Privileges required to join windows domains

Andrew Bartlett abartlet at
Wed Mar 21 14:57:13 MDT 2012

On Wed, 2012-03-21 at 14:24 +0000, Sam Liddicott wrote:
> Samba4 libnetjoin considers failure to set msDS-SupportedEncryptionTypes to
> be fatal unless the error was LDB_ERR_NO_SUCH_ATTRIBUTE
> However, windows domains long have a tradition of admin privileges not
> being required to join the domain, as well as being able specifically
> specify a user or group who may join a machine to the domain if the machine
> account is pre-created. In these cases the msDS-SupportedEncryptionTypes
> attribute cannot be set when joining the domain.
> I think that failure to set msDS-SupportedEncryptionTypes merits a warning,
> not a fatal error. Anyone disagree?

In this case, how do you suggest (or how does Windows) set the supported
encryption types, to enable AES keys?

Once we know this, we can choose a different approach.  As somewhere to
look, it may be related to netlogon calls.


Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list