Draft #4: Re: [patch] net ads join rework
Gerald (Jerry) Carter
jerry at samba.org
Fri May 12 04:55:07 GMT 2006
Gerald (Jerry) Carter wrote:
> Just found this:
>
> http://support.microsoft.com/kb/326985
>
> Note that you do not have to register all services.
> Many service types, such as HTTP, W3SVC, WWW, RPC,
> CIFS (file access), WINS, and uninterruptible power
> supply (UPS), will map to a default service type named
> HOST. For example, if your client software uses an SPN
> of HTTP/webserver1.microsoft.com to perform an HTTP connection
> to the Web server on the webserver1.microsoft.com server,
> but this SPN is not registered on the server, the Windows
> 2000 domain controller will automatically map it to
> HOST/webserver1.microsoft.com. This mapping applies only
> if the Web service is running under the local System account.
New patch and more findings. This version does create the
dNSHostName and servicePrincipalName attributes just like
Windows 2k/xp does. The interesting part is this code:
/* Attributes the machine account can write on its own object using
   machine credentials: the host's FQDN and its SPN list. */
ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn);
ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
#if 0
/* Disabled: these modifications are rejected when made with machine
   credentials (see the discussion below). */
ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING);
ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
#endif
/* Apply the accumulated modification list to the new computer object. */
status = ads_gen_mod(ads_s, new_dn, mods);
The ifdef'd out code represents attributes that cannot be set
using the machine creds. Apparently you can only set the
hostname and SPN values. There are two which are a problem.
a) userPrincipalName -- needed for 'kinit -k' when using a
keytab
b) userAccountControl -- need to set the DES_ONLY flag on
systems without support for RC4-HMAC.
But the problem is that these can only be set via LDAP as
far as I know. If this is the case, then a non-Domain Admin
would not be able to create them in any case.
With the current revision of the patch, we require the same
permissions as a Windows box to join a domain and set the same
SPNs.
I would like to check this into the SAMBA_3_0 tree at this
point and continue to work on the remaining issues. Any
objections or comments?
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
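The following is an added, constructed illustration written for this archive page; it is not code from the patch, from Samba, or from the KB article quoted above. It models two things the message discusses: the SPN list a freshly joined machine registers (HOST/<short name> and HOST/<fqdn>, mirroring what the patch writes into servicePrincipalName), and the KB 326985 rule that an unregistered SPN for one of the "default" service types (HTTP, CIFS, and so on) is mapped to HOST/<name>. The host names are made up, and the handling of a port suffix in the HOST fallback is an assumption, since the KB text does not address it. Nothing here contacts a directory or a KDC.

```python
"""Constructed model of join-time SPN registration and the HOST fallback.

Everything here is illustrative; host names are invented and no LDAP
server or KDC is involved.
"""
from typing import List, Optional, Set, Tuple

# Service classes that KB 326985 lists as mapping to HOST when no
# explicit SPN of that class is registered on the account.
DEFAULT_TO_HOST = {"HTTP", "W3SVC", "WWW", "RPC", "CIFS", "WINS", "UPS"}


def join_spns(netbios_name: str, fqdn: str) -> List[str]:
    """SPNs a joining machine writes into its servicePrincipalName.

    Windows (and the patch discussed above) registers the HOST class
    for both the short NetBIOS name and the DNS FQDN.
    """
    return [f"HOST/{netbios_name.upper()}", f"HOST/{fqdn.lower()}"]


def split_spn(spn: str) -> Tuple[str, str, Optional[str]]:
    """Split 'class/host[:port][/instance]' into its three parts."""
    service_class, _, remainder = spn.partition("/")
    host, _, instance = remainder.partition("/")
    return service_class, host, instance or None


def resolve_spn(requested: str, registered: Set[str]) -> Optional[str]:
    """Return the registered SPN that would satisfy `requested`.

    An exact (case-insensitive) match wins.  Otherwise, if the service
    class is one of the default types, the KDC falls back to
    HOST/<host>.  Any other miss yields None, which is the case where
    a client would see an unknown-principal error.
    """
    registered_lc = {s.lower() for s in registered}
    if requested.lower() in registered_lc:
        return requested

    service_class, host, _ = split_spn(requested)
    if service_class.upper() in DEFAULT_TO_HOST:
        # Assumption: a port suffix is ignored for the HOST fallback.
        bare_host = host.split(":", 1)[0]
        candidate = f"HOST/{bare_host}"
        if candidate.lower() in registered_lc:
            return candidate
    return None


if __name__ == "__main__":
    spns = set(join_spns("webserver1", "webserver1.example.com"))
    for req in ("HTTP/webserver1.example.com",
                "MSSQLSvc/webserver1.example.com:1433",
                "HTTP/other.example.com"):
        print(f"{req:45} -> {resolve_spn(req, spns)}")
```

Run as a script it prints which of three constructed requests the account's two HOST SPNs would satisfy. The point for anyone reviewing a join: only HOST SPNs are written with machine credentials, so a service running under a non-System account, or one whose class is not in the default set, needs its SPN registered separately by someone with rights to write servicePrincipalName.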
Attachments:
- stats.log (text/x-log, 741 bytes): http://lists.samba.org/archive/samba-technical/attachments/20060511/778677ff/stats-0001.bin
- net_ads_join_v4.patch (text/x-patch, 79452 bytes): http://lists.samba.org/archive/samba-technical/attachments/20060511/778677ff/net_ads_join_v4-0001.bin