Oliver Rath
2019-Jan-16 21:03 UTC
[Samba] Howto set/reset/read computer account password with samba-4.9.x examples?

Hi list,

I want to perform a domain join of a computer to a given machine account with reusing it, not overwriting. For this I think, it is the right way (for an unattend.xml) to use the <machinePassword> described here:
https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification#child-elements

In the new feature list of samba 4.9.x is written "The 'samba-tool computer' command allow manipulation of computer accounts including creating a new computer and resetting the password. This allows an 'offline join' of a member server or workstation to the Samba AD domain."

Unfortunately I don't find any example for

* resetting the password (the "setpassword" from user command doesn't work, maybe simply --password?)
* creating a computer with a given machine password (maybe simply --password, too?)
* reading the machine password from AD (there I found some old variant which didn't work, tested with Win81-clients)
* perform an offline join with a previously given/read-from-ad machine password

Is this possible, some examples anywhere?

Tfh!

Oliver

Rowland Penny
2019-Jan-16 22:19 UTC
[Samba] Howto set/reset/read computer account password with samba-4.9.x examples?

On Wed, 16 Jan 2019 22:03:29 +0100 Oliver Rath via samba <samba at lists.samba.org> wrote:

> Hi list,
>
> I want to perform a domain join of a computer to a given machine
> account with reusing it, not overwriting. For this I think, it is the
> right way (for an unattend.xml) to use the <machinePassword> described
> here:
> https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification#child-elements
>
> In the new feature list of samba 4.9.x is written "The 'samba-tool
> computer' command allow manipulation of computer accounts including
> creating a new computer and resetting the password. This allows an
> 'offline join' of a member server or workstation to the Samba AD
> domain."
>
> Unfortunately I don't find any example for
>
> * resetting the password (the "setpassword" from user command doesn't
> work, maybe simply --password?)

It does work, did you forget the '$' on the end of the computer name? e.g.

    samba-tool user setpassword --filter=samaccountname=Computer$

I think you would need to use this with '--random-password'

> * creating a computer with a given machine password (maybe simply
> --password, too?)

You cannot do that, you need to create the computer and then set the password.

> * reading the machine password from AD (there I found some old
> variant which didn't work, tested with Win81-clients)

I think you would have to export a keytab for the new computer, pass this to the new computer and then kinit with this and then do the join with kerberos.

Rowland

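The three steps suggested in the reply above (create the computer, reset its password with the trailing '$', export a keytab), as an added example that is not part of the thread or of the Samba project: a POSIX shell dry-run that prints the samba-tool commands. The function names, the RUN switch, the 15-character name check and passing the sAMAccountName to --principal are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): plan the three steps from the reply above.
# Prints the samba-tool commands; set RUN=1 to execute them on a Samba AD DC.

# Turn a host name into the machine account's sAMAccountName (trailing '$').
machine_sam() {
    name=${1%\$}    # accept the name with or without the '$'
    case $name in
        ''|*[!A-Za-z0-9-]*) echo "invalid computer name: $1" >&2; return 1 ;;
    esac
    # Assumption: enforce the 15-character NetBIOS name limit up front.
    [ "${#name}" -le 15 ] || { echo "name too long: $name" >&2; return 1; }
    printf '%s$\n' "$name"
}

# Run the command when RUN=1, otherwise print it with '$' arguments quoted.
step() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; return; fi
    line=
    for a in "$@"; do
        case $a in *[!A-Za-z0-9_./=-]*) a="'$a'" ;; esac
        line="$line $a"
    done
    printf '%s\n' "${line# }"
}

# Usage: provision_machine NAME [KEYTAB]
provision_machine() {
    sam=$(machine_sam "$1") || return 1
    keytab=${2:-./${sam%\$}.keytab}
    # 1. Create the computer object (the password cannot be given here).
    step samba-tool computer create "${sam%\$}"
    # 2. Reset its password; the filter must name the account with the '$'.
    step samba-tool user setpassword "--filter=samaccountname=$sam" --random-password
    # 3. Export the account's keys. The keytab is a credential, so the
    #    umask keeps it private to the current user.
    #    Assumption: --principal accepts the sAMAccountName form.
    ( umask 077; step samba-tool domain exportkeytab "$keytab" "--principal=$sam" )
}

if [ "$#" -gt 0 ]; then provision_machine "$@"; fi
```
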
Denis Cardon
2019-Jan-17 07:45 UTC
[Samba] Howto set/reset/read computer account password with samba-4.9.x examples?

Hi Oliver,

On 01/16/2019 at 10:03 PM, Oliver Rath via samba wrote:

> Hi list,
>
> I want to perform a domain join of a computer to a given machine account
> with reusing it, not overwriting. For this I think, it is the right way
> (for an unattend.xml) to use the <machinePassword> described here:
> https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification#child-elements
>
> In the new feature list of samba 4.9.x is written "The 'samba-tool
> computer' command allow manipulation of computer accounts including
> creating a new computer and resetting the password. This allows an
> 'offline join' of a member server or workstation to the Samba AD domain."

There has been a thread on the samba-technical mailing list about djoin.exe et al. You may take a look at it:
https://lists.samba.org/archive/samba-technical/2019-January/132023.html

You'll need both a way to create/reset the account (and get the clear text shared secret), then re-inject it on the domain member in the secrets.tdb file.

Cheers,

Denis

> Unfortunately I don't find any example for
>
> * resetting the password (the "setpassword" from user command doesn't
> work, maybe simply --password?)
> * creating a computer with a given machine password (maybe simply
> --password, too?)
> * reading the machine password from AD (there I found some old variant
> which didn't work, tested with Win81-clients)
> * perform an offline join with a previously given/read-from-ad machine
> password
>
> Is this possible, some examples anywhere?
>
> Tfh!
>
> Oliver

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr