[Samba] disable automatic creation of computer accounts

Robert Marcano robert at marcanoonline.com
Tue Oct 26 12:56:07 UTC 2021


On 10/25/21 11:53 AM, Rowland Penny via samba wrote:
> On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
>>> Alter your script so that it does what it does now, plus joins the
>>> machine and run it on the machine to be joined. Or you could script
>>> around 'net ads join' and only attempt the join if the computer
>>> already
>>> exists in AD.
>>>
>>
>> First part (new computer script) is already done and it runs
>> supervised by some sysadmins.
>>
>> Second part (join domain) is done by some low profile assistants, and
>> for security reasons we need that no one adds a machine by mistake or
>> intentionally.
> 
> Ah, you never said that.
> 
>>
>> In Samba 3 (NT4 PDC style) it was enough to modify the "add machine
>> script" parameter, but I've been testing different settings without
>> success.
> 
> AD is very different.
> 
>>
>>
>> And I know it is a common policy in some environments:
>> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
>>
>> In that article they discuss the "Add workstations to domain"
>> right.
>> Can I enforce that via smb.conf or any other setting?
> 
> No, it is also not what you are asking, the computer would get added
> without a computer object in AD.
> 
> You can 'delegate' join permissions, see here:
> https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/
> 
> However, that is probably still not what you are asking for. What does
> your original script actually do? Would it matter if the join created
> the computer object in 'CN=Computers' again? Do you know that 'net ads
> join' has a parameter '--createcomputer=OU'?
> 
> Rowland
> 

I think delegation is what should be done. Do all that the wiki [1] page 
says but don't add the permission to create new Computer objects; that 
way the users that had the delegation active could only join machines 
named as previously created machines.

This requires that the users who join the machines not be full 
administrators, and that is always the best security practice anyway.

[1] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain
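Added example, not from this thread or from the Samba wiki: the review step Robert describes, applied to an SDDL ACE list of the kind passed to 'samba-tool dsacl set --sddl='. It parses the ACEs and drops any that would let the delegated principal create Computer objects, leaving only the rights needed to join machines whose accounts already exist. The SID and the sample ACE list are constructed; the class and property GUIDs are the standard AD schema values.

```python
import re

# schemaIDGUID of the AD 'computer' class (standard schema constant)
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
DS_CREATE_CHILD = 0x1          # ADS_RIGHT_DS_CREATE_CHILD, for hex access masks
GENERIC_ALL = 0x10000000       # GA also implies CreateChild
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_aces(sddl):
    """Return the ACEs of an SDDL DACL string as (raw_text, fields) tuples."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %s" % m.group(0))
        aces.append((m.group(0), fields))
    return aces

def rights_include_create_child(rights):
    """True if an ACE access string grants CreateChild (CC, GA, or the 0x1 bit)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (DS_CREATE_CHILD | GENERIC_ALL))
    # Access strings are two-letter tokens; split them so "DCCR" is not read as "CC".
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"CC", "GA"})

def creates_computers(ace_fields):
    """True if an allow ACE lets the trustee create computer objects."""
    ace_type, _flags, rights, obj_guid, _inh_guid, _sid = ace_fields
    if ace_type not in ("A", "OA") or not rights_include_create_child(rights):
        return False
    # Empty object GUID means CreateChild of any class; otherwise only the named class.
    return obj_guid.lower() in ("", COMPUTER_CLASS_GUID)

def strip_create_computer(sddl):
    """Return the SDDL with every ACE that grants computer creation removed."""
    return "".join(raw for raw, fields in parse_aces(sddl) if not creates_computers(fields))

# Constructed sample delegation for a hypothetical group SID: create computers,
# reset the computer password, and write the Account Restrictions property set.
SAMPLE = ("(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
          "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)"
          "(OA;CIIO;WP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)")

if __name__ == "__main__":
    for raw, fields in parse_aces(SAMPLE):
        print(("DROP " if creates_computers(fields) else "keep ") + raw)
    print("join-only delegation:", strip_create_computer(SAMPLE))
```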
