Dan Oriani
2018-Feb-06 20:41 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Quoting Dan Oriani via samba <samba at lists.samba.org>:
> Quoting Rowland Penny via samba <samba at lists.samba.org>:
>> On Tue, 06 Feb 2018 14:09:08 -0500
>> Dan Oriani via samba <samba at lists.samba.org> wrote:
>>
>>> I'm not opposed to the idea. Does 'net ads join' support supplying
>>> the machine name as the user, and the one-time-password given to it?
>>> The only reason I'm using adcli at all is the preset-computer option
>>> which I couldn't find an analogue to in 'net ads'.
>>
>> I have never tried this, but there is the 'createcomputer=OU' option:
>>
>>     Precreate the computer account in a specific OU.
>>     The OU string read from top to bottom without RDNs
>>     and delimited by a '/'.
>>     E.g. "createcomputer=Computers/Servers/Unix"
>>     NB: A backslash '\' is used as escape at multiple
>>     levels and may need to be doubled or even
>>     quadrupled. It is not used as a separator.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> So I have the computer precreated in the OU. Let's call this host 'ruby'.
> I also pass 'machinepass' so that it can join itself later (I think?). On
> 'ruby' I run 'net ads join', except it asks me for a password still. If I
> try to run 'net ads join -U RUBY$%onetimepass -v -d 5' it seems as if it
> tries to create the machine again, as in the logs I get 'machine account
> creation failed', then 'failed to precreate account in ou ....:
> Insufficient accesssigned SMB2 message'. Should I be specifying something
> else? The man page seems to suggest that if the machine already exists,
> it'll use that entry. Having 'net ads join' prompt me for a password is a
> no-go, as it brings me right back to manually doing this all by hand.

Also it kind of seems from the logs that running 'net ads join
createcomputer=OU' is attempting to join the computer I'm running the
command on again. The man page really isn't all that specific about it.
Dan Oriani
2018-Feb-07 14:08 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Quoting Dan Oriani via samba <samba at lists.samba.org>:
> Quoting Dan Oriani via samba <samba at lists.samba.org>:
>> So I have the computer precreated in the OU. Let's call this host 'ruby'.
>> I also pass 'machinepass' so that it can join itself later (I think?). On
>> 'ruby' I run 'net ads join', except it asks me for a password still. If I
>> try to run 'net ads join -U RUBY$%onetimepass -v -d 5' it seems as if it
>> tries to create the machine again, as in the logs I get 'machine account
>> creation failed', then 'failed to precreate account in ou ....:
>> Insufficient accesssigned SMB2 message'. Should I be specifying something
>> else? The man page seems to suggest that if the machine already exists,
>> it'll use that entry. Having 'net ads join' prompt me for a password is a
>> no-go, as it brings me right back to manually doing this all by hand.
>
> Also it kind of seems from the logs that running 'net ads join
> createcomputer=OU' is attempting to join the computer I'm running the
> command on again. The man page really isn't all that specific about it.

So, testing around while still being unsure how to have 'net' prep the
computer, I found
https://lists.samba.org/archive/samba-technical/2010-August/072627.html
from 2010 where another user seems to be trying to accomplish a similar
task. Is net capable of setting the allowed joiner as mentioned in that
post?

In any case, I hit another roadblock: I create the computer in ADUC
allowing SELF to join, use 'net' to set the password since it seems 'net'
still doesn't allow for no-password, then attempt to join with
'net ads join -U RUBY$%password'. It seems I'm back to the same permissions
problem I was running into with adcli though. It gets to 'machine account
creation failed', then 'Host account for RUBY does not have service
principal names' and 'Failed to join domain: Failed to set machine spn:
Insufficient access'. So it looks like even though the machine account has
the permissions to join itself, it still can't set its own SPN.
Dan Oriani
2018-Feb-07 17:42 UTC
[Samba] Inconsistent results while attempting to preset a computer with a one-time-password
Quoting Dan Oriani via samba <samba at lists.samba.org>:
> So, testing around while still being unsure how to have 'net' prep the
> computer, I found
> https://lists.samba.org/archive/samba-technical/2010-August/072627.html
> from 2010 where another user seems to be trying to accomplish a similar
> task. Is net capable of setting the allowed joiner as mentioned in that
> post?
>
> In any case, I hit another roadblock: I create the computer in ADUC
> allowing SELF to join, use 'net' to set the password since it seems 'net'
> still doesn't allow for no-password, then attempt to join with
> 'net ads join -U RUBY$%password'. It seems I'm back to the same
> permissions problem I was running into with adcli though. It gets to
> 'machine account creation failed', then 'Host account for RUBY does not
> have service principal names' and 'Failed to join domain: Failed to set
> machine spn: Insufficient access'. So it looks like even though the
> machine account has the permissions to join itself, it still can't set
> its own SPN.

And just like that post, if I modify that machine entry and grant 'Read
Write all properties' on the SELF object, it can then successfully join
itself.

That doesn't really seem like a great idea though, and definitely doesn't
lend itself to automation. Unfortunately it seems as though that thread
ends without resolution, so I'm still unsure as to where to go from here.
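The workaround above grants SELF "Read/Write all properties" on the computer object, which lets the account rewrite any of its own attributes. The narrower alternative in AD is the two validated-write control-access rights (Validated-SPN and Validated-DNS-Host-Name) granted to SELF. The following is an added example, not code from this thread or from the Samba project: it parses the DACL portion of an SDDL string, reports whether SELF holds a broad write grant and whether the two validated writes are present, and rewrites the DACL to the narrower form. The GUIDs and SDDL aliases (PS for NT AUTHORITY\SELF, SW for validated write) are the standard AD values; the sample DACLs are constructed, and it is an assumption, not something this thread confirms, that the validated writes alone are enough for 'net ads join' to set the SPN in a given domain.

```python
import re

# SDDL alias for NT AUTHORITY\SELF (S-1-5-10): the computer acting on its own object.
SELF_TRUSTEE = "PS"
# Validated-write control-access rights from the AD schema Extended-Rights container.
VALIDATED_WRITE_SPN_GUID = "f3a64788-5306-11d1-a9c5-0000f80367c1"      # Validated-SPN
VALIDATED_WRITE_DNSHOST_GUID = "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated-DNS-Host-Name
# Rights that let a trustee write any attribute of the object.
BROAD_WRITE_RIGHTS = {"WP", "GW", "GA"}

SPN_ACE = f"(OA;;SW;{VALIDATED_WRITE_SPN_GUID};;{SELF_TRUSTEE})"
DNSHOST_ACE = f"(OA;;SW;{VALIDATED_WRITE_DNSHOST_GUID};;{SELF_TRUSTEE})"

_DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")


def minimal_self_join_aces():
    """The two validated-write ACEs assumed sufficient for a precreated
    computer to set its own servicePrincipalName and dNSHostName."""
    return [SPN_ACE, DNSHOST_ACE]


def _parse_ace(raw):
    m = _ACE_RE.fullmatch(raw)
    if not m:
        raise ValueError(f"unparseable ACE: {raw}")
    ace_type, flags, rights, obj, inherit, trustee = m.groups()
    return {"raw": raw, "type": ace_type, "flags": flags, "rights": rights,
            "object_type": obj.lower(), "inherit": inherit, "trustee": trustee}


def _split_rights(rights):
    """Symbolic rights are concatenated two-letter codes; a hex mask is
    kept as one opaque token (not decoded here)."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: section as dicts."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL string has no DACL (D:) section")
    return [_parse_ace(raw) for raw in re.findall(r"\([^)]*\)", m.group(2))]


def _is_broad_self_write(ace):
    """SELF allowed WP/GW/GA with no object-type GUID, i.e. write to any attribute."""
    return (ace["trustee"] == SELF_TRUSTEE
            and ace["type"] in ("A", "OA")
            and not ace["object_type"]
            and bool(set(_split_rights(ace["rights"])) & BROAD_WRITE_RIGHTS))


def audit_self_grants(sddl):
    """Report broad SELF write grants and whether the validated writes exist."""
    report = {"broad_write": [], "validated_spn": False, "validated_dnshost": False}
    for ace in parse_dacl(sddl):
        if ace["trustee"] != SELF_TRUSTEE or ace["type"] not in ("A", "OA"):
            continue
        if _is_broad_self_write(ace):
            report["broad_write"].append(ace["raw"])
        if "SW" in _split_rights(ace["rights"]):
            if ace["object_type"] == VALIDATED_WRITE_SPN_GUID:
                report["validated_spn"] = True
            if ace["object_type"] == VALIDATED_WRITE_DNSHOST_GUID:
                report["validated_dnshost"] = True
    return report


def harden_self_dacl(sddl):
    """Strip WP/GW/GA from SELF's object-wide ACEs (other rights such as RP are
    kept) and append the validated-write ACEs if missing. Returns new SDDL."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL string has no DACL (D:) section")
    before = audit_self_grants(sddl)
    kept = []
    for raw in re.findall(r"\([^)]*\)", m.group(2)):
        ace = _parse_ace(raw)
        if _is_broad_self_write(ace):
            rights = [r for r in _split_rights(ace["rights"]) if r not in BROAD_WRITE_RIGHTS]
            if not rights:
                continue  # nothing left to grant; drop the ACE entirely
            raw = (f"({ace['type']};{ace['flags']};{''.join(rights)};"
                   f"{ace['object_type']};{ace['inherit']};{ace['trustee']})")
        kept.append(raw)
    if not before["validated_spn"]:
        kept.append(SPN_ACE)
    if not before["validated_dnshost"]:
        kept.append(DNSHOST_ACE)
    return sddl[:m.start()] + "D:" + m.group(1) + "".join(kept) + sddl[m.end():]


# Constructed sample DACLs (not taken from the thread's domain). The first mirrors
# the "Read/Write all properties for SELF" workaround; the second is the narrow grant.
BROAD_SDDL = "O:DAG:DAD:AI(A;;RPWP;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
NARROW_SDDL = ("O:DAG:DAD:(A;;RPLC;;;AU)"
               f"(OA;;SW;{VALIDATED_WRITE_SPN_GUID};;PS)"
               f"(OA;;SW;{VALIDATED_WRITE_DNSHOST_GUID};;PS)")

if __name__ == "__main__":
    print("broad :", audit_self_grants(BROAD_SDDL))
    print("narrow:", audit_self_grants(NARROW_SDDL))
    print("fixed :", harden_self_dacl(BROAD_SDDL))
```

The rewritten SDDL can be applied with any tool that accepts SDDL for an AD object's nTSecurityDescriptor (for instance the .NET SetSecurityDescriptorSddlForm method on the ACL returned by PowerShell's Get-Acl against the AD: drive); hex rights masks are treated as opaque and left untouched, so a DACL that uses them should be checked by hand.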