Robert Marcano
2021-Oct-26 12:56 UTC
[Samba] disable automatic creation of computer accounts
On 10/25/21 11:53 AM, Rowland Penny via samba wrote:
> On Mon, 2021-10-25 at 15:00 +0200, Angel Bosch Mora wrote:
>>> Alter your script so that it does what it does now, plus joins the
>>> machine and run it on the machine to be joined. Or you could script
>>> around 'net ads join' and only attempt the join if the computer
>>> already exists in AD.
>>
>> First part (new computer script) is already done and it runs
>> supervised by some sysadmins.
>>
>> Second part (join domain) is done by some low profile assistants, and
>> for security reasons we need that no one adds a machine by mistake or
>> intentionally.
>
> Ah, you never said that.
>
>> In Samba 3 (NT4 PDC style) it was enough with modifying "add machine
>> script" parameter, but I've been testing different settings without
>> success.
>
> AD is very different.
>
>> And I know it is a common policy in some environments:
>> https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS
>>
>> In that article they discuss the "Add workstations to domain" right.
>> Can I enforce that via smb.conf or any other setting?
>
> No, it is also not what you are asking, the computer would get added
> without a computer object in AD.
>
> You can 'delegate' join permissions, see here:
> https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/
>
> However, that is probably still not what you are asking for. What does
> your original script actually do ? Would it matter if the join created
> the computer object in 'CN=Computers' again ? Do you know that 'net ads
> join' has a parameter '--createcomputer=OU' ?
>
> Rowland

I think delegation is what should be doing. Do all the wiki [1] page says but don't add the permission to create new Computer objects, that way the users that had the delegation active could only join machines named as previously created machines.
This needs that users that join the machines must not be full administrators, and that is always the best security practice anyway.

[1] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain
Angel Bosch Mora
2021-Oct-26 14:07 UTC
[Samba] disable automatic creation of computer accounts
> I think delegation is what should be doing. Do all the wiki [1] page
> says but don't add the permission to create new Computer objects, that
> way the users that had the delegation active could only join machines
> named as previously created machines.
>
> This needs that users that join the machines must not be full
> administrators, and that is always the best security practice anyway.
>
> [1] https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain

That is exactly what I was looking for.

Thanks a lot Robert, I'll do some tests and will give an update.

abosch

--
Institut Mallorqui d'Afers Socials. This message, and any attached file where applicable, is addressed exclusively to its intended recipient and may contain confidential information. In no case should you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the intended recipient indicated (or the person responsible for delivering it to them), please notify the sender's e-mail address immediately. Before printing this message, consider whether it is really necessary.
Angel Bosch Mora
2021-Nov-04 11:45 UTC
[Samba] disable automatic creation of computer accounts
> that is exactly what I was looking for.
>
> thanks a lot Robert, I'll do some tests and will give an update.

It works! In fact it was a lot easier than expected. I'll leave a little guide just in case someone needs to achieve the same behaviour.

- Disable Computers container: Contrary to what most docs say, you don't need the ADSI edit tool (adsiedit.msc) to manage this. Just open ADUC and select properties from right click on Computers, then go to Security and remove everything. I just left Domain Admins in read mode because I found somewhere that it is better to NOT remove default containers for backwards compatibility. I had to remove inheritance in advanced options to delete all users and groups except Domain Admins.

- Create own OUs: I created my custom structure with 'samba-tool ou create'. ex:

    samba-tool ou create "OU=company,DC=myad,DC=example,DC=net"
    samba-tool ou create "OU=machines,OU=company,DC=myad,DC=example,DC=net"

- Disable creation on custom OUs: by default Domain Admins (and other top level groups) are added to new OUs, so I just disabled "Create secondary objects" from the Security tab on the OU properties.

- Create domain user: create a user and add it to Domain Admins. ex:

    samba-tool user create myadmin01 SuperPA55

- Test join: Now there's no way any user, even admins, can create a computer account when joining the domain. Test it now to check for any mistakes.

- Create computer account: use your scripts/interface to manually create a new computer account in your predefined OU. ex:

    samba-tool computer create "testmachine01" --computerou="OU=machines,OU=company"

  (remember to strip the root DN from computerou)

- Join domain: Use the GUI to join the domain or use something like this (one-liner):

    powershell -Command "& { $cred = New-Object System.Management.Automation.PsCredential('myad\\myadmin01', (ConvertTo-SecureString 'SuperPA55' -AsPlainText -Force)) ; Add-Computer -DomainName 'myad' -Credential $cred -Verbose -restart -force ;}"

  If everything goes right the machine should restart and you'll see new login options.

Some details:

About DNS, I know all clients are expected to have the DC as their primary DNS, but I would like to use my own PowerDNS+LDAP solution for this. I think I'll create another thread for this but only if it's feasible. Any hints?

About ACLs: I tried to manage security (ACL) with samba-tool... HOLY PITIFUL MOTHER AND THE SEVEN UNBORN GODS FROM RAINBOW DIMENSION!! I swear I tried to read some docs but I truly give up. Usually you don't need to change this so I'll just do it with ADUC and forget about it. Go, go and try to execute 'samba-tool dsacl get' and convince me you understand it and you use it on a daily basis to manage ACLs. I dare you. :P

Thanks to everyone for your time,

abosch
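The DC-side steps of the guide above (create the OU tree, pre-create the computer accounts, and check that a name exists before anyone runs the join) can be scripted so that the only way a machine ends up in the domain is through a sysadmin-reviewed account list. The POSIX sh script below is an added example, not code from the thread or from the Samba project. It reuses the domain DN, OU names and samba-tool commands quoted in the guide; the machine list, the DRY_RUN and RUN_PROVISION variables and the function names are assumptions made for this example. It uses 'samba-tool computer show' (which exits non-zero for an unknown computer name) as the pre-join check.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the DC-side steps of the guide:
# create the OU tree, pre-create computer accounts there, and offer a check that
# a machine name already exists before anyone runs the join. The samba-tool
# commands are executed only when DRY_RUN=0; by default they are printed so the
# plan can be reviewed first.

BASE_DN="DC=myad,DC=example,DC=net"              # domain DN used in the thread
MACHINES_OU="OU=machines,OU=company,${BASE_DN}"  # OU used in the thread
MACHINES="testmachine01 testmachine02"           # constructed list of names to pre-create
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = execute on the DC

# 'samba-tool computer create --computerou' wants the OU relative to the base DN
# (the "strip root dn" caveat in the guide). $1 = full DN, $2 = base DN.
strip_root_dn() {
    case "$1" in
        "$2")    printf '\n' ;;                   # the base itself: empty relative DN
        *",$2")  printf '%s\n' "${1%",$2"}" ;;    # drop the ",<base>" suffix
        *)       printf '%s\n' "$1" ;;            # already relative: unchanged
    esac
}

# Print or run a command depending on DRY_RUN.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps "Create own OUs" and "Create computer account" of the guide.
# Note: 'samba-tool ou create' fails if the OU already exists, so this is a
# first-time provisioning step, not an idempotent one.
provision() {
    rel_ou=$(strip_root_dn "$MACHINES_OU" "$BASE_DN")
    run_cmd samba-tool ou create "OU=company,${BASE_DN}"
    run_cmd samba-tool ou create "$MACHINES_OU"
    for m in $MACHINES; do
        run_cmd samba-tool computer create "$m" --computerou="$rel_ou"
    done
}

# Pre-join check for whoever runs the join: succeeds only if the account was
# pre-created, which is exactly the condition the thread wants enforced.
computer_precreated() {
    samba-tool computer show "$1" >/dev/null 2>&1
}

# Only provision when explicitly asked, so the file can also be sourced for
# computer_precreated alone.
if [ "${RUN_PROVISION:-0}" = "1" ]; then
    provision
fi
```

Run it on the DC as a domain admin with `RUN_PROVISION=1 DRY_RUN=0 sh provision.sh` once the printed plan looks right; `computer_precreated testmachine01 && echo ok` is the check to run before handing a machine to the people who do the join. Removing the "Create" permission on the Computers container and on the custom OU is still done in ADUC as the guide describes; this script only covers the samba-tool steps.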