[Samba] Why not using the windows configuration wizard (joining a domain) with Samba-3?
Eric Roseme
eroseme at emonster.rose.hp.com
Tue Dec 13 17:03:35 GMT 2005
John H Terpstra wrote:
>On Monday 12 December 2005 02:22, Michael Billerbeck wrote:
>
>
>>Hi,
>>
>>On Monday 12 December 2005 09:46, John H Terpstra wrote:
>>
>>
>>>On Sunday 11 December 2005 15:51, Michael Billerbeck wrote:
>>>
>>>
>>>>Hello,
>>>>
>>>>in the Samba How-to I've read not to use the configuration wizard with
>>>>samba-3 when joining a domain.
>>>>Why that? Is there a problem?
>>>>
>>>>Thanks,
>>>>Michael
>>>>
>>>>
>>>Please point me at the specific reference in the HOWTO. I need to
>>>understand what causes you concern.
>>>
>>>Please help me to understand your concern. If the documentation is
>>>inadequate I must correct or extend it.
>>>
>>>Thanks.
>>>
>>>
>>In chapter 8.2.2 Joining a domain: Windows 2000/XP Professional (on page
>>131) point 4 says:
>>"Click the computer name tab. [...] Clicking the Network ID button will
>>launch the configuration wizard. Do not use this with Samba-3."
>>I was asking this because I used it also with Samba-3 and I would like to
>>know if there are some side effects when using it or why it is explicitly
>>mentioned.
>>
>>
>
>Joining through use of this tool did not work with early releases of Samba-3.
>Try it. Let me know if it works now.
>
>PS: If you try the NetworkID Wizard, and it fails, reboot the Windows PC
>before attempting to use the "Change" button. In the past, a failure when
>using the NetworkID wizard would hose up the Windows client so that it then
>could not resolve the netbios name of the domain controller.
>
>- John T.
>
>
Using the Users and Computers MMC adds the Samba computer object with a
different UserAccountControl attribute value than when you use "net ads
join". It used to be that the (apparent) default value of 4128 would
not allow auth-n with MD5. I just tested this (W2003SP1 and 3.0.14a)
and it now works with MD5. In other words, using the MMC to add the
computer object, then doing a "net ads join" (Modifying Existing
Object), now results in successful client auth-n - at least in this test
case. I have heard the same testimony from other sources. I would
still recommend adding the object with the "net ads join", and the
resulting UserAccountControl attribute value of 2166784.
Eric Roseme
Hewlett-Packard
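
The two UserAccountControl values quoted in the message above (4128 and 2166784) are bit masks, so decoding them shows exactly which account flags differ between the two ways of creating the computer object. The following is an added example, not part of the original post; the flag names and bit values are Microsoft's documented userAccountControl flags (a subset), and the function names are hypothetical.

```python
# Added example: decode and compare Active Directory userAccountControl masks.
# Flag names/bits follow Microsoft's documented userAccountControl values (subset).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags an auditor normally wants called out on a machine account (assumed policy).
REVIEW = {"PASSWD_NOTREQD", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
          "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value):
    """Return (flag names set in value, leftover bits not in the table)."""
    names, unknown = [], value
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
            unknown &= ~bit
    return names, unknown


def compare_uac(a, b):
    """Flags set only in a, only in b, and in both."""
    fa, fb = set(decode_uac(a)[0]), set(decode_uac(b)[0])
    return sorted(fa - fb), sorted(fb - fa), sorted(fa & fb)


def review_flags(value):
    """Subset of set flags that deserve a second look during an audit."""
    return sorted(set(decode_uac(value)[0]) & REVIEW)


if __name__ == "__main__":
    mmc_created, net_ads_join = 4128, 2166784   # values quoted in the message
    for label, v in (("MMC", mmc_created), ("net ads join", net_ads_join)):
        names, unknown = decode_uac(v)
        print(f"{label:13} {v:>8} {hex(v):>9} {names} unknown={hex(unknown)}")
    print("only MMC / only join / both:", compare_uac(mmc_created, net_ads_join))
    print("review:", review_flags(mmc_created), review_flags(net_ads_join))
```

Decoded, 4128 is WORKSTATION_TRUST_ACCOUNT plus PASSWD_NOTREQD, while 2166784 is WORKSTATION_TRUST_ACCOUNT plus DONT_EXPIRE_PASSWORD and USE_DES_KEY_ONLY.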