[Samba] Using machine account credentials for issuing standalone ldap queries against a Windows 2000 Active Directory server

2007-09-11 Thread Raj Pagaku
Hello All,

This might come across as a rather strange and interesting question related to 
using machine account credentials to issue standalone ldap queries against an 
Active Directory server.

We are using Samba and use 'ads' mode to join the machine onto the Active 
Directory (net ads join).  Once the machine is joined to the domain, we do not 
have access to the username and password that was used to join the machine on 
the Active Directory server.  Also we do not have access to any other username 
and password on the AD server.  Hence we use the machine account credentials 
(password that is available in the 'secrets.tdb') to perform ldap queries 
against the AD server (we have appropriate scripts to fetch the credential from 
the file).  We can invoke standard 'ldapsearch' using the machine account 
credentials and perform ldap queries on the AD server.
 
This works completely fine without any issues when we have joined a Windows 
2003 Active Directory server.  
 
However when we join a Windows 2000 Active Directory server the machine account 
credentials don't work.  The password always seems to be invalid when used with 
ldapsearch.  The machine has joined the domain and queries can be performed 
with a normal username and password but not with the machine account username 
and password.

Also this does not seem to be Samba-version specific; we observe this on 
both 3.0.23c and 3.0.25a.
 
Does anyone know why the machine account credentials don't work when used in 
standalone ldap queries against a Windows 2000 AD server?
 
Thanks in advance for any input that might help in addressing this issue.
 
Regards
Raj Pagaku

P.S: I had sent this email to samba-technical by mistake.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
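An added example (not from the thread and not Samba's own code) of the procedure the post describes: read the machine account password that Samba keeps in secrets.tdb, form the machine's logon name, and bind to the DC with ldapsearch. The tdbdump text, the secrets.tdb path, and the CHILD1/WSA29 names are constructed for illustration; the only thing the script assumes about the real file is the key name Samba uses, SECRETS/MACHINE_PASSWORD/<WORKGROUP>.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code): pull the machine
# account password Samba keeps in secrets.tdb and use it for a standalone
# ldapsearch bind.  Paths, names and the tdbdump text below are constructed.

# Constructed sample of `tdbdump secrets.tdb` output.  tdbdump prints keys and
# values as C strings with non-printable bytes escaped as \XX; Samba stores the
# key and the password NUL-terminated, hence the trailing \00 on both.
SAMPLE_DUMP='{
key(19) = "SECRETS/SID/CHILD1\00"
data(4) = "\01\04\00\00"
}
{
key(32) = "SECRETS/MACHINE_PASSWORD/CHILD1\00"
data(15) = "x7Q!machine-pw\00"
}
'

# machine_password DUMP_TEXT WORKGROUP
# Prints the machine account password for WORKGROUP found in DUMP_TEXT, or
# nothing if the key is absent.  Limitation: bytes tdbdump escapes as \XX are
# printed escaped, not decoded; Samba-generated machine passwords are printable.
machine_password() {
    printf '%s\n' "$1" | awk -v key="SECRETS/MACHINE_PASSWORD/$2" '
        /^key\(/ {
            want = (index($0, "\"" key "\"") > 0 || index($0, "\"" key "\\00\"") > 0)
            next
        }
        want && /^data\(/ {
            sub(/^data\([0-9]+\) = "/, "")
            sub(/\\00"$/, "")
            sub(/"$/, "")
            print
            exit
        }'
}

# machine_bind_name WORKGROUP NETBIOSNAME
# The machine account logs on with its sAMAccountName, i.e. the NetBIOS host
# name with a trailing '$', qualified by the short domain name.
machine_bind_name() {
    printf '%s\\%s$' "$1" "$2"
}

# machine_ldapsearch DC WORKGROUP NETBIOSNAME PASSWORD BASEDN [ldapsearch args]
# Simple bind as the machine account.  -ZZ forces StartTLS so the password
# does not cross the wire in clear text; drop it only if the DC has no cert.
machine_ldapsearch() {
    dc=$1; wg=$2; nb=$3; pw=$4; base=$5; shift 5
    ldapsearch -x -ZZ -H "ldap://$dc" \
        -D "$(machine_bind_name "$wg" "$nb")" -w "$pw" -b "$base" "$@"
}

# Stand-alone use against a real DC (needs tdbdump, ldapsearch and network):
#   DC=child1-server.child1.ad.wga sh this_script.sh
if [ -n "${DC:-}" ]; then
    pw=$(machine_password "$(tdbdump "${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}")" CHILD1)
    machine_ldapsearch "$DC" CHILD1 WSA29 "$pw" "DC=child1,DC=ad,DC=wga" \
        '(sAMAccountName=WSA29$)' dNSHostName servicePrincipalName userAccountControl
fi
```

Two practical notes. The password leaves secrets.tdb only because ldapsearch is given it on the command line; prefer `-y passfile` over `-w` on a multi-user box, since `-w` exposes it in the process list. And if the build has `use kerberos keytab = yes` and `net ads keytab create` has populated a keytab, a `kinit -k 'WSA29$'` followed by `ldapsearch -Y GSSAPI` binds as the same machine account without ever handling the password (this is an assumption about the site's setup, not something the thread states).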


[Samba] Use tcp while fetching kerberos tickets

2007-09-07 Thread Raj Pagaku
Hello,

We are running samba version 3.0.25a and Heimdal 0.6.3 for kerberos.

With 3.0.25a version of Samba, we observe that if we are attempting to
join our primary domain in ADS mode and the Active Directory happens to
be the closest DC, samba creates its own local private krb5 conf file
and overrides the KRB5_CONFIG environment variable
[create_local_private_krb5_conf_for_domain() is invoked from function
ads_dc_name() in file libsmb/namequery_dc.c]

Is there a specific reason for creating a custom krb5 conf file instead
of using the default krb5 conf or the conf file specified in the
environment variable KRB5_CONFIG when the 'net ads join' is invoked?
Nothing wrong with creating a custom file but wanted to understand the
technical reason behind it.

There is however one issue with the contents of the private krb5 conf
file generated.  The generated file has a kdc line of the following
format:

   kdc = ip_address_of_ad_server

Since the KRB5_CONFIG variable is overridden there is no way to inform
samba to use 'tcp' for fetching Kerberos tickets.

We used to run the 'net ads join' by providing path to a krb5.conf file
that had a kdc line of the following format:

   kdc = tcp/ip_address_of_ad_server

and this worked fine in older versions (3.0.23c) since a custom krb5
conf file was not created.

Our environment does not allow udp kerberos traffic.  How can we inform
the kerberos ticketing code in samba to use 'tcp' instead of 'udp'?

Thanks
Raj Pagaku

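An added example (not from the thread and not Samba code) for the TCP problem above: a function that writes a Heimdal-style krb5.conf pinning the KDC to TCP, and an audit function that reports kdc entries in any krb5.conf that would still be reached over UDP, which is what the private file Samba generates (kdc = address) looks like according to the post. The realm, address and file paths are made up; the unprefixed sample file is a constructed stand-in, not a copy of what Samba writes.

```shell
#!/bin/sh
# Added example, not from the thread and not Samba code: write a Heimdal-style
# krb5.conf that pins the KDC to TCP, and audit any krb5.conf (for instance
# the private one Samba generates) for kdc entries that would still go UDP.
# Realm, address and file names are made up.

# write_tcp_krb5_conf FILE REALM KDC_ADDR
# Heimdal honours a "tcp/" transport prefix on kdc entries.  dns_lookup_kdc is
# off so the library cannot discover extra, unprefixed KDCs via SRV records.
write_tcp_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $2
    dns_lookup_kdc = false

[realms]
    $2 = {
        kdc = tcp/$3:88
    }
EOF
}

# write_udp_krb5_conf_sample FILE REALM KDC_ADDR
# Constructed stand-in for the private file the thread describes Samba writing
# (kdc = address, no transport prefix), used here only to exercise the audit.
write_udp_krb5_conf_sample() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $2

[realms]
    $2 = {
        kdc = $3
    }
EOF
}

# kdc_udp_lines FILE
# Prints every kdc entry in FILE that lacks the tcp/ prefix and returns 1 if
# there is at least one; returns 0 (prints nothing) when all are pinned to TCP.
kdc_udp_lines() {
    found=$(awk '
        /^[ \t]*kdc[ \t]*=/ {
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, "")
            if ($0 !~ /^tcp\//) print
        }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: audit the file Samba generated for a domain.  The path is
# an assumption; check where your build puts it (the thread says it is a
# private file Samba creates, it does not give the location).
if [ -n "${SAMBA_KRB5_CONF:-}" ]; then
    if kdc_udp_lines "$SAMBA_KRB5_CONF"; then
        echo "all KDC entries pinned to TCP"
    else
        echo "UDP-capable KDC entries listed above" >&2
    fi
fi
```

The `tcp/` prefix is Heimdal syntax; MIT Kerberos does not understand it and would treat `tcp/10.1.2.3:88` as a host name. The MIT equivalent is `udp_preference_limit = 1` in `[libdefaults]`, which makes the library try TCP first for every request. Neither setting helps if the library never reads the file, which is the situation the post describes with 3.0.25a overriding KRB5_CONFIG; the audit function is there so you can at least see what the generated file contains.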


RE: [Samba] Argument createcomputer does not work in net rpc join

2007-08-20 Thread Raj Pagaku
Jerry,

Thanks for your response.  Any specific reason why 'net rpc join'
doesn't support it?

Since we needed this functionality (customer didn't like it when we said
we don't support that :)), we wrote a small function that utilizes
smbldap_xxx routines.  Specifically our small function utilizes the
following smbldap_xxx routines:

smbldap_set_mod - to set 'cn', 'sAMAccountName', 'objectClass',
'userAccountControl'.
smbldap_init - to initialize the connection with AD server
smbldap_set_creds - set the credentials for the connection
smbldap_add - to precreate the machine account object in the location.

Please let me know if we are doing something fundamentally wrong.

I will be happy to submit the patch to samba group or to anyone who
requires it.

Regards
Raj Pagaku


 -Original Message-
 From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 15, 2007 2:12 PM
 To: Raj Pagaku
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Argument createcomputer does not work in net rpc
join
 
 
 Raj Pagaku wrote:
 
  We are using samba-3.0.25a and we want to join our
  system onto the Active Directory server in a
  specific location.  The argument 'createcomputer'
  is exactly what we want and it works perfectly when we
  do a 'net ads join' but fails when we do a 'net rpc join'.
  The computer object always gets created in the
  'Computers' folder.
 
  Looking at the code it appears that the 'net rpc join'
  doesn't support the 'createcomputer' argument.  Is there a
  specific reason why it isn't supported?  Are there plans to
  support the 'createcomputer' argument in the 'net rpc join'
  command in any future releases?
 
 No.  Net rpc join does not support creating the machine in
 a specific OU.  That is a AD-specific operation.
 
 
 
 
 cheers, jerry
 =
 Samba--- http://www.samba.org
 Centeris ---  http://www.centeris.com
 What man is a man who does not make the world better?  --Balian
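An added example, not the poster's smbldap-based patch and not Samba code, of the same idea done with stock LDAP tools: pre-create the computer object in the OU you want, with the four attributes the post lists (cn, sAMAccountName, objectClass, userAccountControl), so that the subsequent join only has to set the password on an account that already exists in the right place. The OU, host, domain and admin names are made up.

```shell
#!/bin/sh
# Added example (not the poster's smbldap-based patch and not Samba code):
# pre-create the computer object in the OU you want with plain LDAP tools,
# so that a later join binds to an account that already sits in the right
# place.  The OU, host and domain names are made up.

# userAccountControl bits for a pre-created machine account
UF_ACCOUNTDISABLE=2                 # 0x0002
UF_PASSWD_NOTREQD=32                # 0x0020
UF_WORKSTATION_TRUST_ACCOUNT=4096   # 0x1000

# computer_uac [disabled]
# 4128 is the usual value for a pre-created workstation account (trust account,
# no password required yet).  Pass "disabled" to add ACCOUNTDISABLE, which
# closes the window in which the object exists enabled with an empty password.
computer_uac() {
    uac=$((UF_WORKSTATION_TRUST_ACCOUNT + UF_PASSWD_NOTREQD))
    [ "${1:-}" = disabled ] && uac=$((uac + UF_ACCOUNTDISABLE))
    echo "$uac"
}

# computer_ldif OU_DN NETBIOSNAME DNS_DOMAIN [disabled]
# Emits the LDIF for the object.  cn must equal the RDN; sAMAccountName is the
# NetBIOS name plus '$'; AD adds the parent objectClasses of "computer" itself.
# dNSHostName is optional here: an RPC join does not set it, so fill it in now.
computer_ldif() {
    ou=$1; nb=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]'); dom=$3
    fqdn=$(printf '%s.%s' "$2" "$dom" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
dn: CN=$nb,$ou
objectClass: computer
cn: $nb
sAMAccountName: $nb\$
dNSHostName: $fqdn
userAccountControl: $(computer_uac "${4:-}")
EOF
}

# Stand-alone use (needs ldapadd, net and a reachable DC); the admin account
# name and the OU are assumptions:
#   DC=child1-server.child1.ad.wga ADMIN=administrator sh this_script.sh
if [ -n "${DC:-}" ]; then
    computer_ldif "OU=Appliances,DC=child1,DC=ad,DC=wga" WSA29 child1.ad.wga \
      | ldapadd -x -ZZ -H "ldap://$DC" -D "CHILD1\\${ADMIN:-administrator}" -W
    # Join straight away: with 4128 the account is enabled with an empty
    # password until this step sets the real machine password.
    net rpc join -S "$DC" -U "${ADMIN:-administrator}"
fi
```

The caveat a practitioner wants here is the one in the comments: userAccountControl 4128 means PASSWD_NOTREQD, so between pre-creation and the join the object is a live machine account with no password. Either run the join immediately in the same script, or pre-create with the "disabled" variant (4130) and clear ACCOUNTDISABLE as part of the join procedure; whether your join path clears that bit itself is something to confirm against your Samba version, the thread does not say.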


RE: [Samba] Argument createcomputer does not work in net rpc join

2007-08-06 Thread Raj Pagaku
Hello,

Any suggestions or pointers from the folks would be highly appreciated.
I didn't attach smb.conf since this was a generic question.

Thanks in advance.

Regards
Raj Pagaku

 -Original Message-
 From: Raj Pagaku
 Sent: Friday, August 03, 2007 2:45 PM
 To: samba@lists.samba.org
 Subject: [Samba] Argument createcomputer does not work in net rpc join
 
 Hello,
 
 We are using samba-3.0.25a and we want to join our system onto the
 Active Directory server in a specific location.  The argument
 'createcomputer' is exactly what we want and it works perfectly when we
 do a 'net ads join' but fails when we do a 'net rpc join'.  The computer
 object always gets created in the 'Computers' folder.
 
 Looking at the code it appears that the 'net rpc join' doesn't support
 the 'createcomputer' argument.  Is there a specific reason why it isn't
 supported?  Are there plans to support the 'createcomputer' argument in
 the 'net rpc join' command in any future releases?
 
 Thanks
 Raj Pagaku


[Samba] Argument createcomputer does not work in net rpc join

2007-08-03 Thread Raj Pagaku
Hello,

We are using samba-3.0.25a and we want to join our system onto the
Active Directory server in a specific location.  The argument
'createcomputer' is exactly what we want and it works perfectly when we
do a 'net ads join' but fails when we do a 'net rpc join'.  The computer
object always gets created in the 'Computers' folder.

Looking at the code it appears that the 'net rpc join' doesn't support
the 'createcomputer' argument.  Is there a specific reason why it isn't
supported?  Are there plans to support the 'createcomputer' argument in
the 'net rpc join' command in any future releases?

Thanks
Raj Pagaku


RE: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

2006-11-10 Thread Raj Pagaku
Thanks Jerry for your response.  It is case (b).  The fqdn of the local
machine is set to a domain outside the AD domain name and the user
credentials being used are 'Domain User' and not 'Domain Admin'.

Do we need 'Domain Admin' if the local machine domain is outside the AD
domain name?  Is this a restriction that will be addressed in the near
future?

Thanks
Raj

 -Original Message-
 From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
 Sent: Friday, November 10, 2006 10:21 AM
 To: Raj Pagaku
 Cc: Jean-Vincent BAYARRI; samba@lists.samba.org
 Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
 servicePrincipalNames
 
 
 Raj Pagaku wrote:
 
  wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
  olympus's password:
  Using short domain name -- CHILD1
  Failed to set servicePrincipalNames. Please ensure that
  the DNS domain of this server matches the AD domain,
  Or rejoin with using Domain Admin credentials.
  Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
 
 Either (a) the fqdn of the local machine (the one you are joining to
 the domain) is not set correctly or (b) is set to a domain
 outside the AD domain name and you are not a domain admin.
 
 
 
 
 cheers, jerry


RE: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

2006-11-10 Thread Raj Pagaku
Thanks Jerry for your response as well as the useful link to the
reference article.

Once I delegated the following permissions for the specific 'Domain
User' on the 'Computer Objects' on my AD server, I was able to join the
Samba system to the domain.

Permissions Delegated via the 'Delegation Control Wizard':
1 Allow 'Write DNS Host Name Attributes' property
2 Allow 'Write Service Principal Name' property

I am sharing the steps I performed on my Windows 2003 AD server for
benefit of others:

* Invoke the 'Delegate Control Wizard' for the 'Computers'
* Add the specific 'Domain User' to the 'Selected users and groups'.
* Create a custom task to delegate.
* Select the 'Computer Objects'
* Select the 'Property-Specific'. Then select the 'Write dNSHostName'
and the 'Write servicePrincipalName'
* Finish your task

If there are any known side-effects of delegating these permissions,
please let me know.

Thanks
Raj Pagaku

 -Original Message-
 From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
 Sent: Friday, November 10, 2006 11:16 AM
 To: Raj Pagaku
 Cc: Jean-Vincent BAYARRI; samba@lists.samba.org
 Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
 servicePrincipalNames
 
 
 Raj Pagaku wrote:
  Thanks Jerry for your response.  It is case (b).  The fqdn of the local
  machine is set to a domain outside the AD domain name and the user
  credentials being used is 'Domain User' and not a 'Domain Admin'.
 
  Do we need 'Domain Admin' if the local machine domain is outside the AD
  domain name?  Is this a restriction that will be addressed in the near
  future?
 
 This is an AD restriction on the default security assigned
 to a computer object.  When a non-admin is given the right
 to join a specific machine to the domain, that user is only
 granted validated write access to the DnsHostName and
 servicePrincipalName attributes.  A Windows XP box would fail
 to join the domain in the same way.
 
 This doc explains it:
 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
 
 
 
 
 
 
 cheers, jerry
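An added example (not from the thread and not Samba code) that turns Jerry's explanation into a pre-join check. The rule it encodes is the AD one he describes: a non-admin account that is allowed to join a machine gets only validated writes to dNSHostName and servicePrincipalName, and a validated write to dNSHostName only accepts a value whose DNS suffix is the domain's own DNS name. So a host named wsa29.wga joining CHILD1.AD.WGA fails exactly as shown above, while wsa29.child1.ad.wga would not. The SPN values listed are the ones a Samba ADS join registers, HOST/<fqdn> and HOST/<NETBIOS>; the realm and host names are the thread's, the DC and bind variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: predict, before running
# 'net ads join' as a non-admin, whether the attribute writes the join performs
# stay inside what a "validated write" allows.  The rule encoded here is the
# AD one described in the thread: a non-admin join account gets validated
# writes to dNSHostName and servicePrincipalName, and a validated write on
# dNSHostName only accepts a value that ends in the domain's DNS name.

# join_writes REALM FQDN NETBIOSNAME
# Prints the attribute values a Samba ADS join sets on the computer object:
# dNSHostName = host FQDN, servicePrincipalName = HOST/<fqdn> and HOST/<NETBIOS>.
join_writes() {
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    nb=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    printf 'dNSHostName: %s\n' "$fqdn"
    printf 'servicePrincipalName: HOST/%s\n' "$fqdn"
    printf 'servicePrincipalName: HOST/%s\n' "$nb"
}

# join_precheck REALM FQDN NETBIOSNAME
# Returns 0 when FQDN lies under REALM's DNS name (the validated write will be
# accepted), 1 otherwise (the join needs an account with explicit Write
# Property on dNSHostName and servicePrincipalName, or a Domain Admin).
join_precheck() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    join_writes "$1" "$2" "$3"
    case "$fqdn" in
        *".$realm")
            echo "dns suffix: $fqdn is under $realm (validated write suffices)"
            return 0 ;;
        *)
            echo "dns suffix: $fqdn is outside $realm (delegate Write dNSHostName and Write servicePrincipalName on computer objects, or join as a Domain Admin)"
            return 1 ;;
    esac
}

# Stand-alone use: check the live host, and after a join read back what
# actually landed on the object (needs ldapsearch and a reachable DC).
# DC, REALM, BIND_USER and BASE_DN are assumptions supplied by the caller.
if [ -n "${DC:-}" ]; then
    join_precheck "${REALM:-CHILD1.AD.WGA}" "$(hostname -f)" "$(hostname -s)" || :
    ldapsearch -x -ZZ -H "ldap://$DC" -D "${BIND_USER:?}" -W -b "${BASE_DN:?}" \
        "(sAMAccountName=$(hostname -s | tr '[:lower:]' '[:upper:]')\$)" \
        dNSHostName servicePrincipalName userAccountControl
fi
```

On the side effects asked about above: delegating "Write dNSHostName" and "Write servicePrincipalName" on computer objects, as in the wizard steps, is broader than a validated write, because the delegated account can then put any suffix in dNSHostName and register any SPN on any computer object in that container, which is what lets a host named outside the domain join. Scoping the delegation to the specific OU (or object) rather than the whole Computers container keeps that to the machines it is meant for. Where the DC supports it, adding the extra suffix to the domain's msDS-AllowedDNSSuffixes attribute is the narrower alternative, since it keeps the validated write in force while permitting that one suffix; the thread does not cover that option, so treat it as a pointer to check against your DC version.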


RE: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

2006-11-08 Thread Raj Pagaku
I tried the suggested solution and I still run into the same issue (further 
searching in the Samba list led me to another thread where the same solution 
was proposed; I don't know whether that worked for the thread originator).

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

After I execute the above command, I see that my system is listed in the AD 
server 'Computer' list but has a red 'x' symbol to indicate that it is disabled.

However if I execute the command 'net ads status -s /etc/samba/smb.conf 
-Uolympus' after the 'net ads join' command, I am able to retrieve status 
information properly.

-Raj

 -Original Message-
 From: Jean-Vincent BAYARRI [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 08, 2006 12:22 AM
 To: Raj Pagaku
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set
 servicePrincipalNames
 
 Hi,
 
 I also run FreeBSD 6.1 (and also experience a lot of trouble with
 version 3.0.23c...)
 
 For your problem you should check your /etc/hosts.
 It must have the CHILD1.AD.WGA as fqdn for your IP like this:
 
 xxx.xxx.xxx.xxx   CHILD1.AD.WGA   CHILD1 alias1 alias2 ... aliasN
 
 On Tue, Nov 07, 2006 at 02:56:29PM -0800, Raj Pagaku wrote:
  Hello,
 
  We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
  system and the AD belong to the same domain, I am able to perform a 'net
  ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
  credential.
 
  However if the Samba system and the AD belong to different domain, I can
  perform the 'net ads join' by supplying a 'Domain Admins' credential but
  not a user belonging to 'Domain Users'.  If the user belongs only to the
  'Domain Users', I get the 'Failed to set servicePrincipalNames' error.
 
  Samba System domain = WGA
  AD Server domain = CHILD1.AD.WGA
 
  wsa29:] winbindd -V
  Version 3.0.23c
 
  wsa29:] hostname
  wsa29.wga
 
  wsa29:] klist
  Credentials cache: FILE:/tmp/krb5cc_0
  Principal: [EMAIL PROTECTED]
 
Issued   Expires  Principal
  Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/[EMAIL PROTECTED]
  Nov  7 14:32:07  Nov  8 00:31:19  [EMAIL PROTECTED]
 
  wsa29:] cat smb.conf
  [global]
 workgroup = CHILD1
 server string = Samba Server
 load printers = yes
 log file = /var/log/samba.log.%m
 lock directory = /var/run/locks
 pid directory = /var/run/locks
 max log size = 100
 security = ads
 password server = child1-server.child1.ad.wga
 realm = CHILD1.AD.WGA
 encrypt passwords = yes
 smb passwd file = /usr/local/samba/lib/smbpasswd
 socket options = TCP_NODELAY
 dns proxy = no
 winbind uid = 1-2
 winbind gid = 1-2
 winbind enum users = yes
 winbind enum groups = yes
 
  wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
  administrator's password:
  Using short domain name -- CHILD1
  Joined 'WSA29' to realm 'CHILD1.AD.WGA'
 
  wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
  olympus's password:
  Using short domain name -- CHILD1
  Failed to set servicePrincipalNames. Please ensure that
  the DNS domain of this server matches the AD domain,
  Or rejoin with using Domain Admin credentials.
  Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'
 
  Here the user 'administrator' belongs to 'Domain Admins' and the user
  'olympus' belongs to 'Domain Users'.
 
  Shouldn't I be able to use a 'Domain Users' account to perform the 'net
  ads join' operation in 3.0.23c? Or is this restricted to both Samba
  system and AD server being on the same domain?
 
  Thanks in advance
 
  -Raj
 
 --
 Jean-Vincent BAYARRI, systems and network engineer
 Service Informatique, Laboratoire Central des Ponts et Chaussées
 58, boulevard Lefebvre 75732 PARIS CEDEX 15
 Tel 01 40 43 51 70   Fax 01 56 56 16 99


[Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames

2006-11-07 Thread Raj Pagaku
Hello,

We recently upgraded to the latest Samba3 version v3.0.23c. If the Samba
system and the AD belong to the same domain, I am able to perform a 'net
ads join' by supplying either a 'Domain Admins' or a 'Domain Users'
credential.

However if the Samba system and the AD belong to different domain, I can
perform the 'net ads join' by supplying a 'Domain Admins' credential but
not a user belonging to 'Domain Users'.  If the user belongs only to the
'Domain Users', I get the 'Failed to set servicePrincipalNames' error.

Samba System domain = WGA
AD Server domain = CHILD1.AD.WGA

wsa29:] winbindd -V
Version 3.0.23c

wsa29:] hostname
wsa29.wga

wsa29:] klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]

  Issued   Expires  Principal
Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/[EMAIL PROTECTED]
Nov  7 14:32:07  Nov  8 00:31:19  [EMAIL PROTECTED]

wsa29:] cat smb.conf
[global]
   workgroup = CHILD1
   server string = Samba Server
   load printers = yes
   log file = /var/log/samba.log.%m
   lock directory = /var/run/locks
   pid directory = /var/run/locks
   max log size = 100
   security = ads
   password server = child1-server.child1.ad.wga
   realm = CHILD1.AD.WGA
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd
   socket options = TCP_NODELAY
   dns proxy = no
   winbind uid = 1-2
   winbind gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes

wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
administrator's password:
Using short domain name -- CHILD1
Joined 'WSA29' to realm 'CHILD1.AD.WGA'

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

Here the user 'administrator' belongs to 'Domain Admins' and the user
'olympus' belongs to 'Domain Users'.

Shouldn't I be able to use a 'Domain Users' account to perform the 'net
ads join' operation in 3.0.23c? Or is this restricted to both Samba
system and AD server being on the same domain?

Thanks in advance

-Raj