The only seemingly-relevant differences I see in captures between our 
join and XP's is that we use an Info24 + an Info16 to set account 
attributes (mainly the password), whereas XP just uses the Info25
 (An info 21 + the password). I can't see anything in the Info21 that 
looks like the account flags passed to 
net_domain.c:rpccli_samr_create_dom_user (arg 6). Incidentally, I have a 
patch I'm trying to get back to you guys that fixes some problems with 
these flags.

[I'm working from Samba 3.0.23c, BTW]

What I was planning on doing next was testing the theory about ACLs by 
using ldapmodify to update a freshly-created account created by Windows 
XP and one by Samba to see whether I can update one but not the other 
(using the credentials used to create the account). I haven't yet -- 
other things came up.

Until we know more, a compromise might be to do the update in two 
stages: Update the SPN or fail and then attempt to update the other 
attributes and log a non-fatal message on failure.

thx,
Matt
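The two things Matt describes, the ldapmodify check of whether the joining credentials may update a freshly created machine account and the two-stage update (SPN must succeed, OS attributes are best-effort), written out as an added example. This is not code from the thread or from Samba: the attribute names follow the AD schema (operatingSystem, operatingSystemVersion, operatingSystemServicePack; the quoted output spells them slightly differently), the DN and the FakeDirectory that plays the role of the domain controller are constructed for the example, and the actual LDAP write is passed in as a callable so the logic runs offline.

```python
"""Added example: LDIF for the manual ACL test and a two-stage attribute
update where only the SPN write is fatal.  Not Samba code."""
import base64
import logging
from typing import Callable, Dict, List, Sequence

log = logging.getLogger("ads_join")

# AD schema names for the values in Jerry's example output.
OS_ATTRS = ("operatingSystem", "operatingSystemVersion", "operatingSystemServicePack")

# Signature of the directory write: modify(dn, {attr: [values]}) and raise on
# an LDAP error.  A real one would wrap ldapmodify or python-ldap.
ModifyFn = Callable[[str, Dict[str, Sequence[str]]], None]


def ldif_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, not starting with ' ', ':' or '<'.
    Anything else has to be written base64-encoded with the 'attr::' form."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(ord(c) < 0x80 and c not in "\x00\r\n" for c in value)


def ldif_attr_line(attr: str, value: str) -> str:
    """One 'attr: value' line, base64-encoding the value when it is not safe."""
    if ldif_safe(value):
        return f"{attr}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {b64}"


def modify_ldif(dn: str, changes: Dict[str, Sequence[str]]) -> str:
    """Render a 'changetype: modify' record that replaces each attribute.
    This is what one feeds to ldapmodify, once against an XP-created and once
    against a Samba-created account, using the credentials that did the join."""
    lines = [ldif_attr_line("dn", dn), "changetype: modify"]
    for attr, values in changes.items():
        lines.append(f"replace: {attr}")
        lines.extend(ldif_attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def two_stage_update(dn: str, spns: Sequence[str], os_values: Dict[str, str],
                     modify: ModifyFn) -> bool:
    """Stage 1: the SPN update must succeed; any error propagates and the join
    fails.  Stage 2: the OS attributes are best-effort; an error is logged as a
    warning and reported through the return value (True = everything set)."""
    modify(dn, {"servicePrincipalName": list(spns)})
    try:
        modify(dn, {attr: [val] for attr, val in os_values.items()})
    except Exception as exc:  # LDAP errors surface as exceptions from modify()
        log.warning("joined %s but could not set OS attributes: %s", dn, exc)
        return False
    return True


class FakeDirectory:
    """Constructed stand-in for the DC.  allow_os=False mimics the ACL shape
    Matt saw on Samba-created accounts: the joining user may set the SPN but
    not the other properties."""

    def __init__(self, allow_spn: bool = True, allow_os: bool = True) -> None:
        self.allow_spn = allow_spn
        self.allow_os = allow_os
        self.writes: List[Dict[str, Sequence[str]]] = []

    def modify(self, dn: str, changes: Dict[str, Sequence[str]]) -> None:
        if not self.allow_spn and "servicePrincipalName" in changes:
            raise PermissionError("insufficientAccessRights (servicePrincipalName)")
        if not self.allow_os and any(a in OS_ATTRS for a in changes):
            raise PermissionError("insufficientAccessRights (operatingSystem*)")
        self.writes.append(dict(changes))


if __name__ == "__main__":
    dn = "CN=HOST1,CN=Computers,DC=example,DC=com"  # constructed DN
    os_values = {
        "operatingSystem": "Linux",
        "operatingSystemVersion": "2.6.18.6-2-gwc",
        "operatingSystemServicePack": "Samba 3.0.25pre2-SVN-build-21792",
    }
    print(modify_ldif(dn, {k: [v] for k, v in os_values.items()}))
    dc = FakeDirectory(allow_os=False)
    ok = two_stage_update(dn, ["host/host1.example.com"], os_values, dc.modify)
    print("all attributes set:", ok, "| writes accepted:", len(dc.writes))
```

Run stand-alone it prints the LDIF record for the manual test and then shows a join against the restrictive fake directory completing with the SPN written and the OS attributes skipped with a warning, which is the non-fatal behaviour the compromise asks for.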
