[Samba] Why not using the windows configuration wizard (joining a domain) with Samba-3?

Eric Roseme eroseme at emonster.rose.hp.com
Tue Dec 13 17:03:35 GMT 2005


John H Terpstra wrote:

>On Monday 12 December 2005 02:22, Michael Billerbeck wrote:
>
>>Hi,
>>
>>On Monday 12 December 2005 09:46, John H Terpstra wrote:
>>
>>>On Sunday 11 December 2005 15:51, Michael Billerbeck wrote:
>>>
>>>>Hello,
>>>>
>>>>in the Samba How-to I've read not to use the configuration wizard with
>>>>samba-3 when joining a domain.
>>>>Why that? Is there a problem?
>>>>
>>>>Thanks,
>>>>Michael
>>>>
>>>Please point me at the specific reference in the HOWTO. I need to 
>>> understand what causes you concern.
>>>
>>>Please help me to understand your concern. If the documentation is
>>>inadequate I must correct or extend it.
>>>
>>>Thanks.
>>>
>>In chapter 8.2.2 Joining a domain: Windows 2000/XP Professional (on page
>>131) point 4 says:
>>"Click the computer name tab. [...] Clicking the Network ID button will
>>launch the configuration wizard. Do not use this with Samba-3."
>>I was asking this because I used it also with Samba-3 and I would like to
>>know if there are some side effects when using it or why it is explicitly
>>mentioned.
>
>Joining through use of this tool did not work with early releases of Samba-3.
>Try it. Let me know if it works now.
>
>PS: If you try the NetworkID Wizard, and it fails, reboot the Windows PC 
>before attempting to use the "Change" button. In the past, a failure when 
>using the NetworkID wizard would hose up the Windows client so that it then 
>could not resolve the netbios name of the domain controller.
>
>- John T.
>
Using the Users and Computers MMC adds the Samba computer object with a 
different UserAccountControl attribute value than when you use "net ads 
join".  It used to be that the (apparent) default value of 4128 would 
not allow auth-n with MD5.  I just tested this (W2003SP1 and 3.0.14a) 
and it now works with MD5.  In other words, using the MMC to add the 
computer object, then doing a "net ads join" (Modifying Existing 
Object), now results in successful client auth-n - at least in this test 
case.  I have heard the same testimony from other sources.  I would 
still recommend adding the object with the "net ads join", and the 
resulting UserAccountControl attribute value of 2166784.

Eric Roseme
Hewlett-Packard
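
The two UserAccountControl values quoted in the message above, decoded bit by bit. This is an added example, not part of the original post or of Samba; the flag names and bit values are Microsoft's documented ADS_UF_* constants, and the account names in the sample are hypothetical.

```python
# Added example: decode the userAccountControl values quoted in the thread.
# Bit values are Microsoft's documented ADS_UF_* constants (subset).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags worth an explanation when they show up on a machine account.
REVIEW = {"PASSWD_NOTREQD", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
          "ENCRYPTED_TEXT_PWD_ALLOWED", "TRUSTED_FOR_DELEGATION"}

def decode_uac(value):
    """Return (set of flag names, leftover bits not in the table)."""
    names, unknown = set(), value
    for bit, name in UAC_FLAGS.items():
        if value & bit:
            names.add(name)
            unknown &= ~bit
    return names, unknown

def compare_uac(a, b):
    """Flags only in a, only in b, and common to both."""
    fa, fb = decode_uac(a)[0], decode_uac(b)[0]
    return fa - fb, fb - fa, fa & fb

def audit(accounts):
    """Map account name -> sorted review-worthy flags (non-empty only)."""
    out = {}
    for name, value in accounts.items():
        hits = decode_uac(int(value))[0] & REVIEW
        if hits:
            out[name] = sorted(hits)
    return out

if __name__ == "__main__":
    # Constructed sample: names are hypothetical, values are from the thread.
    sample = {"SAMBA-MMC$": "4128", "SAMBA-NETADS$": "2166784"}
    for acct, val in sample.items():
        print(acct, val, sorted(decode_uac(int(val))[0]))
    print(compare_uac(4128, 2166784))
    print(audit(sample))
```

Both values carry WORKSTATION_TRUST_ACCOUNT; 4128 adds PASSWD_NOTREQD, while 2166784 adds DONT_EXPIRE_PASSWORD and USE_DES_KEY_ONLY.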

