[Samba] Domain join hardening changes, trusted user
Stefan Staeglich
staeglis at informatik.uni-freiburg.de
Mon May 19 13:39:41 UTC 2025
Hello,

we manage our Samba AD via an external IPAM/IDM (the AD is only one of several
backends) and use a system user to create, modify and delete the objects
including machine accounts in LDAP. All necessary rights are explicitly
delegated to this system user, who is not a member of the “Domain Admins”
group.

This has been causing problems when joining Windows machines for some time.
Previously, there was a workaround using registry keys, but this no longer
seems to work properly with the latest Windows 11.

With a Windows DC, this user could be configured as a “Trusted User” via GPO.
However, this GPO does not seem to be evaluated by Samba and we have not found
a corresponding smb.conf option.

Does the Samba community know if and how this can be implemented with Samba?

This is configured on the DC, but is evaluated by the client. Accordingly, my
assumption would be that some flag must be set, which can perhaps also be set
via ldbedit. Does anyone know more about this?

Best regards,
Stefan

https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8
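The situation Stefan describes (machine accounts pre-created by a delegated, non-admin system user, then refused by a hardened Windows client) can be audited ahead of time. The following is an added example, not code from the post or from the Samba project. It models the reuse rule that Microsoft's KB5020276 describes for the client side: an existing computer account is reused only when the joining user created or owns it, when the account was created by Domain Admins, when the joining user is a Domain Admin, or when the account's owner is on an administrator-configured allow list. The attribute name mS-DS-CreatorSID is the real AD attribute populated when a non-administrator creates an object; the SIDs, account names and the `ComputerAccount`/`JoiningUser`/`reuse_allowed`/`audit` names are constructed for the example. It does not say how or whether Samba exposes the allow list, which is the open question of the post.

```python
"""Audit pre-created machine accounts against the KB5020276 reuse rule.

Added example (not from the mailing-list post or from Samba). The rule
below is a model of the behaviour described in Microsoft's KB5020276;
all directory records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_ADMINS_SID = f"{DOMAIN_SID}-512"                     # well-known RID 512
DOMAIN_USERS_SID = f"{DOMAIN_SID}-513"                      # well-known RID 513


@dataclass
class ComputerAccount:
    """Subset of a computer object relevant to the reuse check."""
    name: str
    owner_sid: str                       # owner from the object's security descriptor
    creator_sid: Optional[str] = None    # mS-DS-CreatorSID; unset when an admin created it


@dataclass
class JoiningUser:
    """Identity performing the domain join on the client."""
    sid: str
    group_sids: Set[str] = field(default_factory=set)


def reuse_allowed(acct: ComputerAccount, user: JoiningUser,
                  trusted_owner_sids: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Return (allowed, reason) for reusing `acct` under the modelled KB5020276 rule."""
    if DOMAIN_ADMINS_SID in user.group_sids:
        return True, "joining user is a Domain Admin"
    if user.sid in (acct.owner_sid, acct.creator_sid):
        return True, "joining user created/owns the account"
    if acct.owner_sid == DOMAIN_ADMINS_SID:
        return True, "account was created by Domain Admins"
    if acct.owner_sid in trusted_owner_sids:
        return True, "account owner is on the trusted-owner allow list"
    return False, f"owner {acct.owner_sid} is neither the joining user nor trusted"


def audit(accounts: List[ComputerAccount], user: JoiningUser,
          trusted_owner_sids: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of accounts a hardened client would refuse to reuse for `user`."""
    return [a.name for a in accounts
            if not reuse_allowed(a, user, frozenset(trusted_owner_sids))[0]]


# Constructed sample: the IDM system user pre-creates accounts; a helpdesk
# technician (plain Domain User) later runs the join on the client.
IDM_SID = f"{DOMAIN_SID}-1105"
TECH_SID = f"{DOMAIN_SID}-1201"
SAMPLE_ACCOUNTS = [
    ComputerAccount("PC-IDM-01$", owner_sid=IDM_SID, creator_sid=IDM_SID),
    ComputerAccount("PC-TECH-02$", owner_sid=TECH_SID, creator_sid=TECH_SID),
    ComputerAccount("PC-ADMIN-03$", owner_sid=DOMAIN_ADMINS_SID),
]
TECHNICIAN = JoiningUser(TECH_SID, group_sids={DOMAIN_USERS_SID})

if __name__ == "__main__":
    print("refused, no allow list:   ", audit(SAMPLE_ACCOUNTS, TECHNICIAN))
    print("refused, IDM user trusted:", audit(SAMPLE_ACCOUNTS, TECHNICIAN, frozenset({IDM_SID})))
```

Running it shows that only the IDM-created account is refused for the technician, and that placing the IDM system user's SID on the allow list clears it; in a real directory the `owner_sid` and `creator_sid` values would be read from each computer object's security descriptor and mS-DS-CreatorSID attribute rather than constructed.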