On Tue, 2020-11-17 at 13:50 -0300, Gabriel Franca via samba wrote:
> Good afternoon people,
>
> I don't know if you can help me, I set up a Lab and I'm testing the
> creation of VDIs using a dc samba, that's the scenario.
>
> 1) Samba domain controller 4.13
>
> 2) Windows 2019 server as a member of the domain, in it I installed
> hyper-v and in it I configured the remote desktop service.
>
> I set up the template and when I create the pool I take the following
> error.
>
> The Remote Desktop Connection Agent was unable to create the computer
> account object in Active Directory Domain Services (AD DS). Verify that the
> Remote Desktop Connection Agent computer account has permissions to create
> computer accounts in the OU (organizational unit), the Remote Desktop
> Connection Agent server can contact AD DS and there is no object duplicate
> computer account in a different OU.
>
> It is giving error when it will put the VDIs in the domain.

I think I know what this is.

When I was working with Microsoft on MS16-081 (which I discovered) they
told me that there was a bit of software that required machine accounts
to create other machine accounts. I think this might be it. (It made
the fix much harder).

Either way, Samba doesn't support anyone other than an administrator
creating machine accounts (by default). Some folks get around this
with ACLs, but take care, I would still treat any account that can
create new users as 'quite privileged'.

Sorry!

Andrew Bartlett

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-081
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
https://catalyst.net.nz/services/samba
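
Following the caution above about accounts that are allowed to create machine accounts, here is an added example (not part of the original thread and not Samba's code): a small audit that reads an OU's security descriptor in SDDL form and lists trustees, other than the usual administrative groups, whose allow ACEs let them create computer objects in that OU. The SDDL string and SIDs are constructed sample data, and the `EXPECTED` set of administrative aliases is an assumption to adapt locally.

```python
import re

# schemaIDGUID of the AD "computer" class
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
CREATE_CHILD, GENERIC_ALL = 0x1, 0x10000000  # access-mask bits for hex rights
# SDDL aliases treated as administrative here (assumption, adjust to local policy)
EXPECTED = {"DA", "BA", "EA", "SY"}
ACE_RE = re.compile(r"\(([^()]*)\)")

def pairs(s):
    """Split an SDDL flag/rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_create(rights):
    """True if the rights field includes create-child (CC) or generic all (GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CREATE_CHILD | GENERIC_ALL))
    return bool(pairs(rights) & {"CC", "GA"})

def computer_creators(sddl):
    """Unexpected trustees with an allow ACE to create computers in this container.
    Deny ACEs are not evaluated, so treat the result as a list to review."""
    found = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, _inherit, trustee = fields[:6]
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # not an allow ACE, or inherit-only (no effect on this OU)
        if not grants_create(rights):
            continue
        if ace_type == "OA" and obj and obj.lower() != COMPUTER_CLASS:
            continue  # create-child limited to some other object class
        if trustee not in EXPECTED:
            found.append((trustee, "computer" if obj else "any class"))
    return found

# Constructed sample descriptor for a hypothetical OU; the SIDs are made up.
SAMPLE = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
          "(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;"
          "S-1-5-21-1111111111-2222222222-3333333333-1105)"
          "(OA;CIIO;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;"
          "S-1-5-21-1111111111-2222222222-3333333333-1106)"
          "(OA;;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)")

if __name__ == "__main__":
    for trustee, scope in computer_creators(SAMPLE):
        print(f"{trustee} can create objects here ({scope})")
```

Any trustee this reports holds the kind of delegation the reply describes and belongs in the same review as other privileged accounts.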