[Samba] Joining an AD domain without password

Andreas andreas at conectiva.com.br
Mon Sep 13 20:52:36 GMT 2004


On Mon, Sep 13, 2004 at 04:42:04PM -0300, Andreas wrote:
> On Mon, Sep 13, 2004 at 10:57:22AM -0300, Andreas wrote:
> > samba-3.0.6, win2k with all patches from windowsupdate as of last
> > friday
> > 
> > Should it be possible to join an AD domain (win2k) without a password
> > on the client side if the machine is already created in the ou=Computers
> > container? I seem to be unable to do this: either "net ads join" will ask
> > for a password or it will try with the current user's kerberos ticket and
> > fail if this user doesn't have the right privileges.
> > 
> > This seemed to work with "net rpc join" when win2k is not in its native mode.
> > Am I missing something?
> 
> When I created the computer account in w2k, I selected the "Authenticated users"
> to be permitted to join the machine to the domain. From a winxp pro workstation,
> I could use any user to perform the joining, but from samba only administrators
> or members of the account operators group could join the domain. Is samba doing
> something differently that I'm not aware of?

Samba's "net ads join" is indeed different. I sniffed the join operation from winxp pro
and samba-3.0.7. Samba uses ldap to change attributes on AD (and it's here that it
gets a permission denied error) and later on uses kerberos to change the machine's
password. Winxp uses something completely different.
