[Samba] Running off pre-created keytabs
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 11 14:44:31 UTC 2019
> >>> Samba AD is very much a work in progress and gets major updates
> >>> regularly, but these updates rely on people saying 'this does not
> >>> work'. If people don't tell us what doesn't work and provide data
> >>> (logs, error messages etc) to back this up, they will never
> >> get fixed.
> >> We are not talking about Samba AD. We are talking about
> >> Windows AD and Samba domain member servers.
> > So, you still need Admin rights... Samba or or MS AD or
> Novell DS, does not matter..
> > All need Admin right before you can join without admin rights.
> > Simple as that, if not... Then you have a big security hole.
> The Windows AD admin needs admin rights on the Windows AD
> server to add a machine account. In our case the Windows
> domain member admin only needs *local* admin rights to a) add
> the registry key and b) run the script. The Windows domain
> member admin does *not* need admin rights on the Windows AD server.
> It would be nice if we could say the same for a Windows AD
> server and a Samba domain member server.
> That's the whole thing: you *can* join a Windows domain server to the domain,
> without the need for the Windows domain member server admin to have admin rights on the AD.
> You cannot join a Samba domain member server in the same fashion.
Well, can you provide a log level 10 of such attempt? And put it in bugzilla?
That would help in getting this fixed.
Not that i would support it, its a leak imo.
And its confusing for others since it only works for windows server as "Member" and not computers, and you can only add 10 by default.
For computers, you still need to
Assign rights to the user/group using the Default Domain Group policy.
Delegate rights to user using Active Directory Users and Computers.
But im not here for starting a discussion...
So have a nice weekend everybody, im out early today.
More information about the samba