[PATCH 1/2] Set os attribute and version during domain join

Matthew Geddes musicalcarrion at gmail.com
Fri Mar 16 18:52:40 GMT 2007


Gerald (Jerry) Carter wrote:
> Matthew Geddes wrote:
>
>> At a quick glance, it looks as though this may be due to 
>> ACLs set in Active Directory. There is a difference
>> between the ACLs on a Samba-created machine account and a
>> Windows XP-created machine account from what I've seen.
>> Windows XP-created accounts grant rights to the
>> user doing the join to update the properties in the 
>> account, whereas Samba-created accounts don't.
>>
>> The only seemingly-relevant differences I see in captures between our
>> join and XP's is that we use an Info24 + an Info16 to set account
>> attributes (mainly the password), whereas XP just uses the Info25
>> (An info 21 + the password). I can't see anything in the Info21 that
>> looks like the account flags passed to
>> net_domain.c:rpccli_samr_create_dom_user (arg 6). Incidentally, 
>> I have a patch I'm trying to get back to you guys that
>> fixes some problems with these flags.
>
> Matthew, From what I've seen, the resulting permissions are
> exactly the same between the Samba machine object and XP.
> I've viewed the resulting ACLs in adsiedit.msc.  Can you point
> me at how you are seeing the differences?

I usually use dsacls.exe (from the support tools or reskit). I'll go 
back and check again.

....

I used adsiedit.msc and an account created by Windows XP Pro has the 
same ACLs as a Debian host running Samba 3.0.23c except that the XP 
account also lists a user called 'Domain T. Add 
(domadd at dev2003.augment-it.com)', which is the user I created that 
sports only SeMachineAccountPrivilege. I used the same account to join 
the Debian machine to the domain (Windows 2003 Server DC, BTW).

domadd has the following permissions over that object:

  Read
  Allowed to Authenticate
  Change Password
  Receive As
  Reset Password
  Send As
  Validated write to DNS host name
  Validated write to service principal name
  Read Account Restrictions
  Write Account Restrictions
  Read DNS Host Name Attributes
  Read Personal Information

None of these appear to be enough to allow the changing of these 
attributes (I'd expect it to be one of the "Write * Information" 
permissions) though.

The permissions for SELF allow Read/Write Personal Information, so 
perhaps binding to the LDAP tree using the machine account credentials 
might work. If that's the case, perhaps moving your patch from the net 
command to winbindd's startup code might work (and allow us to 
dynamically update those records based on the output of things like 
uname each time we start).

thx,
Matt
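The approach Matt floats above (bind to the DC as the machine account itself, i.e. SELF, and write the OS attributes over LDAP rather than from the joining user's `net` session) sketched as an added shell example; it is not part of the patch or the Samba tree. It assumes the host keytab holds the machine account key, a GSSAPI-capable OpenLDAP `ldapmodify`, the standard AD attribute names `operatingSystem` / `operatingSystemVersion`, and a known computer-object DN; whether SELF's "Write Personal Information" right actually covers those attributes is the open question in the thread, so the `ldapmodify` result is the test.

```shell
#!/bin/sh
# Added example (not Samba code): refresh a computer object's OS attributes
# over LDAP while bound as the machine account (SELF). Attribute names are
# the usual AD schema names; DN, DC and keytab are caller-supplied.

# Build the LDIF modify request from what uname reports.
# $1 = computer object DN, $2 = OS name (uname -s), $3 = OS version (uname -r)
build_os_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: operatingSystem\noperatingSystem: %s\n-\n' "$2"
    printf 'replace: operatingSystemVersion\noperatingSystemVersion: %s\n-\n' "$3"
}

# Obtain a ticket for HOST$ from the keytab and push the change with GSSAPI.
# $1 = computer object DN, $2 = DC hostname, $3 = keytab (default system keytab)
update_os_attributes() {
    dn="$1"; dc="$2"; keytab="${3:-/etc/krb5.keytab}"
    host="$(hostname -s | tr '[:lower:]' '[:upper:]')"
    # Fails here if the keytab lacks the machine account key.
    kinit -k -t "$keytab" "${host}\$" || return 1
    # A non-zero exit (insufficientAccessRights) means SELF's rights do not
    # reach these attributes on this DC, which answers the question above.
    build_os_ldif "$dn" "$(uname -s)" "$(uname -r)" |
        ldapmodify -Q -Y GSSAPI -H "ldap://$dc"
}

# Stand-alone use: update_os.sh '<computer DN>' <dc-host> [keytab]
if [ "$#" -ge 2 ]; then
    update_os_attributes "$1" "$2" "$3"
fi
```

Run it from the joined Debian host after the join; if it succeeds, the same `build_os_ldif` output is what a winbindd-startup hook would send each boot.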


