samba4 net join with pre-existing account

Sam Liddicott sam at liddicott.com
Mon Aug 9 06:47:41 MDT 2010


Andrew; this relates to your commit: 
26fde8dee17b02eb064c6410d781709094ce5160

the additional servicePrincipalNames cause samba4 to fail to join a 
domain with a non-admin account because of these lines in libnet_join.c:

    service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s",
                                                dns_host_name);
    service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s",
                                                strlower_talloc(tmp_ctx, r->in.netbios_name));
    service_principal_name[2] = talloc_asprintf(tmp_ctx, "host/%s/%s",
                                                dns_host_name, realm);
    service_principal_name[3] = talloc_asprintf(tmp_ctx, "host/%s/%s",
                                                strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
    service_principal_name[4] = talloc_asprintf(tmp_ctx, "host/%s/%s",
                                                dns_host_name, r->out.domain_name);
    service_principal_name[5] = talloc_asprintf(tmp_ctx, "host/%s/%s",
                                                strlower_talloc(tmp_ctx, r->in.netbios_name),
                                                r->out.domain_name);

The first two lines are normal (compared to a windows XP client - 
although windows has the word "host" uppercase, and the netbios name 
also upper case).

Some (or all) of the additional lines committed in 
26fde8dee17b02eb064c6410d781709094ce5160 cause this LDAP error when the 
account is provisioned by a non-admin account:

Constrant Violation: Error Message: 0000200B: AtrErr: DSID-03153F70, 
#1:\x0a\x090: 0000200B: DSID-03153F70, problem 1005 
(CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\x0a

A non-admin account might be used to join a domain for at least these 
reasons:
1. it is default policy for domains that non-admin users can join up to 
10 accounts (http://support.microsoft.com/?id=251335)
2. if a machine account is pre-created, it is possible to specify the 
user account that can join the machine to the domain (and this can be a 
non-admin account - even the machine account itself, if a password is 
assigned).

So... I hope we can re-visit your reasons for adding these names for 
non-bdc accounts. Maybe we can avoid this, or fall-back to the first two 
names if it fails for non-bdc accounts.


Sam

On 06/08/10 17:18, Sam Liddicott wrote:
>  I find that if I pre-create the machine account, at the point of
> creation I get to specify the user or group that can join the computer 
> to the domain. The magic token SELF means that the machine can join 
> itself to the domain (or anyone claiming to be the machine):
>
> If only samba4's net join could use the "no password" that is created 
> for the initial machine account. However:
> c:> net user <machine-name> <new-password> /DOMAIN
>
> can be used to set the password for the account such that "net join" 
> on samba will be able to join the domain. (Of course -U <machine-name> 
> --password=<new-password> must be used, -P won't work yet!)
>
> However we get a final failure:
> Joining domain failed: Failed to replace entries on 
> CN=...,CN=Computers,DC=bah,DC=blah...
>
> This error suggests that Samba's join is doing something not expected 
> by this KB article: http://support.microsoft.com/?id=251335 but the 
> error can be made to go away if I edit the advanced security 
> properties of the pre-created account and add "read/write all 
> properties" - I'm still tracking down which properties are needed.
>
> Sam
>
> On 09/07/10 17:56, Sam Liddicott wrote:
>>  Is it possible to have samba4 join a domain without providing the 
>> administrator password (as can be done on windows) by pre-creating 
>> the computer account before provisioning?
>>
>> Normally I have my samba4 server join a domain with:
>>
>> $ net join $WORKGROUP member --realm=$REALM -U Administrator
>>
>> and provide a domain Administrator password
>>
>> I read here: http://support.microsoft.com/kb/150493
>>
>> that it should be possible to pre-create the computer account on the 
>> domain controller with something like:
>> c:\> netdom add $SAMBAHOST
>>
>> (which works)
>> and then on the client:
>> c:\> NETDOM /Domain:MYDOMAIN MEMBER $SAMBAHOST /JOINDOMAIN
>>
>> The samba4 equivalent "net join" doesn't seem to have an option that 
>> doesn't require an administrator password.
>>
>> Possibly samba3 "net ads" can handle this - but I recall that samba4 
>> "net join" uses netbios to join the domain instead of the rpc's used 
>> by samba3.
>>
>> I think I've now danced around the question; is the answer:
>> 1. I need to bring "net ads" to samba 4
>> 2. something else
>>
>> thanks
>>
>> Sam
>>
>
>


-- 
[FSF Associate Member #2325] 
<http://www.fsf.org/register_form?referrer=2325>
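Added example (not part of the original mail, nor Samba's own code): a plain-C reconstruction of the servicePrincipalName list that the quoted libnet_join.c lines build, with a flag that limits the list to the first two names (the ones a Windows XP client also registers), i.e. the fall-back proposed above for joins with a non-admin account. Host, realm and domain values are constructed; strlower_talloc/talloc_asprintf are replaced by a local lower-case copy and snprintf.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SPNS 6      /* entries libnet_join.c registers on a full join */
#define SPN_LEN  256    /* constructed buffer size per SPN */

/* Lower-case copy of src into dst (stand-in for strlower_talloc). */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Build the SPN set in the same order as the quoted libnet_join.c code.
 * full == 1: all six names (host/<dns>, host/<netbios>, then each with
 *            "/<realm>" and "/<domain>" appended).
 * full == 0: only the first two names, the proposed non-admin fall-back.
 * Returns the number of entries written into spns[]. */
int build_spns(const char *dns_host_name, const char *netbios_name,
               const char *realm, const char *domain_name,
               int full, char spns[MAX_SPNS][SPN_LEN])
{
    char nb[SPN_LEN];
    int n = 0;

    lower_copy(nb, netbios_name, sizeof nb);
    snprintf(spns[n++], SPN_LEN, "host/%s", dns_host_name);
    snprintf(spns[n++], SPN_LEN, "host/%s", nb);
    if (!full)
        return n;
    snprintf(spns[n++], SPN_LEN, "host/%s/%s", dns_host_name, realm);
    snprintf(spns[n++], SPN_LEN, "host/%s/%s", nb, realm);
    snprintf(spns[n++], SPN_LEN, "host/%s/%s", dns_host_name, domain_name);
    snprintf(spns[n++], SPN_LEN, "host/%s/%s", nb, domain_name);
    return n;
}

int main(void)
{
    /* Constructed sample values, not taken from any real domain. */
    char spns[MAX_SPNS][SPN_LEN];
    int full = build_spns("fs1.example.com", "FS1", "EXAMPLE.COM",
                          "EXAMPLE", 1, spns);
    for (int i = 0; i < full; i++)
        printf("full     : %s\n", spns[i]);
    int fb = build_spns("fs1.example.com", "FS1", "EXAMPLE.COM",
                        "EXAMPLE", 0, spns);
    for (int i = 0; i < fb; i++)
        printf("fall-back: %s\n", spns[i]);
    return 0;
}
```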