[Samba] Minimum User Rights For "net ads join"
I have seen a number of cases where unix/linux administrators do not
have access to Windows Administrator rights to execute "net ads join".
Here is the result of testing that I have done to determine what the
minimum set of user rights is.

Case 1: Adding the object to the domain and joining the domain with
"net ads join"

In this case, an ordinary user (member of Domain Users) can add and
join by having an Administrator assign the user special rights to the
Computers container (or equivalent). This is done by:

1. Users and Computers MMC, Advanced Features View
2. Right click Computers container and select Properties
3. Choose Security tab, add a new user to the container
4. Click Advanced, select the new user, click Edit
5. Clear all rights, add back only "Create Computer Objects"
6. OK to exit out

The user can now add and join the computer object using
"net ads join -U username".

Case 2: Add object using "Users and Computers" MMC, join using
"net ads join"

This method is required when a custom schema is used and "net ads join"
cannot find the correct container to add the computer. Note that
sometimes the userAccountControl attribute will populate with a value
that denies krb5 authentication, and the attribute must be populated
manually.

1. Users and Computers MMC, Advanced Features View
2. Add the computer object using the MMC. Do not select "Windows 2000
   compatible".
3. Right click on the new computer object (note that this is different
   from the container in Case 1) and select Properties.
4. Click Advanced, then Add, and add the user to Security Settings.
5. Highlight the username, then select Edit.
6. Select "Full Control" - this will autoselect all Permissions.
7. Unselect those that we do not need: Full Control, Create All Child
   Objects, Delete All Child Objects, ... (all items through) Delete All
   Shared Folder Ob
8. OK to exit out.

The user can now join and modify the existing computer object using
"net ads join -U username".

Caveats:

1. "net ads leave -U username" does not work, even with Administrator.
2. Several other "net ads" commands do not work.
3. The ntSecurityDescriptor is not correctly processed (ldap.c accounts
   for this and adds the object anyway, and issues a warning).

JT - I have written a user's guide for this process. Let me know if you
would like to use it however you see fit.

Eric Roseme
Hewlett-Packard

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
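The Case 1 delegation above, done from PowerShell instead of the MMC, as an added example that is not part of the original post or of Samba. It grants a single user nothing but "Create Computer Objects" on the Computers container and then prints the resulting ACEs so you can confirm no wider right slipped in. The container DN, domain and user name are assumed placeholders; the script needs the ActiveDirectory module (RSAT) and an account allowed to change the container's ACL. "Create Computer Objects" in the MMC is the CreateChild right scoped to the schemaIDGUID of the computer class, which is what the script sets.

```powershell
# Added example (not from the original post). Delegate only "Create Computer
# Objects" on the Computers container to one unprivileged user, then verify.
Import-Module ActiveDirectory

$Container = "CN=Computers,DC=example,DC=com"   # assumption: default Computers container
$User      = "EXAMPLE\jdoe"                      # assumption: the account that will run net ads join

# schemaIDGUID of the AD "computer" class. CreateChild scoped to this GUID is what
# the Users and Computers MMC displays as "Create Computer Objects".
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# Resolve the user to a SID so the ACE is bound to the principal, not its name.
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Build one allow ACE: CreateChild, limited to computer objects, on this object only
# (no inheritance), matching step 5 of Case 1 where every other right is cleared.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $ComputerClassGuid,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$Container"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$Container" -AclObject $acl

# Verify: show only this user's ACEs on the container. The expected result is a
# single Allow entry with ActiveDirectoryRights = CreateChild and ObjectType equal
# to the computer class GUID. Anything broader (GenericAll, WriteDacl, an empty
# ObjectType meaning "all child classes") is more than the join needs.
Get-Acl -Path "AD:\$Container" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -eq $User } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize

# On the Samba host the delegated user then runs (outside PowerShell):
#   net ads join -U jdoe
# which creates the computer object in this container and sets its password.
```

The same ACE can be written with the built-in `dsacls` tool as `dsacls "CN=Computers,DC=example,DC=com" /G "EXAMPLE\jdoe:CC;computer"`, where `CC` is create-child and `computer` the object class. Whichever tool you use, re-read the ACL afterwards: the minimum-rights goal of the post is only met if the user's entry is the single CreateChild/computer ACE and not, for example, an inherited right from a wider group membership.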