samba4 net join with pre-existing account

Sam Liddicott sam at liddicott.com
Fri Aug 6 10:18:01 MDT 2010 

  I find that if I pre-create the machine account, at the point of 
creation I get to specify the user or group that can join the computer 
to the domain. The magic token SELF means that the machine can join 
itself to the domain (or anyone claiming to be the machine):

If only samba4's net join could use the "no password" that is created 
for the initial machine account. However:
c:> net user <machine-name> <new-password> /DOMAIN

can be used to set the password for the account such that "net join" on 
samba will be able to join the domain. (Of course -U <machine-name> 
--password=<new-password> must be used, -P won't work yet!)

However we get a final failure:
Joining domain failed: Failed to replace entries on 
CN=...,CN=Computers,DC=bah,DC=blah...

This error suggests that Samba's join is doing something not expected by 
this KB article: http://support.microsoft.com/?id=251335 but the error 
can be made to go away if I edit the advanced security properties of the 
pre-created account and  add "read/write all properties" - I'm still 
tracking down which properties are needed.

Sam

On 09/07/10 17:56, Sam Liddicott wrote:
>  Is it possible to have samba4 join a domain without providing the 
> administrator password (as can be done on windows) by pre-creating the 
> computer account before provisioning?
>
> Normally I have my samba4 server join a domain with:
>
> $ net join $WORKGROUP member --realm=$REALM -U Administrator
>
> and provide a domain Administrator password
>
> I read here: http://support.microsoft.com/kb/150493
>
> that it should be possible to pre-create the computer account on the 
> domain controller with something like:
> c:\> netdom add $SAMBAHOST
>
> (which works)
> and then on the client:
> c:\> NETDOM /Domain:MYDOMAIN MEMBER $SAMBAHOST /JOINDOMAIN
>
> The samba4 equivalent "net join" doesn't seem to have an option that 
> doesn't require an administrator password.
>
> Possibly samba3 "net ads" can handle this - but I recall that samba4 
> "net join" uses netbios to join the domain instead of the rpc's used 
> by samba3.
>
> I think I've now danced around the question; is the answer:
> 1. I need to bring "net ads" to samba 4
> 2. something else
>
> thanks
>
> Sam
>


-- 
[FSF Associate Member #2325] 
<http://www.fsf.org/register_form?referrer=2325>

More information about the samba-technical mailing list