I have seen a number of cases where unix/linux administrators do not have access to Windows Administrator rights to execute "net ads join". Here is the result of testing that I have done to determine what the minimum set of user rights is.

Case 1: Adding the object to the domain and joining the domain with "net ads join"

In this case, an ordinary user "member of Domain Users" can add and join by having an Administrator assign the user special rights to the Computers container (or equivalent). This is done by:
    1.  Users and Computers MMC, Advanced Features View
    2.  Right click Computers container and select Properties
    3.  Choose Security tab, add a new user to the container
    4.  Click Advanced, select the new user, click Edit
    5.  Clear all rights, add back only "Create Computer Objects"
    6.  OK to exit out

The user can now add and join the computer object using "net ads join -U username".


Case 2: Add object using "Users and Computers" MMC, join using "net ads join".

This method is required when a custom schema is used and "net ads join" cannot find the correct container to add the computer. Note that sometimes the userAccountControl attribute will populate with a value that denies krb5 authentication, and the attribute must be populated manually.
    1.  Users and Computers MMC, Advanced Features View
    2.  Add the computer object using the MMC.  Do not select "Windows 2000 compatible".
    3.  Right click on the new computer object (note that this is different from the container in Case 1) and select Properties.
    4.  Click Advanced, then Add, and add the user to Security Settings.
    5.  Highlight the username, then select Edit.
    6.  Select "Full Control" - this will autoselect all Permissions.
    7.  Unselect those that we do not need:
                                            Full Control
                                            Create All Child Objects
                                            Delete All Child Objects
                                            ....(all items thru)
                                            Delete All Shared Folder Ob
    8.  OK to exit out.

The user can now join and modify the existing computer object using "net ads join -U username".


Caveats:

1.  "net ads leave -U username" does not work, even with Administrator.
2.  Several other "net ads" commands do not work.
3.  The ntSecurityDescriptor is not correctly processed (ldap.c accounts
    for this and adds the object anyway, and issues a warning)

JT - I have written a user's guide for this process. Let me know if you would like to use it however you see fit.


Eric Roseme
Hewlett-Packard
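The Case 1 delegation can also be scripted from a Windows host, which makes it easier to audit that the delegate really holds only "Create Computer Objects" and nothing broader. The following is an added example, not code from the original post or from Samba; the container DN, domain and user name are placeholders, and it assumes the ActiveDirectory PowerShell module (for the AD: drive) is installed.

```powershell
# Added example (not part of the original post): grant one user only
# "Create Computer Objects" on the Computers container, the scripted
# equivalent of the six MMC steps in Case 1, then read the ACL back.
# Assumptions (placeholders, adjust to your forest):
#   domain  example.com   ->  DC=example,DC=com
#   user    EXAMPLE\jsmith (an ordinary member of Domain Users)
Import-Module ActiveDirectory

$container = "CN=Computers,DC=example,DC=com"   # assumed container DN
$user      = "EXAMPLE\jsmith"                    # assumed delegate account

# schemaIDGUID of the "computer" object class. A CreateChild right scoped
# to this GUID is what the MMC displays as "Create Computer Objects";
# CreateChild without an object type would allow creating any child class.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$identity = New-Object System.Security.Principal.NTAccount($user)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$container"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Verification: list only this user's explicit (non-inherited) ACEs on the
# container. Expect a single Allow/CreateChild entry whose ObjectType is
# the computer class GUID; anything else means the grant is wider than
# Case 1 intends and should be removed.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference.Value -eq $user -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType
```

After the grant, the delegate runs "net ads join -U jsmith" from the Linux host exactly as in Case 1; "net ads testjoin" then confirms the resulting machine account is usable. The same pattern covers Case 2 by pointing $container at the pre-created computer object's DN and adding the property rights the post lists instead of CreateChild, which keeps the per-object grant explicit and reviewable rather than starting from "Full Control" and unticking entries.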

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba