Rowland Penny
2018-Feb-06 19:24 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
On Tue, 06 Feb 2018 14:09:08 -0500 Dan Oriani via samba <samba at lists.samba.org> wrote:

> I'm not opposed to the idea. Does 'net ads join' support supplying
> the machine name as the user, and the one-time-password given to it?
> The only reason I'm using adcli at all is the preset-computer option
> which I couldn't find an analogue to in 'net ads'.

I have never tried this, but there is the 'createcomputer=OU' option:

    Precreate the computer account in a specific OU.
    The OU string read from top to bottom without RDNs
    and delimited by a '/'.
    E.g. "createcomputer=Computers/Servers/Unix"
    NB: A backslash '\' is used as escape at multiple
    levels and may need to be doubled or even
    quadrupled. It is not used as a separator.

Rowland
Dan Oriani
2018-Feb-06 20:36 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Quoting Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 06 Feb 2018 14:09:08 -0500
> Dan Oriani via samba <samba at lists.samba.org> wrote:
>
>> I'm not opposed to the idea. Does 'net ads join' support supplying
>> the machine name as the user, and the one-time-password given to it?
>> The only reason I'm using adcli at all is the preset-computer option
>> which I couldn't find an analogue to in 'net ads'.
>
> I have never tried this, but there is the 'createcomputer=OU' option:
>
>     Precreate the computer account in a specific OU.
>     The OU string read from top to bottom without RDNs
>     and delimited by a '/'.
>     E.g. "createcomputer=Computers/Servers/Unix"
>     NB: A backslash '\' is used as escape at multiple
>     levels and may need to be doubled or even
>     quadrupled. It is not used as a separator.
>
> Rowland

So I have the computer precreated in the OU. Let's call this host 'ruby'. I also pass 'machinepass' so that it can join itself later (I think?). On 'ruby' I run 'net ads join', except it asks me for a password still. If I try to run 'net ads join -U RUBY$%onetimepass -v -d 5' it seems as if it tries to create the machine again, as in the logs I get 'machine account creation failed', then 'failed to precreate account in ou ....: Insufficient accesssigned SMB2 message'. Should I be specifying something else? The man page seems to suggest that if the machine already exists, it'll use that entry. Having 'net ads join' prompt me for a password is a no-go, as it brings me right back to manually doing this all by hand.
Dan Oriani
2018-Feb-06 20:41 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Quoting Dan Oriani via samba <samba at lists.samba.org>:

> Quoting Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Tue, 06 Feb 2018 14:09:08 -0500
>> Dan Oriani via samba <samba at lists.samba.org> wrote:
>>
>>> I'm not opposed to the idea. Does 'net ads join' support supplying
>>> the machine name as the user, and the one-time-password given to it?
>>> The only reason I'm using adcli at all is the preset-computer option
>>> which I couldn't find an analogue to in 'net ads'.
>>
>> I have never tried this, but there is the 'createcomputer=OU' option:
>>
>>     Precreate the computer account in a specific OU.
>>     The OU string read from top to bottom without RDNs
>>     and delimited by a '/'.
>>     E.g. "createcomputer=Computers/Servers/Unix"
>>     NB: A backslash '\' is used as escape at multiple
>>     levels and may need to be doubled or even
>>     quadrupled. It is not used as a separator.
>>
>> Rowland
>
> So I have the computer precreated in the OU. Let's call this host
> 'ruby'. I also pass 'machinepass' so that it can join itself later
> (I think?). On 'ruby' I run 'net ads join', except it asks me for a
> password still. If I try to run 'net ads join -U RUBY$%onetimepass
> -v -d 5' it seems as if it tries to create the machine again, as in
> the logs I get 'machine account creation failed', then 'failed to
> precreate account in ou ....: Insufficient accesssigned SMB2
> message'. Should I be specifying something else? The man page seems
> to suggest that if the machine already exists, it'll use that entry.
> Having 'net ads join' prompt me for a password is a no-go, as it
> brings me right back to manually doing this all by hand.

Also it kind of seems from the logs that running 'net ads join createcomputer=OU' is attempting to join the computer I'm running the command on again. The man page really isn't all that specific about it.