[Samba] samba support of KB5020276 workaround

Francesco Malvezzi francesco.malvezzi at unimore.it
Wed Nov 6 12:37:22 UTC 2024


>> Hi everybody,
>> 
>> since a couple of years, user X can't join a computer to AD if the 
>> computer object has been created by user Y.
> 
> Why pre-create the computer object before the join ?

Hi Rowland,

in order to place it in the correct OU (unless I am mistaken. Is it 
possible to specify the target OU during the join? In my memory it was not.)

> The 'net ads join' command will create it for you and if you want it
> created in a different OU to the standard CN, then the
> 'createcomputer=OU' option will do it for you.

Yes, it's correct and it works. Some of the departments' local 
administrators are not Linux people and feel more at ease with ADUC [1].

> 
> Also, why are you letting normal users join computers ?

They are not normal users, they are members of some group delegated [2]. 
The problem arises in the few departments with more than a local admin: 
if Alice creates a machine in her OU on ADUC, Bob (an admin in the same 
OU) can't perform the join.

Thank you for asking!

Francesco

[1] Active Directory Users and Computers snap-in
[2] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain



