Osipov, Michael
2017-Nov-06  09:15 UTC
[Samba] net ads join fails with pre-created machine accounts
Hi folks,

we have recently tried to join several FreeBSD machines to your forest where the machine accounts were pre-created by the core admin team. We did as root:

  # kinit 'machine-name$'
  # net ads join ...

Unfortunately, it failed with an error that several attributes cannot be set which are available to domain admins only. It ultimately means that one cannot use pre-created accounts. This is somewhat of a problem because getting a session with an admin to kinit via SSH and have the join done requires a lot of communication effort back and forth. It is way easier to have the account pre-created asynchronously and not to rely on the admin anymore. Moreover, I am quite certain that reset account is not supported for a domain member via 'net ads ...'.

This makes provisioning machines quite hard. Is there any reasonable workaround for now, or better in the works? Shall I file an issue for that?

We are using samba46-4.6.8 from the ports tree.

Best regards,

Michael
Rowland Penny
2017-Nov-06  10:47 UTC
[Samba] net ads join fails with pre-created machine accounts
On Mon, 6 Nov 2017 09:15:07 +0000
"Osipov, Michael via samba" <samba at lists.samba.org> wrote:

> Hi folks,
>
> we have recently tried to join several FreeBSD machines to your
> forest where the machine accounts where pre-created by the core admin
> team. We did as root:
>
> # kinit 'machine-name$'
> # net ads join ...
>
> Unfortunately, it failed with an error that several attributes cannot
> be set which are available to domain admins only. It ultimately means
> that one cannot use pre-created accounts. This is somewhat of a
> problem because getting a session with an admin to kinit via SSH and
> have the join done requires a lot of communication effort back and
> forth. It is way easier to have the account pre-created
> asynchronously and not to rely on the admin anymore. Moreover, I am
> quite certain that reset account is not supported for a domain member
> via 'net ads ...'.
>
> This makes provisions machines quite hard. Is there any reasonable
> workaround for now, or better in the works? Shall I file an issue for
> that?
>
> We are using samba46-4.6.8 from the ports tree.
>
> Best regards,
>
> Michael
>

You could ask the 'core admin team' to delegate the join permission to a user or group, instead of using the computer's ticket.

Rowland
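The delegated-account join Rowland suggests, written out as an added shell example that is not part of the thread: it refuses to proceed when handed a computer principal (the case the original post found cannot complete the join), obtains a ticket for a delegated user, joins with that ticket via 'net ads join -k', optionally placing the account in a given OU with 'createcomputer=', and verifies the result with 'net ads testjoin'. The principal, realm and OU values are placeholders, and the script assumes smb.conf already carries the realm/workgroup settings that 'net ads' reads.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself.
# Assumption: the AD admins have delegated create/join-computer rights on the
# target OU to the user (or a group containing the user) named in $1.
# Placeholders: joinuser@EXAMPLE.COM, Servers/FreeBSD.

# Return 0 if the principal is a computer account (name part ends in '$').
# A computer's own ticket lacks the rights needed to finish the join, so the
# script refuses it up front instead of failing halfway through.
is_machine_principal() {
    case "${1%%@*}" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# Join using an existing Kerberos ticket for a delegated user.
#   $1  principal to kinit as, e.g. joinuser@EXAMPLE.COM (placeholder)
#   $2  optional OU path relative to the domain root, e.g. Servers/FreeBSD
join_with_delegated_account() {
    principal="$1"
    ou="$2"

    if is_machine_principal "$principal"; then
        echo "refusing: $principal is a computer account; use a delegated user" >&2
        return 2
    fi

    # Interactive kinit; a keytab with -k -t could replace this for unattended runs.
    kinit "$principal" || return 1

    # -k: authenticate with the ticket just obtained rather than a password.
    if [ -n "$ou" ]; then
        net ads join -k "createcomputer=$ou" || { kdestroy; return 1; }
    else
        net ads join -k || { kdestroy; return 1; }
    fi

    # Verify the machine account and keytab actually work before reporting success.
    net ads testjoin || { kdestroy; return 1; }

    # Drop the delegated user's ticket; the host now has its own credentials.
    kdestroy
}

# Only act when invoked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    join_with_delegated_account "$2" "$3"
fi
```

Run as root with `sh join.sh --run joinuser@EXAMPLE.COM Servers/FreeBSD`; leave the third argument off to let 'net ads join' use the default Computers container.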
Osipov, Michael
2017-Nov-06  11:49 UTC
[Samba] net ads join fails with pre-created machine accounts
> On Mon, 6 Nov 2017 09:15:07 +0000
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>
> > Hi folks,
> >
> > we have recently tried to join several FreeBSD machines to your
> > forest where the machine accounts where pre-created by the core admin
> > team. We did as root:
> >
> > # kinit 'machine-name$'
> > # net ads join ...
> >
> > Unfortunately, it failed with an error that several attributes cannot
> > be set which are available to domain admins only. It ultimately means
> > that one cannot use pre-created accounts. This is somewhat of a
> > problem because getting a session with an admin to kinit via SSH and
> > have the join done requires a lot of communication effort back and
> > forth. It is way easier to have the account pre-created
> > asynchronously and not to rely on the admin anymore. Moreover, I am
> > quite certain that reset account is not supported for a domain member
> > via 'net ads ...'.
> >
> > This makes provisions machines quite hard. Is there any reasonable
> > workaround for now, or better in the works? Shall I file an issue for
> > that?
> >
> > We are using samba46-4.6.8 from the ports tree.
> >
> > Best regards,
> >
> > Michael
> >
>
> You could ask the 'core admin team' to delegate the join permission to
> a user or group, instead of using the computers ticket.

They actually do, but those people are limited per top-level OU as I am confined to one OU only. This won't be any better. I'd like to avoid any human admin interaction by requesting automated machine account creation in the next step. If you consider that people get sick or leave for vacation, you are out of luck.

Michael