"net rpc join" with "security = domain" regression

Andrew Bartlett abartlet at samba.org
Wed Mar 5 13:19:33 MST 2014


On Wed, 2014-03-05 at 14:13 +0100, Bjoern Baumbach wrote:
> On 03/04/2014 09:30 PM, Andrew Bartlett wrote:
> > Can you work out why 'make test' didn't pick this up?
> 
> The join fails on (for example) Windows Server 2008 R2 and Samba 4.0,
> but is working for a Samba 3 PDC NT domain.
> 
> So there should be a test that tries to join an *AD domain* using
> security=domain.

My view is we should not support that.  I would very much like to
understand the use case for this operation, because it seems like an
additional complexity we just don't need.  I do understand the use case
for 'winbindd rpc only', but why should security=domain ever be used
against an ADS DC?  

Ideally, we would eventually deprecate security=domain, and like Windows
clients, join the domain and check that the domain is AD, and if so
store that as an assertion in secrets.tdb.  My view is that the
confusing difference between 'security=domain' and 'security=ads' should
not be exposed to our users.  

> BTW: when I join the Samba 3 PDC I get those ugly questions before the
> join is done:
> No realm has been specified! Do you really want to join an Active
> Directory server?
> No realm has been specified! Do you really want to join an Active
> Directory server?
> Using short domain name -- NTDOM
> Joined 'BBTEST' to domain 'NTDOM'

We should detect that the domain is not AD, and not print such warnings.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



