[Samba] net ads join fails with pre-created machine accounts

Osipov, Michael michael.osipov at siemens.com
Mon Nov 6 11:49:52 UTC 2017


> On Mon, 6 Nov 2017 09:15:07 +0000
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
> 
> > Hi folks,
> >
> > we have recently tried to join several FreeBSD machines to your
> > forest where the machine accounts were pre-created by the core admin
> > team. We did as root:
> >
> > # kinit 'machine-name$'
> > # net ads join ...
> >
> > Unfortunately, it failed with an error that several attributes cannot
> > be set which are available to domain admins only. It ultimately means
> > that one cannot use pre-created accounts. This is somewhat of a
> > problem because getting a session with an admin to kinit via SSH and
> > have the join done requires a lot of communication effort back and
> > forth. It is way easier to have the account pre-created
> > asynchronously and not to rely on the admin anymore. Moreover, I am
> > quite certain that reset account is not supported for a domain member
> > via 'net ads ...'.
> >
> > This makes provisioning machines quite hard. Is there any reasonable
> > workaround for now, or better in the works? Shall I file an issue for
> > that?
> >
> > We are using samba46-4.6.8 from the ports tree.
> >
> > Best regards,
> >
> > Michael
> >
> >
> 
> You could ask the 'core admin team' to delegate the join permission to
> a user or group, instead of using the computers ticket.

They actually do, but those people are limited per top-level OU as I am
confined to one OU only. This won't be any better. I'd like to avoid any
human admin interaction by requesting automated machine account creation
in the next step. If you consider that people get sick or leave for vacation,
you are out of luck.

Michael

