net ads join fails with pre-created machine accounts


net ads join fails with pre-created machine accounts

Samba - General mailing list
Hi folks,

we have recently tried to join several FreeBSD machines to our forest where the machine accounts were pre-created by the core admin team. We did as root:

# kinit 'machine-name$'
# net ads join ...

Unfortunately, it failed with an error that several attributes cannot be set which are available to domain admins only. It ultimately means that one cannot use pre-created accounts. This is somewhat of a problem because getting a session with an admin to kinit via SSH and have the join done requires a lot of communication effort back and forth. It is way easier to have the account pre-created asynchronously and not to rely on the admin anymore. Moreover, I am quite certain that reset account is not supported for a domain member via 'net ads ...'.

This makes provisioning machines quite hard. Is there any reasonable workaround for now, or better in the works? Shall I file an issue for that?

We are using samba46-4.6.8 from the ports tree.

Best regards,

Michael


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: net ads join fails with pre-created machine accounts

Samba - General mailing list
On Mon, 6 Nov 2017 09:15:07 +0000
"Osipov, Michael via samba" <[hidden email]> wrote:

> Hi folks,
>
> we have recently tried to join several FreeBSD machines to our
> forest where the machine accounts were pre-created by the core admin
> team. We did as root:
>
> # kinit 'machine-name$'
> # net ads join ...
>
> Unfortunately, it failed with an error that several attributes cannot
> be set which are available to domain admins only. It ultimately means
> that one cannot use pre-created accounts. This is somewhat of a
> problem because getting a session with an admin to kinit via SSH and
> have the join done requires a lot of communication effort back and
> forth. It is way easier to have the account pre-created
> asynchronously and not to rely on the admin anymore. Moreover, I am
> quite certain that reset account is not supported for a domain member
> via 'net ads ...'.
>
> This makes provisioning machines quite hard. Is there any reasonable
> workaround for now, or better in the works? Shall I file an issue for
> that?
>
> We are using samba46-4.6.8 from the ports tree.
>
> Best regards,
>
> Michael
>
>

You could ask the 'core admin team' to delegate the join permission to
a user or group, instead of using the computer's ticket.

Rowland



Re: net ads join fails with pre-created machine accounts

Samba - General mailing list
> On Mon, 6 Nov 2017 09:15:07 +0000
> "Osipov, Michael via samba" <[hidden email]> wrote:
>
> > Hi folks,
> >
> > we have recently tried to join several FreeBSD machines to our
> > forest where the machine accounts were pre-created by the core admin
> > team. We did as root:
> >
> > # kinit 'machine-name$'
> > # net ads join ...
> >
> > Unfortunately, it failed with an error that several attributes cannot
> > be set which are available to domain admins only. It ultimately means
> > that one cannot use pre-created accounts. This is somewhat of a
> > problem because getting a session with an admin to kinit via SSH and
> > have the join done requires a lot of communication effort back and
> > forth. It is way easier to have the account pre-created
> > asynchronously and not to rely on the admin anymore. Moreover, I am
> > quite certain that reset account is not supported for a domain member
> > via 'net ads ...'.
> >
> > This makes provisioning machines quite hard. Is there any reasonable
> > workaround for now, or better in the works? Shall I file an issue for
> > that?
> >
> > We are using samba46-4.6.8 from the ports tree.
> >
> > Best regards,
> >
> > Michael
> >
> >
>
> You could ask the 'core admin team' to delegate the join permission to
> a user or group, instead of using the computer's ticket.

They actually do, but those people are limited per top-level OU as I am
confined to one OU only. This won't be any better. I'd like to avoid any
human admin interaction by requesting automated machine account creation
in the next step. If you consider that people get sick or leave for vacation,
you are out of luck.

Michael