On Thu, 21 Sep 2017 19:30:29 +0000
"A. James Lewis" <james@xxxxxxxxxx> wrote:

> What I don't understand is that the Windows team here are really
> restrictive, and I have no administrative rights in the domain,
> however I verified that I could authenticate with kerberos, using
> kinit, and then "net ads join -k", and I am able to authenticate
> against the domain, and gain access to idmap UID/GID mapping... 
> So, what I don't understand is what the join process does, if I am
> able to authenticate, having performed this "net ads join -k" dance,
> am I only configuring Samba?, because according to our Windows team,
> I have no rights in the domain to "join" a computer, and I thought
> that was required to authenticate!

They are not being that restrictive LOL

Unless changes are made, any AD user can join up to 10 computers to a
Windows AD domain, as you have found out. If you are not running
Samba as an AD DC, you are not joining the computer to Samba, you are
joining it to AD.


