Rowland Penny
2021-Oct-25 15:53 UTC
[Samba] disable automatic creation of computer accounts
On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
> > Alter your script so that it does what it does now, plus joins the
> > machine and run it on the machine to be joined. Or you could script
> > around 'net ads join' and only attempt the join if the computer
> > already exists in AD.
>
> First part (new computer script) is already done and it runs
> supervised by some sysadmins.
>
> Second part (join domain) is done by some low profile assistants, and
> for security reasons we need that no one adds a machine by mistake or
> intentionally.

Ah, you never said that.

> In Samba 3 (NT4 PDC style) it was enough with modifying the "add machine
> script" parameter, but I've been testing different settings without
> success.

AD is very different.

> And I know it is a common policy in some environments:
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
>
> In that article they discuss the "Add workstations to domain" right.
> Can I enforce that via smb.conf or any other setting?

No, it is also not what you are asking, the computer would get added
without a computer object in AD.

You can 'delegate' join permissions, see here:
https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/

However, that is probably still not what you are asking for. What does
your original script actually do? Would it matter if the join created
the computer object in 'CN=Computers' again? Do you know that 'net ads
join' has a parameter '--createcomputer=OU'?

Rowland
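Rowland's "only attempt the join if the computer already exists in AD" idea, as a shell wrapper around 'net ads join'. This is an added example, not a script from the thread: the function names, the JOIN_USER variable and the sample 'net ads search' replies are my own constructions, and the check is only a client-side convenience; the real enforcement is the delegation of join rights in AD to an account that cannot create computer objects.

```shell
#!/bin/sh
# Added example (not from the thread): join only when a computer object
# for this host already exists in AD. Assumes the host can reach a DC and
# that JOIN_USER is an account with delegated join rights; the 'net'
# commands are only executed from precheck_join, never at top level.

# Build the LDAP filter for a host's computer account (sAMAccountName is HOST$).
computer_filter() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '(&(objectClass=computer)(sAMAccountName=%s$))' "$name"
}

# Return 0 when the search output contains an entry (a 'dn:' line), else 1.
has_computer_object() {
    printf '%s\n' "$1" | grep -q '^dn: '
}

# Look the host up with 'net ads search' and join only on a hit.
# The account's OU is wherever the sysadmins pre-created the object.
precheck_join() {
    host="$1"
    result=$(net ads search "$(computer_filter "$host")" dn 2>/dev/null) || result=""
    if has_computer_object "$result"; then
        net ads join -U "${JOIN_USER:?set JOIN_USER to the delegated account}"
    else
        echo "refusing to join: no computer object for $host in AD" >&2
        return 1
    fi
}

# Constructed sample replies, shaped like 'net ads search' output, for offline use.
SAMPLE_FOUND='Got 1 replies

dn: CN=WS01,OU=Workstations,DC=example,DC=com'
SAMPLE_NOT_FOUND='Got 0 replies'

# Offline demonstration of the decision logic on the constructed samples.
if has_computer_object "$SAMPLE_FOUND"; then echo "WS01: would join"; fi
if ! has_computer_object "$SAMPLE_NOT_FOUND"; then echo "WS99: would refuse"; fi
```

Run as "precheck_join $(hostname -s)" from the machine to be joined, with JOIN_USER set to the delegated account.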
Angel Bosch Mora
2021-Oct-26 09:41 UTC
[Samba] disable automatic creation of computer accounts
> However, that is probably still not what you are asking for. What does
> your original script actually do? Would it matter if the join created
> the computer object in 'CN=Computers' again? Do you know that 'net ads
> join' has a parameter '--createcomputer=OU'?

Yeah, I can work with different OUs if necessary.

As I see it there are 2 different steps here:
- Creating computer object
- Joining computer to AD

Can those be fine grained? I just want a way to fail joining if the computer isn't already created in the AD subtree.

abosch

--
Institut Mallorqui d'Afers Socials. This message, and any attached file if applicable, is addressed exclusively to the person who is its recipient and may contain confidential information. Under no circumstances may you copy this message or hand it over to third parties without the express permission of IMAS. If you are not the recipient indicated (or the person responsible for delivering it to them), please notify the sender immediately at their e-mail address. Before printing this message, consider whether it is really necessary.
Robert Marcano
2021-Oct-26 12:56 UTC
[Samba] disable automatic creation of computer accounts
On 10/25/21 11:53 AM, Rowland Penny via samba wrote:
> On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
>>> Alter your script so that it does what it does now, plus joins the
>>> machine and run it on the machine to be joined. Or you could script
>>> around 'net ads join' and only attempt the join if the computer
>>> already exists in AD.
>>
>> First part (new computer script) is already done and it runs
>> supervised by some sysadmins.
>>
>> Second part (join domain) is done by some low profile assistants, and
>> for security reasons we need that no one adds a machine by mistake or
>> intentionally.
>
> Ah, you never said that.
>
>> In Samba 3 (NT4 PDC style) it was enough with modifying the "add machine
>> script" parameter, but I've been testing different settings without
>> success.
>
> AD is very different.
>
>> And I know it is a common policy in some environments:
>> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
>>
>> In that article they discuss the "Add workstations to domain" right.
>> Can I enforce that via smb.conf or any other setting?
>
> No, it is also not what you are asking, the computer would get added
> without a computer object in AD.
>
> You can 'delegate' join permissions, see here:
> https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/
>
> However, that is probably still not what you are asking for. What does
> your original script actually do? Would it matter if the join created
> the computer object in 'CN=Computers' again? Do you know that 'net ads
> join' has a parameter '--createcomputer=OU'?
>
> Rowland

I think delegation is what you should be doing. Do all the wiki [1] page says but don't add the permission to create new Computer objects; that way the users that have the delegation active could only join machines named as previously created machines.

This needs that the users who join the machines must not be full administrators, and that is always the best security practice anyway.

[1] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain