[PATCH 1/2] Set os attribute and version during domain join
Matthew Geddes
musicalcarrion at gmail.com
Fri Mar 16 18:52:40 GMT 2007
Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matthew Geddes wrote:
>
>
>> At a quick glance, it looks as though this may be due to
>> ACLs set in Active Directory. There is a difference
>> between the ACLs on a Samba-created machine account and a
>> Windows XP-created machine account from what I've seen.
>> Windows XP-created accounts grant rights to the
>> user doing the join to update the properties in the
>> account, whereas Samba-created accounts don't.
>>
>> The only seemingly-relevant differences I see in captures between our
>> join and XP's is that we use an Info24 + an Info16 to set account
>> attributes (mainly the password), whereas XP just uses the Info25
>> (An info 21 + the password). I can't see anything in the Info21 that
>> looks like the account flags passed to
>> net_domain.c:rpccli_samr_create_dom_user (arg 6). Incidentally,
>> I have a patch I'm trying to get back to you guys that
>> fixes some problems with these flags.
>>
>
> Matthew, From what I've seen, the resulting permissions are
> exactly the same between the Samba machine object and XP.
> I've viewed the resulting ACLs in adsiedit.msc. Can you point
> me at how you are seeing the differences?
I usually use dsacls.exe (from the support tools or reskit). I'll go
back and check again.
....
I used adsiedit.msc and an account created by Windows XP Pro has the
same ACLs as a Debian host running Samba 3.0.23c except that the XP
account also lists a user called 'Domain T. Add
(domadd at dev2003.augment-it.com)', which is the user I created that
sports only SeMachineAccountPrivilege. I used the same account to join
the Debian machine to the domain (Windows 2003 Server DC, BTW).
domadd has the following permissions over that object:
Read
Allowed to Authenticate
Change Password
Receive As
Reset Password
Send As
Validated write to DNS host name
Validated write to service principal name
Read Account Restrictions
Write Account Restrictions
Read DNS Host Name Attributes
Read Personal Information
None of these appear to be enough to allow the changing of these
attributes (I'd expect it to be one of the "Write * Information"
permissions) though.
The permissions for SELF allow Read/Write Personal Information, so
perhaps binding to the LDAP tree using the machine account credentials
might work. If that's the case, perhaps moving your patch from the net
command to winbindd's startup code might work (and allow us to
dynamically update those records based on the output of things like
uname each time we start).
thx,
Matt
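One way to check the question raised above (whether the joining user or SELF actually holds a write right on operatingSystem / operatingSystemVersion for the computer object) is to read the object's ACL and resolve each attribute's schemaIDGUID and property-set GUID from the schema, rather than reading the rights list by eye in adsiedit.msc or dsacls.exe. This is an added PowerShell example, not code from this thread or from Samba. It assumes the RSAT ActiveDirectory module on a domain-joined host; DEBIANHOST and DOMAIN\domadd are placeholders for the joined machine and the account that performed the join.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
# DEBIANHOST and DOMAIN\domadd are placeholders; substitute the real names.
Import-Module ActiveDirectory

function Get-AttributeWriteGrants {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,   # sAMAccountName without the trailing $
        [Parameter(Mandatory)] [string[]] $Principals,     # e.g. 'DOMAIN\domadd', 'NT AUTHORITY\SELF'
        [string[]] $Attributes = @('operatingSystem', 'operatingSystemVersion')
    )

    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # Resolve each attribute to the GUIDs an ACE may name for it:
    # its own schemaIDGUID, and the property set it belongs to (attributeSecurityGUID,
    # which is how a right like "Write Personal Information" covers many attributes).
    $targets = @{}
    foreach ($name in $Attributes) {
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
                    -Properties schemaIDGUID, attributeSecurityGUID
        if (-not $attr) { throw "Attribute '$name' not found in the schema" }
        $guids = @([guid]$attr.schemaIDGUID)
        if ($attr.attributeSecurityGUID) { $guids += [guid]$attr.attributeSecurityGUID }
        $targets[$name] = $guids
    }

    # Map property-set and control-access GUIDs back to display names for readable output.
    $rightNames = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' `
        -Properties rightsGuid, displayName |
        ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

    $computer = Get-ADComputer -Identity $ComputerName
    # Get-Acl on the AD: drive returns explicit and inherited ACEs for the object.
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($name in $Attributes) {
        foreach ($who in $Principals) {
            # An ACE grants write on this attribute if it is an Allow ACE for the principal,
            # carries the WriteProperty bit (GenericWrite and GenericAll include it), and
            # either applies to all properties (empty ObjectType) or names the attribute
            # or its property set.
            $grants = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $who -and
                (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
                ($_.ObjectType -eq [guid]::Empty -or $targets[$name] -contains $_.ObjectType)
            })

            $via = if ($grants.Count -eq 0) { '(no write right)' }
                   else {
                       ($grants | ForEach-Object {
                           if ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
                           elseif ($rightNames.ContainsKey($_.ObjectType)) { $rightNames[$_.ObjectType] }
                           else { "attribute $name" }
                       } | Sort-Object -Unique) -join ', '
                   }

            [pscustomobject]@{
                Computer  = $ComputerName
                Attribute = $name
                Principal = $who
                CanWrite  = ($grants.Count -gt 0)
                GrantedVia = $via
            }
        }
    }
}

# Placeholders: the joined Samba host and the account that performed the join.
Get-AttributeWriteGrants -ComputerName 'DEBIANHOST' `
    -Principals @('DOMAIN\domadd', 'NT AUTHORITY\SELF') | Format-Table -AutoSize
```

A CanWrite of $true for 'NT AUTHORITY\SELF' but not for the joining user is the situation the message above speculates about: the post-join attribute update would have to bind with the machine account's own credentials rather than the joining user's. Validated writes (dNSHostName, servicePrincipalName) are deliberately not counted, because they are a separate Self right and do not cover the operatingSystem attributes.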