Rowland Penny
2021-Oct-25  12:49 UTC
[Samba] disable automatic creation of computer accounts
On Mon, 2021-10-25 at 14:09 +0200, Angel Bosch Mora via samba wrote:
> Hi,
>
> I need to disable computer creation when joining AD.
>
> We have some scripts in our environment that create computer accounts,
> add them to DNS and perform some other tasks.
> So we need that joining samba domain FAILS if computer account is not
> found, even if credentials are correct, and SUCCEEDS if computer
> account is already created (samba-tool computer create mymachine01)
>
> How can I achieve that behaviour?

Alter your script so that it does what it does now, plus joins the machine and run it on the machine to be joined. Or you could script around 'net ads join' and only attempt the join if the computer already exists in AD.

> Best regards,
>
> abosch
>
> --
> Institut Mallorqui d'Afers Socials. This message and, where
> applicable, any attached file, is intended exclusively for the
> addressee and may contain confidential information. Under no
> circumstances should you copy this message or deliver it to third
> parties without the express permission of IMAS. If you are not the
> indicated addressee (or the person responsible for delivering it to
> them), we ask that you immediately notify the sender's e-mail
> address. Before printing this message, consider whether it is really
> necessary.

Why do people still use disclaimers? They are totally unenforceable (if they need enforcing), especially if the recipient cannot understand them.

Rowland
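The second suggestion above (script around 'net ads join'), sketched as an added example that is not part of the original thread or of Samba itself. It assumes the realm is already configured in smb.conf on the machine being joined and that 'net ads search' prints matching attributes as "sAMAccountName: NAME$" lines; LOOKUP and JOIN are hypothetical override hooks. The check runs on the client, so it guards against mistaken joins rather than enforcing anything on the DC.

```shell
#!/bin/sh
# Guarded domain join: only run 'net ads join' when the computer account
# has already been pre-created in AD. LOOKUP and JOIN are hypothetical
# override hooks so the logic can be exercised without a domain.

valid_name() {                      # NetBIOS-style name, max 15 chars
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;   # also keeps LDAP filter syntax out
    esac
    [ "${#1}" -le 15 ]
}

lookup_account() {                  # $1 = admin user, $2 = short host name
    net ads search -U "$1" "(sAMAccountName=$2\$)" sAMAccountName
}

# Assumption: search output lists attributes as "sAMAccountName: NAME$".
account_in_output() {               # stdin = search output, $1 = host name
    want=$(printf '%s$' "$1" | tr '[:lower:]' '[:upper:]')
    tr '[:lower:]' '[:upper:]' | tr -d '\r' |
        awk -v want="$want" \
            '$1 == "SAMACCOUNTNAME:" && $2 == want { found = 1 }
             END { exit !found }'
}

guarded_join() {                    # $1 = admin user, $2 = short host name
    user=$1
    host=${2:-$(hostname -s)}
    if ! valid_name "$host"; then
        echo "refusing: invalid host name '$host'" >&2; return 2
    fi
    # Fail closed: any lookup error means no join attempt.
    if ! out=$("${LOOKUP:-lookup_account}" "$user" "$host"); then
        echo "AD lookup failed; not joining" >&2; return 3
    fi
    if ! printf '%s\n' "$out" | account_in_output "$host"; then
        echo "no computer account for $host in AD; not joining" >&2; return 1
    fi
    "${JOIN:-net}" ads join -U "$user"
}

# Run only when called with arguments, e.g.: ./guarded-join.sh Administrator
if [ "$#" -ge 1 ]; then
    guarded_join "$@"
fi
```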
Angel Bosch Mora
2021-Oct-25  13:00 UTC
[Samba] disable automatic creation of computer accounts
> Alter your script so that it does what it does now, plus joins the
> machine and run it on the machine to be joined. Or you could script
> around 'net ads join' and only attempt the join if the computer
> already exists in AD.

The first part (new computer script) is already done and it runs supervised by some sysadmins.

The second part (join domain) is done by some low-profile assistants, and for security reasons we need that no one adds a machine by mistake or intentionally.

In Samba 3 (NT4 PDC style) it was enough to modify the "add machine script" parameter, but I've been testing different settings without success.

And I know it is a common policy in some environments:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/a2f3f357-0da5-4d41-a5cc-6ab710eb41bf/disable-automatic-computer-object-creation?forum=winserverDS

In that article they discuss the "Add workstations to domain" right. Can I enforce that via smb.conf or any other setting?

abosch

--
Institut Mallorqui d'Afers Socials.