[Samba] net ads join fails with pre-created machine accounts

Rowland Penny rpenny at samba.org
Mon Nov 6 10:47:46 UTC 2017


On Mon, 6 Nov 2017 09:15:07 +0000
"Osipov, Michael via samba" <samba at lists.samba.org> wrote:

> Hi folks,
> 
> we have recently tried to join several FreeBSD machines to your
> forest where the machine accounts were pre-created by the core admin
> team. We did as root:
> 
> # kinit 'machine-name$'
> # net ads join ...
> 
> Unfortunately, it failed with an error that several attributes cannot
> be set which are available to domain admins only. It ultimately means
> that one cannot use pre-created accounts. This is somewhat of a
> problem because getting a session with an admin to kinit via SSH and
> have the join done requires a lot of communication effort back and
> forth. It is way easier to have the account pre-created
> asynchronously and not to rely on the admin anymore. Moreover, I am
> quite certain that reset account is not supported for a domain member
> via 'net ads ...'.
> 
> This makes provisioning machines quite hard. Is there any reasonable
> workaround for now, or better in the works? Shall I file an issue for
> that?
> 
> We are using samba46-4.6.8 from the ports tree.
> 
> Best regards,
> 
> Michael
> 
> 

You could ask the 'core admin team' to delegate the join permission to
a user or group, instead of using the computer's ticket.

Rowland



