"net rpc join" with "security = domain" regression

Bjoern Baumbach bb at sernet.de
Thu Mar 6 04:14:03 MST 2014

On 03/05/2014 09:19 PM, Andrew Bartlett wrote:
> On Wed, 2014-03-05 at 14:13 +0100, Bjoern Baumbach wrote:
>> > So there should be a test that tries to join an *AD domain* using
>> > security=domain.
> My view is we should not support that.  I would very much like to
> understand the use case for this operation, because it seems like an
> additional complexity we just don't need.

I use security=domain on systems where I do not want to change or care
about the DNS settings. Furthermore, there could be systems without an RTC
and no need for correct time settings.

In my opinion there should be a way to enforce NT style domain
membership and ignore the AD stuff.

> Ideally, we would eventually deprecate security=domain, and like Windows
> clients, join the domain and check that the domain is AD, and if so
> store that as an assertion in secrets.tdb.  My view is that the
> confusing difference between 'security=domain' and 'security=ads' should
> not be exposed to our users.

I agree, that could be nice to some users - but there should be an
option to enforce the nt join.

Best regards

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet at CeBIT: 10 - 14 March 2014, Hall 6, Booth G10
The latest on SAMBA, verinice, firewalls and Linux!
Request free tickets by mail to cebit at sernet.de.
