Hi,

I hope it's not a stupid question, but I'm mainly a Linux admin, and I'm really looking at Samba because of winbind, but there's something I don't really understand....

People keep talking about computer accounts and joining the domain, but the guide I followed required "net ads join -k", which doesn't appear to require authentication, and so cannot have actually done anything on the domain, so I don't really understand what happens on the AD controller side, or if I need to somehow register with the domain, or if I can just authenticate anyway... and/or what net ads join -k did?

I hope someone can clarify this for me.

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
On Thu, 21 Sep 2017 18:01:08 +0000 "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> I hope it's not a stupid question, but I'm mainly a Linux admin, and
> I'm really looking at Samba because of winbind, but there's something
> I don't really understand....
>
> People keep talking about computer accounts and joining the domain,
> but the guide I followed required "net ads join -k", which doesn't
> appear to require authentication, and so cannot have actually done
> anything on the domain, so I don't really understand what happens on
> the AD controller side, or if I need to somehow register with the
> domain, or if I can just authenticate anyway... and/or what net ads
> join -k did?
>
> I hope someone can clarify this for me.

You need to authenticate to join a computer to an AD domain. You can do this with '-U username' or '-U username%password'; the only difference is that the first one will prompt for the password. If you don't provide a username, the logged-in user's name will be used. The 'username' must be a user with the correct rights to join a computer to the domain.

Using '-k' is a bit different: you can still use -U, but you don't need the password and will not be prompted for one. Whenever '-k' is used to join the domain, 'kinit' will need to have been run beforehand to obtain a Kerberos ticket. This can just be 'kinit', in which case a ticket will be obtained for the logged-in user, or 'kinit username', in which case the ticket will be obtained for 'username'.

HTH

Rowland
What I don't understand is that the Windows team here are really restrictive, and I have no administrative rights in the domain; however, I verified that I could authenticate with Kerberos, using kinit, and then "net ads join -k", and I am able to authenticate against the domain and gain access to idmap UID/GID mapping...

So, what I don't understand is what the join process does. If I am able to authenticate, having performed this "net ads join -k" dance, am I only configuring Samba? Because according to our Windows team, I have no rights in the domain to "join" a computer, and I thought that was required to authenticate!

James

September 21, 2017 8:08 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 21 Sep 2017 18:01:08 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I hope it's not a stupid question, but I'm mainly a Linux admin, and
>> I'm really looking at Samba because of winbind, but there's something
>> I don't really understand....
>>
>> People keep talking about computer accounts and joining the domain,
>> but the guide I followed required "net ads join -k", which doesn't
>> appear to require authentication, and so cannot have actually done
>> anything on the domain, so I don't really understand what happens on
>> the AD controller side, or if I need to somehow register with the
>> domain, or if I can just authenticate anyway... and/or what net ads
>> join -k did?
>>
>> I hope someone can clarify this for me.
>
> You need to authenticate to join a computer to an AD domain, you can
> do this with -U username or -U username%password, the only difference
> is that the first one will prompt for the password. If you don't
> provide a username, the logged in users name will be used. The
> 'username' must be a user with the correct rights to join a computer to
> the domain.
>
> Using '-k' is a bit different, you can still use -U but you don't need
> the password and will not be prompted for one. Whenever '-k' is used
> to join the domain, 'kinit' will need to have been run beforehand to
> obtain a kerberos ticket. This can just be 'kinit', in which a ticket
> will be obtained for the logged in user, or 'kinit username', in this
> instance, the ticket will be obtained for 'username'
>
> HTH
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
On Thu, 21 Sep 2017 19:30:29 +0000 "A. James Lewis" <james at fsck.co.uk> wrote:

> What I don't understand is that the Windows team here are really
> restrictive, and I have no administrative rights in the domain,
> however I verified that I could authenticate with kerberos, using
> kinit, and then "net ads join -k", and I am able to authenticate
> against the domain, and gain access to idmap UID/GID mapping...
>
> So, what I don't understand is what the join process does, if I am
> able to authenticate, having performed this "net ads join -k" dance,
> am I only configuring Samba?, because according to our Windows team,
> I have no rights in the domain to "join" a computer, and I thought
> that was required to authenticate!

They are not being that restrictive LOL

Unless changes are made, any AD user can join up to 10 computers to a Windows AD domain, as you have found out. If you are not running Samba as an AD DC, you are not joining the computer to Samba, you are joining it to AD.

Rowland
On Thu, 21 Sep 2017 22:06:10 +0100 "A. James Lewis" <james at fsck.co.uk> wrote:

> On 21/09/17 20:48, Rowland Penny via samba wrote:
> > On Thu, 21 Sep 2017 19:30:29 +0000
> > "A. James Lewis" <james at fsck.co.uk> wrote:
> >
> >> What I don't understand is that the Windows team here are really
> >> restrictive, and I have no administrative rights in the domain,
> >> however I verified that I could authenticate with kerberos, using
> >> kinit, and then "net ads join -k", and I am able to authenticate
> >> against the domain, and gain access to idmap UID/GID mapping...
> >>
> >> So, what I don't understand is what the join process does, if I am
> >> able to authenticate, having performed this "net ads join -k"
> >> dance, am I only configuring Samba?, because according to our
> >> Windows team, I have no rights in the domain to "join" a computer,
> >> and I thought that was required to authenticate!
> >>
> > They are not being that restrictive LOL
> >
> > Unless changes are made, any AD user can join up to 10 computers to
> > a Windows AD domain, as you have found out. If you are not running
> > Samba as an AD DC, you are not joining the computer to Samba, you
> > are joining it to AD.
> >
> > Rowland
>
> That's interesting, and TBH I might argue that that's worse. I feel
> they have denied me vital need-to-know information by telling me that
> I cannot do that, thus making me run around trying to find someone
> who would agree to join my test box to the domain, having them argue
> that I need to join it to their test domain which doesn't have any
> users in it, thus defeating the object of the exercise.... etc. etc.
>
> What determines this 10 machines, and is it ever reset?

I bet they don't know, so it is up to you if you want to tell them ;-)

Have a look here for more info:

https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/

Rowland
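The "10 machines" Rowland refers to is the domain's machine-account quota, and a Windows team that wants to know who has been using it can check from the DC side. The script below is an added example written for this thread, not code from the thread or from the Samba project; it assumes the ActiveDirectory RSAT module is installed and that it runs as a domain user with read access to the domain (no special rights are needed to read these attributes by default).

```powershell
# Added example: report the domain's machine-account quota and which accounts
# have used it to create computer objects. Not from the Samba thread.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The quota is stored on the domain naming-context head; the default is 10.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host ("ms-DS-MachineAccountQuota for {0}: {1}" -f $domain.DNSRoot, $quota)

# A computer created under the quota (rather than by an account with explicit
# "Create Computer objects" rights) records its creator's SID in mS-DS-CreatorSID.
$computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated

$byCreator = @{}
foreach ($c in $computers) {
    $raw = $c.'mS-DS-CreatorSID'
    if (-not $raw) { continue }   # created with delegated rights, not via the quota
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }   # creator account no longer resolves
    if (-not $byCreator.ContainsKey($creator)) { $byCreator[$creator] = @() }
    $byCreator[$creator] += $c
}

# Largest consumers first; anyone at or above the quota can join no more machines.
foreach ($entry in ($byCreator.GetEnumerator() | Sort-Object { $_.Value.Count } -Descending)) {
    $names = ($entry.Value | Sort-Object whenCreated | ForEach-Object Name) -join ', '
    $flag  = if ($entry.Value.Count -ge $quota) { ' (at quota)' } else { '' }
    Write-Host ("{0}: {1} computer(s){2}: {3}" -f $entry.Key, $entry.Value.Count, $flag, $names)
}
```

A Samba host joined with "net ads join -k" by an ordinary user, as in this thread, shows up in this report under that user's name; a machine joined by a delegated account usually does not, because mS-DS-CreatorSID is only set when the quota path is used.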
I use "net ads join -U <admin>%<password>" for joining the domain.

I then add the computer to the DNS with "samba-tool dns add <ad ip> <ad zone> <hostname> A <host ip> -U <admin> --password=<password>"

Hope this helps!

/Peter

On 21 Sep 2017 20:06, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> I hope it's not a stupid question, but I'm mainly a Linux admin, and I'm
> really looking at Samba because of winbind, but there's something I don't
> really understand....
>
> People keep talking about computer accounts and joining the domain, but
> the guide I followed required "net ads join -k", which doesn't appear to
> require authentication, and so cannot have actually done anything on the
> domain, so I don't really understand what happens on the AD controller
> side, or if I need to somehow register with the domain, or if I can just
> authenticate anyway... and/or what net ads join -k did?
>
> I hope someone can clarify this for me.
>
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."