Privileges required to join windows domains

Sam Liddicott sam at liddicott.com
Thu Mar 22 09:41:53 MDT 2012


On Wed, Mar 21, 2012 at 8:57 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2012-03-21 at 14:24 +0000, Sam Liddicott wrote:
> > Samba4 libnetjoin considers failure to set msDS-SupportedEncryptionTypes
> to
> > be fatal unless the error was LDB_ERR_NO_SUCH_ATTRIBUTE
> >
> > However, windows domains long have a tradition of admin privileges not
> > being required to join the domain, as well as being able specifically
> > specify a user or group who may join a machine to the domain if the
> machine
> > account is pre-created. In these cases the msDS-SupportedEncryptionTypes
> > attribute cannot be set when joining the domain.
> >
> > I think that failure to set msDS-SupportedEncryptionTypes merits a
> warning,
> > not a fatal error. Anyone disagree?
>
> In this case, how do you suggest (or how does Windows) set the supported
> encryption types, to enable AES keys?
>
> Once we know this, we can choose a different approach.  As somewhere to
> look, it may be related to netlogon calls.
>


I think that in such cases it cannot set these properties; and in joining
windowsXP to the domain using a non-privileged account I see that this is
the case.

Even after logging in to the domain from the newly joined member, these
values are also not set.

On a windows 7 client that was joined using domain admin
credentials, msDS-SupportedEncryptionTypes is still not set.

Samba insists on setting msDS-SupportedEncryptionTypes or it fails.

Perhaps the difference occurs because I am using windows 2003 server and
perhaps you are thinking of 2008?

Sam


More information about the samba-technical mailing list