[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
dan at reportallusa.com
Wed Feb 7 14:08:44 UTC 2018
Quoting Dan Oriani via samba <samba at lists.samba.org>:
> Quoting Dan Oriani via samba <samba at lists.samba.org>:
>> Quoting Rowland Penny via samba <samba at lists.samba.org>:
>>> On Tue, 06 Feb 2018 14:09:08 -0500
>>> Dan Oriani via samba <samba at lists.samba.org> wrote:
>>>> I'm not opposed to the idea. Does 'net ads join' support supplying
>>>> the machine name as the user, and the one-time-password given to it?
>>>> The only reason I'm using adcli at all is the preset-computer option
>>>> which I couldn't find an analogue to in 'net ads'.
>>> I have never tried this, but there is the 'createcomputer=OU' option:
>>> Precreate the computer account in a specific OU.
>>> The OU string read from top to bottom without RDNs
>>> and delimited by a '/'.
>>> E.g. "createcomputer=Computers/Servers/Unix"
>>> NB: A backslash '\' is used as escape at multiple
>>> levels and may need to be doubled or even
>>> quadrupled. It is not used as a separator.
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> So I have the computer precreated in the OU. Let's call this host
>> 'ruby'. I also pass 'machinepass' so that it can join itself later
>> (I think?). On 'ruby' I run 'net ads join', except it asks me for a
>> password still. If I try to run 'net ads join -U RUBY$%onetimepass
>> -v -d 5' it seems as if it tries to create the machine again, as in
>> the logs I get 'machine account creation failed', then 'failed to
>> precreate account in ou ....: Insufficient accesssigned SMB2
>> message'. Should I be specifying something else? The man page seems
>> to suggest that if the machine already exists, it'll use that
>> entry. Having 'net ads join' prompt me for a password is a no-go,
>> as it brings me right back to manually doing this all by hand.
> Also it kind of seems from the logs that running 'net ads join
> createcomputer=OU' is attempting to join the computer I'm running
> the command on again. The man page really isn't all that specific
> about it.
So testing around still being unsure how to have 'net' prep the
computer, I found
2010 where another user seems to be trying to accomplish a similar
task. Is net capable of setting the allowed joiner as mentioned in
In any case, I hit another roadblock: I create the computer in ADUC
allowing SELF to join, use 'net' to set the password since it seems
'net' still doesn't allow for no-password, then attempt to join with
'net ads join -U RUBY$%password'. It seems I'm back to the same
permissions problem I was running into with adcli though. It gets to
'machine account creation failed', then 'Host account for RUBY does
not have service principal names' and 'Failed to join domain: Failed
to set machine spn: Insufficient access'. So it looks like even though
the machine account has the permissions to join itself, it still can't
set its own SPN.
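Added example (not from this thread and not Samba's own code): a small POSIX shell helper that turns an OU's LDAP DN into the form the quoted man page text describes for createcomputer=, read top to bottom, without the RDN prefixes, delimited by '/'. It assumes the OU names contain no '/' or '\' characters (those would need the backslash escaping the man page mentions), and the DN used in the comments is constructed.

```shell
# Convert an OU's LDAP DN into net ads join's createcomputer= path form.
# Example (constructed): OU=Unix,OU=Servers,OU=Computers,DC=example,DC=com
# becomes Computers/Servers/Unix.
# Assumption: no OU name contains '/' or '\' (no escaping is applied).
ou_dn_to_createcomputer() {
  dn="$1"
  out=""
  # Split on commas only; disable globbing so '*' in a name is left alone.
  old_ifs=$IFS
  IFS=','
  set -f
  for rdn in $dn; do
    rdn=${rdn# }                 # tolerate "OU=a, OU=b" spacing
    case "$rdn" in
      [Oo][Uu]=*)
        name=${rdn#*=}
        # The DN lists the leaf first; prepend each parent so the
        # result reads top to bottom as createcomputer= expects.
        if [ -z "$out" ]; then
          out="$name"
        else
          out="$name/$out"
        fi
        ;;
      *) ;;                      # DC=, CN= and other RDNs are dropped
    esac
  done
  set +f
  IFS=$old_ifs
  printf '%s\n' "$out"
}

# Usage: build the option string for the join, e.g. in a provisioning script.
createcomputer_opt() {
  printf 'createcomputer=%s\n' "$(ou_dn_to_createcomputer "$1")"
}
```

Quote the whole -U argument (for example 'RUBY$%onetimepass') when passing it to net so the shell does not touch the '$' or '%'.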