Privileges required to join windows domains
abartlet at samba.org
Wed Mar 21 14:57:13 MDT 2012
On Wed, 2012-03-21 at 14:24 +0000, Sam Liddicott wrote:
> Samba4 libnetjoin considers failure to set msDS-SupportedEncryptionTypes to
> be fatal unless the error was LDB_ERR_NO_SUCH_ATTRIBUTE
> However, windows domains long have a tradition of admin privileges not
> being required to join the domain, as well as being able specifically
> specify a user or group who may join a machine to the domain if the machine
> account is pre-created. In these cases the msDS-SupportedEncryptionTypes
> attribute cannot be set when joining the domain.
> I think that failure to set msDS-SupportedEncryptionTypes merits a warning,
> not a fatal error. Anyone disagree?
In this case, how do you suggest (or how does Windows) set the supported
encryption types, to enable AES keys?
Once we know this, we can choose a different approach. As somewhere to
look, it may be related to netlogon calls.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical