Rashid N. Achilov
2007-Feb-12 06:54 UTC
[Samba] Autogenerating of operatingSystem and operatingSystemVersion attributes in AD
When Samba joins AD, net creates a 'Computer' object in the target AD. The 'Computer' object has the attributes operatingSystem and operatingSystemVersion, which are automatically set to the proper values when native Windows joins AD. I offer a patch to utils/net_ads.c to do it in a similar way - set operatingSystem to "Samba" and operatingSystemVersion to the Samba version when Samba joins AD.

--- net_ads.c start here --- --- /tmp/net_ads.c Tue Nov 14 20:42:14 2006 +++ net_ads.c Wed Jan 3 19:44:05 2007 @@ -997,7 +997,6 @@ ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn); ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName); - status = ads_gen_mod(ads_s, new_dn, mods); done: 
@@ -1065,6 +1064,62 @@ } /******************************************************************* + Set a machines operatingSystem and operatingSystemVersion attributes + ********************************************************************/ + +static ADS_STATUS net_set_machine_opsystem(TALLOC_CTX *ctx, ADS_STRUCT *ads_s ) +{ + ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN); + char *new_dn; + ADS_MODLIST mods; + char *psp; + LDAPMessage *res = NULL; + char *dn_string = NULL; + const char *machine_name = global_myname(); + int count; + + if ( !machine_name ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* Find our DN */ + + status = ads_find_machine_acct(ads_s, (void **)(void *)&res, machine_name); + if (!ADS_ERR_OK(status)) + return status; + + if ( (count = ads_count_replies(ads_s, res)) != 1 ) { + DEBUG(1,("net_set_machine_opsystem: %d entries returned!\n", count)); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) { + DEBUG(1, ("net_set_machine_opsystem: ads_get_dn returned NULL (malloc failure?)\n")); + goto done; + } + + new_dn = talloc_strdup(ctx, dn_string); + ads_memfree(ads_s, dn_string); + + if (!new_dn) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "operatingSystem", "Samba"); + ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_OFFICIAL_STRING); + + status = ads_gen_mod(ads_s, new_dn, mods); + +done: + ads_msgfree(ads_s, res); + + return status; +} + +/******************************************************************* join a domain using ADS (LDAP mods) ********************************************************************/ 
@@ -1352,6 +1407,14 @@ DEBUG(1,("Error creating host keytab!\n")); } + /* create the operatingSystem and operatingSystemVersion values */ + + status = net_set_machine_opsystem( ctx, ads ); + if ( !ADS_ERR_OK(status) ) { + d_fprintf(stderr,"Cannot set operatingSystem or operatingSystemVersion\n"); + d_fprintf(stderr,"values, but you cat set it manually\n"); + } + d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm); SAFE_FREE(machine_account); --- net_ads.c ends here --- -- With Best Regards. Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A
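Review bot: The only removal in the @@ -997,7 +997,6 @@ hunk reads as `status = ads_gen_mod(ads_s, new_dn, mods);`, and without that call the dNSHostName and servicePrincipalName modifications built just above it are never sent to the server. Nothing in the patch description touches that code path, so this hunk should be dropped from the patch; if the removed line was only whitespace, it still does not belong in this change.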
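Review bot: Several failure paths in net_set_machine_opsystem(), added in the @@ -1065,6 +1064,62 @@ hunk, return the wrong result or leak the search result. Once ads_find_machine_acct() has succeeded, status holds success, so the `goto done` taken when ads_get_dn() or ads_init_mods() fails returns success without modifying anything; set status to an error before each jump. The `count != 1` and `!new_dn` branches return directly and skip ads_msgfree(ads_s, res); route them through done: as well, and use a code that describes the lookup failure rather than LDAP_NO_MEMORY for the unexpected-count case. `char *psp;` is declared but never used and can be removed.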
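Review bot: The failure message added in the @@ -1352,6 +1407,14 @@ hunk has a typo, "you cat set it manually" should read "you can set them manually", and it discards the reason held in status. Since the failure is treated as non-fatal and the join continues, print the error text as well (ads_errstr(status)) so an administrator can tell a permissions failure from a connectivity problem.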
Gerald (Jerry) Carter
2007-Feb-12 13:10 UTC
[Samba] Autogenerating of operatingSystem and operatingSystemVersion attributes in AD
Rashid,

> When Samba joins to AD, net creates 'Computer' object in
> target AD. Object 'Computer' has attributes operatingSystem
> and operatingSystemVersion, which automatically setup
> in properly value, when native Windows join to AD.
> I offer a patch to utils/net_ads.c to do similar way -
> set up operatingSystem to "Samba" and operatingSystemVersion
> to Samba version, when Samba joins AD

The problem with this patch and the reason we don't set these attributes any more is that you cannot be guaranteed to have permission unless you are a domain admin. If you can find a way to do this via RPC, that would probably be a better solution.

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Gerald (Jerry) Carter
2007-Feb-12 14:12 UTC
[Samba] Autogenerating of operatingSystem and operatingSystemVersion attributes in AD
Jim McDonough wrote:

> At some point in the past (probably 3 years now) I
> found that even when we set these attributes, at some
> point, AD would decide to overwrite them. I never got
> down to the root cause of the behavior, but it seemed
> at the time like anything it didn't recognize would
> eventually be reset.

Sounds plausible. My tests show the DC filling them in on behalf of Windows clients so there is something going on under the covers.

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
simo
2007-Feb-12 15:08 UTC
[Samba] Autogenerating of operatingSystem and operatingSystemVersion attributes in AD
On Mon, 2007-02-12 at 09:03 -0500, Jim McDonough wrote:

> On 2/12/07, Gerald (Jerry) Carter <jerry@samba.org> wrote:
> > I really have fought this type of behavior because it
> > is inconsistent. I'd rather find another way to set the
> > OS attributes.
> At some point in the past (probably 3 years now) I found that even
> when we set these attributes, at some point, AD would decide to
> overwrite them. I never got down to the root cause of the behavior,
> but it seemed at the time like anything it didn't recognize would
> eventually be reset.

I am sure this is not the case, I've seen *different* clients do that and the arbitrary change sticks. I guess you have to do these mods after the account is settled down, maybe you can even try to update these fields using the machine account password? Never checked the permission on those attributes, but it might be interesting.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org