Privileges required to join windows domains

Andrew Bartlett abartlet at samba.org
Thu Mar 22 19:34:53 MDT 2012


On Thu, 2012-03-22 at 15:41 +0000, Sam Liddicott wrote:
> On Wed, Mar 21, 2012 at 8:57 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Wed, 2012-03-21 at 14:24 +0000, Sam Liddicott wrote:
> > > Samba4 libnetjoin considers failure to set msDS-SupportedEncryptionTypes
> > > to be fatal unless the error was LDB_ERR_NO_SUCH_ATTRIBUTE.
> > >
> > > However, Windows domains long have a tradition of admin privileges not
> > > being required to join the domain, as well as being able to specifically
> > > specify a user or group who may join a machine to the domain if the
> > > machine account is pre-created. In these cases the
> > > msDS-SupportedEncryptionTypes attribute cannot be set when joining the
> > > domain.
> > >
> > > I think that failure to set msDS-SupportedEncryptionTypes merits a
> > > warning, not a fatal error. Anyone disagree?
> >
> > In this case, how do you suggest (or how does Windows) set the supported
> > encryption types, to enable AES keys?
> >
> > Once we know this, we can choose a different approach.  As somewhere to
> > look, it may be related to netlogon calls.
> >
> 
> 
> I think that in such cases it cannot set these properties; and in joining
> Windows XP to the domain using a non-privileged account I see that this is
> the case.
> 
> Even after logging in to the domain from the newly joined member, these
> values are also not set.
> 
> On a Windows 7 client that was joined using domain admin
> credentials, msDS-SupportedEncryptionTypes is still not set.
> 
> Samba insists on setting msDS-SupportedEncryptionTypes or it fails.
> 
> Perhaps the difference occurs because I am using Windows 2003 server and
> perhaps you are thinking of 2008?

Certainly we need to see how a Windows 7 client sets this against a
Windows 2008 server.  Then we can do the same, and therefore escape the
need for admin privileges.

As I say, this may be related to the netlogon operations, or operations as
the machine account itself.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
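As an added audit example (not from this thread and not Samba's own code): the discussion above says a member joined with a non-privileged account ends up with no msDS-SupportedEncryptionTypes at all, so a domain admin may want to find such accounts. The script below reads LDIF of the kind ldbsearch or ldapsearch prints and flags computer accounts that have no value or no AES bits; the sample LDIF, DNs and account names are constructed, and the bit values are the documented msDS-SupportedEncryptionTypes flags.

```python
# Audit computer accounts for missing or non-AES msDS-SupportedEncryptionTypes.
import re

# Documented bit values of msDS-SupportedEncryptionTypes (MS-KILE).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

# Constructed sample LDIF (not from a real domain): one account joined
# without the attribute, one with RC4+AES, one RC4-only.
SAMPLE_LDIF = """\
dn: CN=XPMEMBER,CN=Computers,DC=example,DC=test
sAMAccountName: XPMEMBER$

dn: CN=WIN7MEMBER,CN=Computers,DC=example,DC=test
sAMAccountName: WIN7MEMBER$
msDS-SupportedEncryptionTypes: 28

dn: CN=LEGACY,CN=Computers,DC=example,DC=test
sAMAccountName: LEGACY$
msDS-SupportedEncryptionTypes: 4
"""

def parse_ldif(text):
    """Split simple LDIF into {dn: {attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def decode_enc_types(value):
    """Names of the encryption types whose bits are set in value."""
    return [name for bit, name in ENC_TYPES.items() if value & bit]

def audit(ldif_text):
    """Return {dn: finding} for accounts that advertise no AES key types."""
    findings = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        raw = attrs.get("msDS-SupportedEncryptionTypes")
        if raw is None:
            findings[dn] = "attribute not set (AES not advertised)"
        elif not int(raw[0]) & AES_MASK:
            findings[dn] = "no AES bits: " + ", ".join(decode_enc_types(int(raw[0])))
    return findings

if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF).items():
        print(dn, "->", finding)
```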