samba4 net join with pre-existing account

Sam Liddicott sam at liddicott.com
Mon Aug 9 08:05:21 MDT 2010


  On 09/08/10 14:57, Stefan (metze) Metzmacher wrote:
> Hi Sam,
>
>> Andrew; this relates to your commit:
>> 26fde8dee17b02eb064c6410d781709094ce5160
>>
>> the additional servicePrincipalNames cause samba4 to fail to join a
>> domain with a non-admin account because of these lines in libnet_join.c:
>>
>>     service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s", dns_host_name);
>>     service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s", strlower_talloc(tmp_ctx, r->in.netbios_name));
>>     service_principal_name[2] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, realm);
>>     service_principal_name[3] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
>>     service_principal_name[4] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, r->out.domain_name);
>>     service_principal_name[5] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), r->out.domain_name);
>>
>> The first two lines are normal (compared to a windows XP client -
>> although windows has the word "host" uppercase, and the netbios name
>> also upper case).
>>
>> Some (or all) of the additional lines committed in
>> 26fde8dee17b02eb064c6410d781709094ce5160 cause this LDAP error when the
>> account is provisioned by a non-admin account:
>>
>> Constrant Violation: Error Message: 0000200B: AtrErr: DSID-03153F70,
>> #1:\x0a\x090: 0000200B: DSID-03153F70, problem 1005
>> (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\x0a
> Against all windows versions? Years ago I read that some windows versions
> don't allow this via LDAP, but only via DsWriteAccountSpn().

Well I've only tried Windows XP (as it was handy) against Windows Server 
2008 (sp2 with all the updates).

Sam

-- 
[FSF Associate Member #2325] 
<http://www.fsf.org/register_form?referrer=2325>
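
Added example, not part of the original post and not Samba code: a small C parser that splits the LDAP diagnostic string quoted above into its fields, so a join failure of this kind can be recognised as a constraint on servicePrincipalName rather than a generic error. The names `ad_diag`, `parse_ad_diag`, `paren` and `SAMPLE` are hypothetical, and the sample is the message from the post joined onto one line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the error from the post, joined onto one line. */
static const char SAMPLE[] =
    "0000200B: AtrErr: DSID-03153F70, #1:\\x0a\\x090: 0000200B: DSID-03153F70, "
    "problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\\x0a";

struct ad_diag {                 /* illustrative struct, not a Samba type */
    unsigned long win32;         /* leading hex status, here 0x200B */
    unsigned long problem;       /* decimal problem number */
    unsigned long attrtyp;       /* hex "Att" value */
    char dsid[16], problem_name[40], attr_name[64];
};

/* Copy the text inside the first "(...)" at or after p. */
static int paren(const char *p, char *out, size_t n)
{
    const char *o = strchr(p, '('), *c = o ? strchr(o, ')') : NULL;
    if (!c || (size_t)(c - o - 1) >= n) return -1;
    memcpy(out, o + 1, (size_t)(c - o - 1));
    out[c - o - 1] = '\0';
    return 0;
}

/* Returns 0 on success, -1 if an expected field is missing. */
int parse_ad_diag(const char *msg, struct ad_diag *d)
{
    const char *dsid = strstr(msg, "DSID-"), *prob = strstr(msg, "problem ");
    const char *att = strstr(msg, "Att ");
    char *end;

    memset(d, 0, sizeof(*d));
    d->win32 = strtoul(msg, &end, 16);
    if (end == msg || !dsid || !prob || !att) return -1;
    if (sscanf(dsid + 5, "%15[0-9A-Fa-f]", d->dsid) != 1) return -1;
    d->problem = strtoul(prob + 8, NULL, 10);
    d->attrtyp = strtoul(att + 4, NULL, 16);
    if (paren(prob, d->problem_name, sizeof d->problem_name)) return -1;
    return paren(att, d->attr_name, sizeof d->attr_name);
}

int main(void)
{
    struct ad_diag d;
    if (parse_ad_diag(SAMPLE, &d)) return 1;
    printf("win32=0x%lX dsid=%s problem=%lu (%s) att=0x%lX (%s)\n", d.win32,
           d.dsid, d.problem, d.problem_name, d.attrtyp, d.attr_name);
    return 0;
}
```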

