Kacper
2018-Sep-22 11:09 UTC
[Samba] Redirecting the computer container doesn't work in Samba 4.8.5
Hello,

Changing "CN=Computers" to another OU doesn't seem to work correctly in Samba 4.8.5. Running redircmp or changing the wellKnownObject AA312825768811D1ADED00C04FD8D5CD to another OU worked in Samba 4.4 but now the Windows clients don't seem to respect that entry. They instead try to create their computer object under "CN=Computers" which they no longer have access to resulting in an Access Denied message during domain join.

In the samba log one can clearly see that the windows clients are trying to create their computer accounts in the wrong container.

Could this be a bug or did something change in the way this is handled?

Regards,
Kacper
---

Ldif:
dn: DC=mydomain,DC=test
changetype: modify
delete: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
-
add: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test
Andrew Bartlett
2018-Sep-22 16:29 UTC
[Samba] Redirecting the computer container doesn't work in Samba 4.8.5
On Sat, 2018-09-22 at 13:09 +0200, Kacper via samba wrote:
> Hello,
>
> Changing "CN=Computers" to another OU doesn't seem to work correctly
> in Samba 4.8.5. Running redircmp or changing the wellKnownObject
> AA312825768811D1ADED00C04FD8D5CD to another OU worked in Samba 4.4 but
> now the Windows clients don't seem to respect that entry. They instead
> try to create their computer object under "CN=Computers" which they no
> longer have access to resulting in an Access Denied message during
> domain join.
>
> In the samba log one can clearly see that the windows clients are
> trying to create their computer accounts in the wrong container.
>
> Could this be a bug or did something change in the way this is
> handled?
>
> Regards,
> Kacper
> ---
>
> Ldif:
> dn: DC=mydomain,DC=test
> changetype: modify
> delete: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
> -
> add: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test

Samba doesn't have much control over what clients choose to do, if they don't follow the wellKnownObjects we can't really stop that.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Kacper
2018-Sep-22 17:14 UTC
[Samba] Redirecting the computer container doesn't work in Samba 4.8.5
But if it worked in samba 4.4 something must have been changed to break this functionality in 4.8.

On Sat, 22 Sep 2018, 18:29 Andrew Bartlett, <abartlet at samba.org> wrote:
> On Sat, 2018-09-22 at 13:09 +0200, Kacper via samba wrote:
> > Hello,
> >
> > Changing "CN=Computers" to another OU doesn't seem to work correctly
> > in Samba 4.8.5. Running redircmp or changing the wellKnownObject
> > AA312825768811D1ADED00C04FD8D5CD to another OU worked in Samba 4.4 but
> > now the Windows clients don't seem to respect that entry. They instead
> > try to create their computer object under "CN=Computers" which they no
> > longer have access to resulting in an Access Denied message during
> > domain join.
> >
> > In the samba log one can clearly see that the windows clients are
> > trying to create their computer accounts in the wrong container.
> >
> > Could this be a bug or did something change in the way this is
> > handled?
> >
> > Regards,
> > Kacper
> > ---
> >
> > Ldif:
> > dn: DC=mydomain,DC=test
> > changetype: modify
> > delete: wellKnownObjects
> > wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
> > -
> > add: wellKnownObjects
> > wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test
>
> Samba doesn't have much control over what clients choose to do, if they
> don't follow the wellKnownObjects we can't really stop that.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Achim Gottinger
2018-Sep-24 00:19 UTC
[Samba] Redirecting the computer container doesn't work in Samba 4.8.5
On 22.09.18 at 13:09, Kacper via samba wrote:
> Hello,
>
> Changing "CN=Computers" to another OU doesn't seem to work correctly
> in Samba 4.8.5. Running redircmp or changing the wellKnownObject
> AA312825768811D1ADED00C04FD8D5CD to another OU worked in Samba 4.4 but
> now the Windows clients don't seem to respect that entry. They instead
> try to create their computer object under "CN=Computers" which they no
> longer have access to resulting in an Access Denied message during
> domain join.
>
> In the samba log one can clearly see that the windows clients are
> trying to create their computer accounts in the wrong container.
>
> Could this be a bug or did something change in the way this is handled?
>
> Regards,
> Kacper
> ---
>
> Ldif:
> dn: DC=mydomain,DC=test
> changetype: modify
> delete: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
> -
> add: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test

Can it be you have a syntax error in the add statement? Using CN=My_Machines may work.
Kacper
2018-Sep-24 09:37 UTC
[Samba] Redirecting the computer container doesn't work in Samba 4.8.5
Sorry, that's just a typo. It should be
B:32:AA312825768811D1ADED00C04FD8D5CD:OU=My_Machines,DC=mydomain,DC=test

On Mon, Sep 24, 2018 at 2:21 AM Achim Gottinger via samba <samba at lists.samba.org> wrote:
> On 22.09.18 at 13:09, Kacper via samba wrote:
> > Hello,
> >
> > Changing "CN=Computers" to another OU doesn't seem to work correctly
> > in Samba 4.8.5. Running redircmp or changing the wellKnownObject
> > AA312825768811D1ADED00C04FD8D5CD to another OU worked in Samba 4.4 but
> > now the Windows clients don't seem to respect that entry. They instead
> > try to create their computer object under "CN=Computers" which they no
> > longer have access to resulting in an Access Denied message during
> > domain join.
> >
> > In the samba log one can clearly see that the windows clients are
> > trying to create their computer accounts in the wrong container.
> >
> > Could this be a bug or did something change in the way this is handled?
> >
> > Regards,
> > Kacper
> > ---
> >
> > Ldif:
> > dn: DC=mydomain,DC=test
> > changetype: modify
> > delete: wellKnownObjects
> > wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
> > -
> > add: wellKnownObjects
> > wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test
>
> Can it be you have a syntax error in the add statement? Using CN=My_Machines may work.
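
Added example (not part of the thread and not Samba code): a pre-flight check for the wellKnownObjects values in an LDIF change like the one posted above, which flags the missing RDN attribute type that Achim pointed out. The function names check_well_known and check_ldif are hypothetical; the sample values are the ones posted in the thread.

```python
import re

# Added example; function names are hypothetical, not Samba APIs.
# DN-with-binary syntax of wellKnownObjects: B:<hex char count>:<hex>:<DN>
DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def check_well_known(value):
    """Return a list of problems found in one wellKnownObjects value."""
    m = DN_BINARY.match(value.strip())
    if not m:
        return ["not in B:<count>:<hex>:<DN> form"]
    count, hexpart, dn = int(m.group(1)), m.group(2), m.group(3)
    problems = []
    if count != len(hexpart):
        problems.append(f"count {count} != {len(hexpart)} hex characters")
    # Split on commas that are not backslash-escaped, then check each RDN.
    for rdn in re.split(r"(?<!\\),", dn):
        if not RDN.match(rdn.strip()):
            problems.append(f"RDN without attribute type: {rdn.strip()!r}")
    return problems

def check_ldif(ldif_text):
    """Map each wellKnownObjects value in an LDIF record to its problems."""
    # Unfold LDIF continuation lines (a newline followed by one space).
    unfolded = ldif_text.replace("\n ", "")
    results = {}
    for line in unfolded.splitlines():
        if line.startswith("wellKnownObjects:"):
            value = line.split(":", 1)[1].strip()
            results[value] = check_well_known(value)
    return results

# The LDIF as first posted in the thread, and the corrected add value.
POSTED = """dn: DC=mydomain,DC=test
changetype: modify
delete: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=mydomain,DC=test
-
add: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:My_Machines,DC=mydomain,DC=test
"""
CORRECTED = "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=My_Machines,DC=mydomain,DC=test"

if __name__ == "__main__":
    for value, problems in check_ldif(POSTED).items():
        print(value, "->", problems or "ok")
    print(CORRECTED, "->", check_well_known(CORRECTED) or "ok")
```

The check is syntactic only: it does not confirm that the target OU exists or that the joining account may create computer objects in it.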