[Samba] disable automatic creation of computer accounts
rpenny at samba.org
Mon Oct 25 15:53:32 UTC 2021
On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
> > Alter your script so that it does what it does now, plus joins the
> > machine and run it on the machine to be joined. Or you could script
> > around 'net ads join' and only attempt the join if the computer
> > already exists in AD.
> First part (new computer script) is already done and it runs
> supervised by some sysadmins.
> Second part (join domain) is done by some low profile assistants, and
> for security reasons we need that no one adds a machine by mistake or
Ah, you never said that.
> In Samba 3 (NT4 PDC style) it was enough with modifying "add machine
> script" parameter, but I've been testing different settings without
AD is very different.
> And I know it is a common policy in some environments:
> In that article they discuss "Add workstations to domain"
> Can I enforce that via smb.conf or any other setting?
No, it is also not what you are asking, the computer would get added
without a computer object in AD.
You can 'delegate' join permissions, see here:
However, that is probably still not what you are asking for. What does
your original script actually do? Would it matter if the join created
the computer object in 'CN=Computers' again? Do you know that 'net ads
join' has a parameter '--createcomputer=OU'?
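
One way to script around 'net ads join' so that the join is attempted only when the computer object already exists in AD, as suggested in the reply above. This is an added example, not code from the thread or from the Samba project; the function names, the NET_CMD override and the assumed 'attribute: value' output of 'net ads search' are assumptions of the example.

```shell
#!/bin/sh
# Added example: join only if the computer account was pre-created in AD.
# NET_CMD is overridable (an assumption of this example) so the logic can
# be exercised with a stub instead of a live domain.
NET_CMD="${NET_CMD:-net}"
LC_ALL=C; export LC_ALL

# Derive the sAMAccountName: short host name, upper-cased, trailing '$'.
# Only NetBIOS-safe characters pass, so nothing can alter the LDAP filter.
sam_account_name() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    case "$short" in
        ''|*[!A-Z0-9-]*) return 1 ;;
    esac
    [ "${#short}" -le 15 ] || return 1
    printf '%s$' "$short"
}

# Exit 0 if exactly one matching computer object exists, 1 if none (or
# several), 2 if the name is invalid or the directory query failed.
computer_exists() {
    sam=$(sam_account_name "$1") || return 2
    filter="(&(objectClass=computer)(sAMAccountName=$sam))"
    out=$("$NET_CMD" ads search "$filter" sAMAccountName -U "$2") || return 2
    # Assumption: results are printed one "attribute: value" pair per line.
    hits=$(printf '%s\n' "$out" | grep -Fxic "sAMAccountName: $sam" || true)
    [ "$hits" -eq 1 ]
}

# Join only when the account is already there; refuse otherwise.
guarded_join() {
    if computer_exists "$1" "$2"; then
        "$NET_CMD" ads join -U "$2"
    else
        rc=$?
        echo "refusing to join: no usable computer object for '$1' (code $rc)" >&2
        return 1
    fi
}

# Usage: guarded-join.sh <hostname> <join-user>
if [ "$#" -eq 2 ]; then guarded_join "$1" "$2"; fi
```

This is a client-side guard against mistakes only: a user whose credentials are allowed to create computer objects can still run 'net ads join' directly.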