[Samba] Joining a domain.

A. James Lewis james at fsck.co.uk
Thu Sep 21 19:30:29 UTC 2017


What I don't understand is that the Windows team here are really restrictive, and I have no administrative rights in the domain; however, I verified that I could authenticate with Kerberos, using kinit, and then "net ads join -k", and I am able to authenticate against the domain, and gain access to idmap UID/GID mapping...

So, what I don't understand is what the join process does. If I am able to authenticate, having performed this "net ads join -k" dance, am I only configuring Samba? Because according to our Windows team, I have no rights in the domain to "join" a computer, and I thought that was required to authenticate!

James


September 21, 2017 8:08 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 21 Sep 2017 18:01:08 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> Hi,
>> 
>> I hope it's not a stupid question, but I'm mainly a Linux admin, and
>> I'm really looking at Samba because of winbind, but there's something
>> I don't really understand....
>> 
>> People keep talking about computer accounts and joining the domain,
>> but the guide I followed required "net ads join -k", which doesn't
>> appear to require authentication, and so cannot have actually done
>> anything on the domain, so I don't really understand what happens on
>> the AD controller side, or if I need to somehow register with the
>> domain, or if I can just authenticate anyway... and/or what net ads
>> join -k did?
>> 
>> I hope someone can clarify this for me.
> 
> You need to authenticate to join a computer to an AD domain; you can
> do this with -U username or -U username%password, the only difference
> is that the first one will prompt for the password. If you don't
> provide a username, the logged-in user's name will be used. The
> 'username' must be a user with the correct rights to join a computer to
> the domain.
> 
> Using '-k' is a bit different: you can still use -U but you don't need
> the password and will not be prompted for one. Whenever '-k' is used
> to join the domain, 'kinit' will need to have been run beforehand to
> obtain a Kerberos ticket. This can just be 'kinit', in which case a ticket
> will be obtained for the logged-in user, or 'kinit username'; in this
> instance, the ticket will be obtained for 'username'.
> 
> HTH
> 
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


