[Samba] Joining a domain.

Rowland Penny rpenny at samba.org
Fri Sep 22 07:49:42 UTC 2017


On Thu, 21 Sep 2017 22:06:10 +0100
"A. James Lewis" <james at fsck.co.uk> wrote:

> On 21/09/17 20:48, Rowland Penny via samba wrote:
> > On Thu, 21 Sep 2017 19:30:29 +0000
> > "A. James Lewis" <james at fsck.co.uk> wrote:
> >
> >> What I don't understand is that the Windows team here are really
> >> restrictive, and I have no administrative rights in the domain,
> >> however I verified that I could authenticate with Kerberos, using
> >> kinit, and then "net ads join -k", and I am able to authenticate
> >> against the domain, and gain access to idmap UID/GID mapping...
> >>
> >> So, what I don't understand is what the join process does, if I am
> >> able to authenticate, having performed this "net ads join -k"
> >> dance, am I only configuring Samba? because according to our
> >> Windows team, I have no rights in the domain to "join" a computer,
> >> and I thought that was required to authenticate!
> >>
> > They are not being that restrictive LOL
> >
> > Unless changes are made, any AD user can join up to 10 computers to
> > a Windows AD domain, as you have found out. If you are not running
> > Samba as an AD DC, you are not joining the computer to Samba, you
> > are joining it to AD.
> >
> > Rowland
> 
> That's interesting, and TBH I might argue that that's worse, I feel
> they have denied me vital need to know information by telling me that
> I cannot do that, thus making me run around trying to find someone
> who would agree to join my test box to the domain, having them argue
> that I need to join it to their test domain which doesn't have any
> users in it, thus defeating the object of the exercise.... etc. etc.
> 
> What determines this 10 machines, and is it ever reset?

I bet they don't know, so it is up to you if you want to tell them ;-)

Have a look here for more info:

https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/

Rowland




