[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

Raj Pagaku rpagaku at ironport.com
Fri Nov 10 21:24:48 GMT 2006


Thanks Jerry for your response as well as the useful link to the
reference article.

Once I delegated the following Permissions for the specific 'Domain
User' on the 'Computer Objects' on my AD server, I was able to join the
Samba system to the domain.

Permissions Delegated via the 'Delegation Control Wizard':
1> Allow 'Write DNS Host Name Attributes' property
2> Allow 'Write Service Principal Name' property

I am sharing the steps I performed on my Windows 2003 AD server for
benefit of others:

* Invoke the 'Delegate Control Wizard' for the 'Computers'
* Add the specific 'Domain User' to the 'Selected users and groups'.
* Create a custom task to delegate.
* Select the 'Computer Objects'
* Select the 'Property-Specific'. Then select the 'Write dNSHostName'
and the 'Write servicePrincipalName'
* Finish your task

If there are any known side-effects of delegating these permissions,
please let me know.

Thanks
Raj Pagaku

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Friday, November 10, 2006 11:16 AM
> To: Raj Pagaku
> Cc: Jean-Vincent BAYARRI; samba at lists.samba.org
> Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
> servicePrincipalNames
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Raj Pagaku wrote:
> > Thanks Jerry for your response.  It is case (b).  The fqdn of the
> > local machine is set to a domain outside the AD domain name and the user
> > credentials being used are 'Domain User' and not a 'Domain Admin'.
> >
> > Do we need 'Domain Admin' if the local machine domain is outside the
> > AD domain name?  Is this a restriction that will be addressed in the
> > near future?
> 
> This is an AD restriction on the default security assigned
> to a computer object.  When a non-admin is given the right
> to join a specific machine to the domain, that user is only
> granted validated write access to the DnsHostName and
> servicePrincipalName attributes.  A Windows XP box would fail
> to join the domain in the same way.
> 
> This doc explains it:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
> 
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
> 
> iD8DBQFFVM/aIR7qMdg1EfYRAhswAKDYOM4LWTHDgsQGKv195kwT9Quo5wCg6xfA
> NhDch9dN3aADNwSpQ70fxAE=
> =VrII
> -----END PGP SIGNATURE-----
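The wizard steps from the message above, as an added PowerShell example that is not part of the original thread and not Samba's own code: it grants the same two property writes (dNSHostName and servicePrincipalName) on computer objects to a join account through the ADSI interfaces, then reads the ACL back so the delegation can be checked. The account name EXAMPLE\sambajoin and the OU distinguished name are assumptions; the attribute and class GUIDs are resolved from the live schema rather than hardcoded. The -ValidatedOnly switch grants the narrower "validated write" rights instead, which is what AD gives a non-admin by default; as Jerry's reply explains, that is exactly what fails when the machine's FQDN lies outside the AD domain, so it is offered here for the in-domain case only.

```powershell
# Added example: delegate Write dNSHostName / Write servicePrincipalName on
# computer objects under one OU to a dedicated join account.
# Hypothetical names: EXAMPLE\sambajoin and OU=SambaHosts,DC=example,DC=com.
param(
    [string]$Account = 'EXAMPLE\sambajoin',
    [string]$ScopeDN = 'OU=SambaHosts,DC=example,DC=com',
    [switch]$ValidatedOnly    # grant validated writes (ADS_RIGHT_DS_SELF) instead of WriteProperty
)

# Resolve a schemaIDGUID from the forest schema so nothing is hardcoded.
function Get-SchemaGuid([string]$LdapDisplayName, [string]$ObjectClass) {
    $schemaNC = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = "(&(objectClass=$ObjectClass)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $entry = $searcher.FindOne()
    if ($null -eq $entry) { throw "Schema object '$LdapDisplayName' not found" }
    $bytes = [byte[]]$entry.Properties['schemaidguid'][0]
    return New-Object Guid -ArgumentList (,$bytes)
}

# Build one ACE: Allow <right> on one attribute, inherited by computer objects only.
function New-ComputerPropertyAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [Guid]$AttributeGuid,
        [Guid]$ComputerClassGuid,
        [switch]$Validated
    )
    # WriteProperty is what the wizard's "Write dNSHostName" entry grants;
    # Self is the validated-write right that AD hands out by default.
    $right = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    if ($Validated) { $right = [System.DirectoryServices.ActiveDirectoryRights]::Self }
    $ctorArgs = @(
        $Sid,
        $right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid
    )
    return New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

# Resolve the account to a SID; ACEs are stored by SID, not by name.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

$computerClass = Get-SchemaGuid -LdapDisplayName 'computer' -ObjectClass 'classSchema'
$scope = [ADSI]"LDAP://$ScopeDN"

foreach ($attr in 'dNSHostName', 'servicePrincipalName') {
    $attrGuid = Get-SchemaGuid -LdapDisplayName $attr -ObjectClass 'attributeSchema'
    $ace = New-ComputerPropertyAce -Sid $sid -AttributeGuid $attrGuid `
                                   -ComputerClassGuid $computerClass -Validated:$ValidatedOnly
    $scope.psbase.ObjectSecurity.AddAccessRule($ace)
}
$scope.psbase.CommitChanges()

# Read the ACL back from a fresh binding and show only what this account holds.
$check = [ADSI]"LDAP://$ScopeDN"
$check.psbase.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as a user who may modify the OU's security descriptor (a domain admin, or an owner of the OU), then join from the Samba host with `net ads join -U sambajoin`. Two caveats worth keeping in mind when answering the "side effects" question: an unvalidated WriteProperty on servicePrincipalName lets the join account register any SPN on any computer object in scope, including one that duplicates another host's, whereas the validated write only accepts SPNs and host names that match the object's own name and the domain's DNS suffix. Scoping the ACE to a dedicated OU rather than the whole Computers container, and using a dedicated join account rather than a personal one, keeps that exposure small.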

