[PATCH 1/2] Set os attribute and version during domain join
Matthew Geddes
musicalcarrion at gmail.com
Fri Mar 16 17:57:14 GMT 2007
Gerald (Jerry) Carter wrote:
> $ net ads join osname=`uname -s` osver=`uname -r`
>
> would yield
>
> operatingSystemName: Linux
> operatingSsystemVersion: 2.6.18.6-2-gwc
> operatingsystemServicePack: Samba 3.0.25pre2-SVN-build-21792
>
> Do people want this or should I just keep it as a local
> patch?
I like the patch and have been working on something similar here. Have
you tested it using an account that sports only
SeMachineAccountPrivilege though? My old patch (which on the face of it
seems like yours -- just adding attributes to the LDAP mods list) only
worked when joining as a user in the Domain Admins group.

At a quick glance, it looks as though this may be due to ACLs set in
Active Directory. There is a difference between the ACLs on a
Samba-created machine account and a Windows XP-created machine account
from what I've seen. Windows XP-created accounts grant rights to the
user doing the join to update the properties in the account, whereas
Samba-created accounts don't.

The only seemingly-relevant difference I see in captures between our
join and XP's is that we use an Info24 + an Info16 to set account
attributes (mainly the password), whereas XP just uses the Info25
(an Info21 + the password). I can't see anything in the Info21 that
looks like the account flags passed to
net_domain.c:rpccli_samr_create_dom_user (arg 6). Incidentally, I have a
patch I'm trying to get back to you guys that fixes some problems with
these flags.

[I'm working from Samba 3.0.23c, BTW]

What I was planning on doing next was testing the theory about ACLs by
using ldapmodify to update a freshly-created account created by Windows
XP and one by Samba to see whether I can update one but not the other
(using the credentials used to create the account). I haven't yet --
other things came up.

Until we know more, a compromise might be to do the update in two
stages: update the SPN or fail, then attempt to update the other
attributes and log a non-fatal message on failure.

thx,
Matt
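The two-stage update proposed in the reply above, worked through as an added example. This is illustrative code written for this page, not Samba's implementation and not part of the thread. It assumes a `modify(dn, changes)` callable standing in for the LDAP connection, a constructed in-memory "directory" whose writable attribute set models the ACL difference between XP-created and Samba-created machine accounts, and the AD schema attribute names `operatingSystem`, `operatingSystemVersion` and `operatingSystemServicePack` (the quoted output's `operatingSystemName` is `operatingSystem` in the schema). The hostname, realm and DN are constructed sample values.

```python
"""Two-stage machine-account update: servicePrincipalName must succeed,
operatingSystem* attributes are best effort (illustrative, not Samba code)."""
import logging
import platform
from typing import Callable, Dict, List, Optional, Set, Tuple

log = logging.getLogger("join")

# Replace-style LDAP modifications: attribute -> list of values
Mods = Dict[str, List[str]]
# Stand-in for an LDAP modify; raises PermissionError when the ACL denies a write
ModifyFn = Callable[[str, Mods], None]


class JoinError(Exception):
    """Fatal join failure: stage 1 (the SPN update) could not be applied."""


def os_attributes(osname: Optional[str] = None, osver: Optional[str] = None,
                  samba_version: str = "Samba (version unknown)") -> Mods:
    """Build the operatingSystem* modifications. Defaults mirror
    osname=`uname -s` osver=`uname -r` from the quoted command line."""
    return {
        "operatingSystem": [osname or platform.system()],
        "operatingSystemVersion": [osver or platform.release()],
        "operatingSystemServicePack": [samba_version],
    }


def spn_attributes(hostname: str, realm: str) -> Mods:
    """HOST/ servicePrincipalName values for the machine (short and FQDN forms)."""
    fqdn = f"{hostname.lower()}.{realm.lower()}"
    return {"servicePrincipalName": [f"HOST/{hostname.upper()}", f"HOST/{fqdn}"]}


def update_machine_account(modify: ModifyFn, dn: str, hostname: str, realm: str,
                           os_mods: Mods) -> Tuple[bool, bool]:
    """Apply the two stages and return (spn_ok, os_ok).

    Stage 1 failure raises JoinError (the join fails). Stage 2 failure is
    logged as a warning and swallowed, so a joiner holding only
    SeMachineAccountPrivilege still completes the join."""
    try:
        modify(dn, spn_attributes(hostname, realm))
    except PermissionError as e:
        raise JoinError(f"could not set servicePrincipalName on {dn}: {e}") from e
    try:
        modify(dn, os_mods)
    except PermissionError as e:
        log.warning("joined, but operatingSystem* attributes were not set on %s: %s", dn, e)
        return True, False
    return True, True


def make_fake_directory(writable: Set[str]) -> Tuple[ModifyFn, Dict[str, Mods]]:
    """Constructed stand-in for AD: only attributes in `writable` may be
    modified by the joining account, modelling the ACL difference described
    in the reply. Returns the modify callable and the backing store."""
    store: Dict[str, Mods] = {}

    def modify(dn: str, changes: Mods) -> None:
        denied = sorted(set(changes) - writable)
        if denied:
            raise PermissionError(f"insufficientAccessRights: {', '.join(denied)}")
        store.setdefault(dn, {}).update(changes)

    return modify, store


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    dn = "CN=HOST1,CN=Computers,DC=example,DC=com"  # constructed sample DN
    mods = os_attributes("Linux", "2.6.18.6-2-gwc", "Samba 3.0.25pre2-SVN-build-21792")
    # Samba-created account: the joiner may only touch the SPN
    modify, store = make_fake_directory({"servicePrincipalName"})
    print(update_machine_account(modify, dn, "host1", "EXAMPLE.COM", mods))
    print(store[dn])
```

Running the module directly plays out the Samba-created-account case: the SPN lands, the OS attributes are refused, a warning is logged and the join still reports success.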