
Re: [Samba] Inconsistent results while attempting to preset a computer with a one-time-password

Quoting Dan Oriani via samba <samba@xxxxxxxxxxxxxxx>:

Quoting Dan Oriani via samba <samba@xxxxxxxxxxxxxxx>:

Quoting Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

On Tue, 06 Feb 2018 14:09:08 -0500
Dan Oriani via samba <samba@xxxxxxxxxxxxxxx> wrote:


I'm not opposed to the idea. Does 'net ads join' support supplying
the machine name as the user, and the one-time-password given to it?
The only reason I'm using adcli at all is the preset-computer option
which I couldn't find an analogue to in 'net ads'.



I have never tried this, but there is the 'createcomputer=OU' option:

Precreate the computer account in a specific OU.
The OU string read from top to bottom without RDNs
and delimited by a '/'.
E.g. "createcomputer=Computers/Servers/Unix"
NB: A backslash '\' is used as escape at multiple
levels and may need to be doubled or even
quadrupled. It is not used as a separator.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

So I have the computer precreated in the OU. Let's call this host 'ruby'. I also pass 'machinepass' so that it can join itself later (I think?). On 'ruby' I run 'net ads join', except it asks me for a password still. If I try to run 'net ads join -U RUBY$%onetimepass -v -d 5' it seems as if it tries to create the machine again, as in the logs I get 'machine account creation failed', then 'failed to precreate account in ou ....: Insufficient accesssigned SMB2 message'. Should I be specifying something else? The man page seems to suggest that if the machine already exists, it'll use that entry. Having 'net ads join' prompt me for a password is a no-go, as it brings me right back to manually doing this all by hand.


Also it kind of seems from the logs that running 'net ads join createcomputer=OU' is attempting to join the computer I'm running the command on again. The man page really isn't all that specific about it.


So testing around still being unsure how to have 'net' prep the computer, I found https://lists.samba.org/archive/samba-technical/2010-August/072627.html from 2010 where another user seems to be trying to accomplish a similar task. Is net capable of setting the allowed joiner as mentioned in that post?

In any case, I hit another roadblock: I create the computer in ADUC allowing SELF to join, use 'net' to set the password since it seems 'net' still doesn't allow for no-password, then attempt to join with 'net ads join -U RUBY$%password'. It seems I'm back to the same permissions problem I was running into with adcli though. It gets to 'machine account creation failed', then 'Host account for RUBY does not have service principal names' and 'Failed to join domain: Failed to set machine spn: Insufficient access'. So it looks like even though the machine account has the permissions to join itself, it still can't set its own SPN.

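The invocation discussed in this thread, 'net ads join createcomputer=OU -U RUBY$%onetimepass', puts the one-time password on the command line, where it is visible to every local user in the process list for as long as net runs. The script below is an added example, written for this page; it is not code from the thread or from Samba. It builds the same join, but reads the credentials through net's -A authentication file (the username/password/domain format documented in the net(8) man page), created with mode 0600, and it derives the 'createcomputer=' path from the OU's LDAP DN using the top-to-bottom, slash-delimited form Rowland quoted above, escaping slashes and backslashes inside OU names with a backslash as the man page describes. The host name RUBY, the OU DN, the domain name EXAMPLE and the auth-file location are assumptions for illustration. The script also assumes, which the thread does not establish, that the precreated RUBY$ account holds the given password and has the rights the join needs, including writing its own servicePrincipalName; the thread reports that step failing with "Insufficient access", and the script only propagates net's exit status rather than assuming success.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Joins a host to AD
# as a precreated computer account, taking the one-time password from a
# mode-0600 auth file (net's -A option) instead of '-U RUBY$%onetimepass',
# which leaves the password visible in the process list while net runs.

# Convert the LDAP DN of the target OU into the 'createcomputer=' path that
# 'net ads join' expects: the OU names read top to bottom, without "OU=",
# delimited by '/'. Slashes and backslashes inside an OU name are escaped
# with a backslash, as the net(8) man page says; depending on how many shell
# levels sit between you and net, that backslash may need doubling again.
# Limitation: escaped commas inside an RDN ("OU=a\,b") are not handled.
dn_to_createcomputer() {
    dn=$1
    out=""
    oldifs=$IFS
    IFS=','
    set -f                      # no globbing while we word-split on commas
    for rdn in $dn; do
        rdn=${rdn# }            # tolerate "OU=a, OU=b" spacing
        case $rdn in
            [Oo][Uu]=*)
                name=$(printf '%s' "${rdn#*=}" | sed 's#[\\/]#\\&#g')
                if [ -z "$out" ]; then out=$name; else out="$name/$out"; fi
                ;;
            *)  ;;              # DC= / CN= components are not part of the path
        esac
    done
    set +f
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Write the credentials in the format 'net -A' reads (username/password/
# domain), creating the file with mode 0600 so other local users cannot read
# the one-time password.
write_authfile() {
    file=$1 user=$2 pass=$3 domain=$4
    ( umask 077
      printf 'username = %s\npassword = %s\ndomain = %s\n' \
          "$user" "$pass" "$domain" > "$file" )
}

# Join as the precreated account HOST$. Assumes (not established in the
# thread) that the account exists in the given OU with $pass as its password
# and has the rights the join needs, including writing its own SPN; the
# thread reports that step failing with "Insufficient access". net's exit
# status is returned as-is.
join_precreated() {
    host=$1 pass=$2 ou_dn=$3 domain=$4
    dir=$(mktemp -d) || return 1
    write_authfile "$dir/auth" "${host}\$" "$pass" "$domain"
    path=$(dn_to_createcomputer "$ou_dn")
    net ads join "createcomputer=$path" -A "$dir/auth"
    rc=$?
    rm -rf "$dir"               # the one-time password does not outlive the join
    return $rc
}

# Usage (assumed names):
#   sh join.sh RUBY onetimepass 'OU=Unix,OU=Servers,OU=Computers,DC=example,DC=com' EXAMPLE
if [ "$#" -eq 4 ]; then
    join_precreated "$@"
fi
```

The auth file lives only for the duration of the join and is removed afterwards, so the one-time password is never left on disk; if you add '-d 5' to the net call for diagnosis, as in the thread, treat the resulting log with the same care as the password itself.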