samba4 net join with pre-existing account
Stefan (metze) Metzmacher
metze at samba.org
Mon Aug 9 07:57:57 MDT 2010
Hi Sam,
> Andrew; this relates to your commit:
> 26fde8dee17b02eb064c6410d781709094ce5160
>
> the additional servicePrincipalNames cause samba4 to fail to join a
> domain with a non-admin account because of these lines in libnet_join.c:
>
> service_principal_name[0] = talloc_asprintf(tmp_ctx,
>         "host/%s", dns_host_name);
> service_principal_name[1] = talloc_asprintf(tmp_ctx,
>         "host/%s", strlower_talloc(tmp_ctx, r->in.netbios_name));
> service_principal_name[2] = talloc_asprintf(tmp_ctx,
>         "host/%s/%s", dns_host_name, realm);
> service_principal_name[3] = talloc_asprintf(tmp_ctx,
>         "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
> service_principal_name[4] = talloc_asprintf(tmp_ctx,
>         "host/%s/%s", dns_host_name, r->out.domain_name);
> service_principal_name[5] = talloc_asprintf(tmp_ctx,
>         "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name),
>         r->out.domain_name);
>
> The first two lines are normal (compared to a windows XP client -
> although windows has the word "host" uppercase, and the netbios name
> also upper case).
>
> Some (or all) of the additional lines committed in
> 26fde8dee17b02eb064c6410d781709094ce5160 cause this LDAP error when the
> account is provisioned by a non-admin account:
>
> Constrant Violation: Error Message: 0000200B: AtrErr: DSID-03153F70,
> #1:\x0a\x090: 0000200B: DSID-03153F70, problem 1005
> (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\x0a
Against all Windows versions? Years ago I read that some Windows versions
don't allow this via LDAP, but only via DsWriteAccountSpn().
metze
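
An added example, not part of the thread and not Samba's own code: a small C parser for the extended LDAP error string quoted above, which pulls out the directory error code, the problem code and the attribute the server rejected. The struct and function names are this example's own, and reading the `Att` number as hexadecimal is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Error text from the quoted message above, with the e-mail line wraps joined. */
static const char SAMPLE_ERROR[] =
	"0000200B: AtrErr: DSID-03153F70, #1:\\x0a\\x090: 0000200B: DSID-03153F70, "
	"problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\\x0a";

/* Fields of the extended error string (hypothetical struct for this example). */
struct ad_ext_error {
	unsigned long win32_code;   /* leading hex code, e.g. 0x200B */
	char dsid[32];              /* DSID-xxxxxxxx tag */
	unsigned int problem;       /* numeric problem code, decimal */
	char problem_name[48];      /* symbolic name in parentheses */
	unsigned long att_id;       /* attribute id, parsed as hex (assumption) */
	char att_name[64];          /* attribute name in parentheses */
};

/* Returns 0 on success, -1 if any expected field is missing. */
int parse_ad_ext_error(const char *msg, struct ad_ext_error *out)
{
	const char *p;

	memset(out, 0, sizeof(*out));
	if (sscanf(msg, "%8lx:", &out->win32_code) != 1)
		return -1;
	p = strstr(msg, "DSID-");
	if (p == NULL || sscanf(p, "%31[A-Za-z0-9-]", out->dsid) != 1)
		return -1;
	p = strstr(msg, "problem ");
	if (p == NULL || sscanf(p, "problem %u (%47[^)])",
				&out->problem, out->problem_name) != 2)
		return -1;
	p = strstr(p, "Att ");
	if (p == NULL || sscanf(p, "Att %lx (%63[^)])",
				&out->att_id, out->att_name) != 2)
		return -1;
	return 0;
}

int main(void)
{
	struct ad_ext_error e;
	if (parse_ad_ext_error(SAMPLE_ERROR, &e) != 0) return 1;
	printf("code=0x%lX %s problem=%u (%s) att=0x%lX (%s)\n", e.win32_code,
	       e.dsid, e.problem, e.problem_name, e.att_id, e.att_name);
	return 0;
}
```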