[Samba] net ads status stripped output

Rowland Penny rpenny at samba.org
Thu Jun 4 08:08:01 UTC 2020

On 04/06/2020 08:48, Markus Lindberg wrote:
>>>> If you do not want to authenticate users and groups, why are you joining
>>>> the computers to AD ?
>>>> The whole idea behind AD is the centralisation of users and groups. If
>>>> you are using users and groups created locally on the computer (i.e.
>>>> they are not in AD), then you are not using AD even if the computer is
>>>> joined to AD.
>>>> I think you need to explain just what you are doing.
>>> We are joining the computers to the AD since we are using 802.1x
>>> combined with RADIUS to place computers in an AD group that is tied to a
>>> RADIUS group. This allows us to place computers in different VLANs
>>> based on the RADIUS group. When we join the computer to the AD it gets
>>> created in a specific container, then we do _some_ changes to the
>>> computer object, placing it into an AD group for example.
>> What then, there must be users and groups involved (there is at least
>> one user, the computer), where do they come from ?
> I think the computer account is created when I join the computers. This
> is the command I run when I join the computer to the AD.
> net ads join -k createcomputer=Admin/Staging/Client-Lnx createupn="host/`hostname -f`@EXAMPLE.COM" osName='Linux Client' osVer="$(echo -n $(lsb_release -s -i -c))"
> After that has been finished I'm able to run `net ads status` by
> authenticating "as the computer", like so.
> net ads status -P
> --
> Markus

Ah, I think I understand what you are doing now, but I think you must be 
running the command as root. If I run the command it just errors out 
'ERROR: Unable to open secrets database', but if I run it using sudo, I 
get a similar output as yours.

You are quite correct, '-P' means use the machine account and this is a 
very unprivileged user.

