HP CIFS Server “net ads join” with Minimum User Permissions
Version 1.01, Sept 2005, First Edition
SNSL Advanced Technology Center
E0300
Printed in: U.S.A.
Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty.
Chapter 1 Introduction

Adding an HP CIFS Server based upon Samba 3.0 and later to a Windows Active Directory using “net ads join” usually requires Administrator access to the Active Directory. With Samba, this requires appending the Administrator user to the command line and supplying the Administrator password at the prompt, like this:

    rmonster->net ads join -U administrator
    administrator's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.
Chapter 2 Initial Symptoms and Windows Management

A successful “net ads join” to the domain using the administrator user looks like this:

    rmonster->net ads join -U administrator
    administrator's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The purpose of these operations is to successfully join the Windows 2003 domain without using administrator rights.
All subsequent operations will start from the ADUC Advanced Features MMC.
Chapter 3 Add and Join Using “net ads join”

For Scenario 1 the next step is to assign the minimum rights for Darla to add and join the CIFS/Samba computer object to the Active Directory using “net ads join”. This sequence is appropriate for the case when the Active Directory schema is mostly the standard default design, and Samba can determine what container the new computer object will be added to.
3. Click Add, and add the user Darla.
4. Click OK.
5. Ensure that darla is highlighted, then click Edit.
6. First click “Clear All” to remove the default permissions. Then scroll down and find “Create Computer Objects.” Select the Allow box for “Create Computer Objects”, and click OK. Continue clicking OK on the MMC panes until only the parent ADUC screen remains.
3.2 At the CIFS/Samba Command Line

Now execute “net ads join -U darla”. Darla is an ordinary user with only the special privilege of “Create Computer Objects” for the Active Directory Computers container:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
      Warning: ads_set_machine_sd: Unexpected information received
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The join succeeds.
Chapter 4 Add Using Windows MMC, Join Using “net ads join” at the HP-UX Command Line

For Scenario 2 the next step is to assign the minimum rights for Darla to join the CIFS/Samba computer object to the Active Directory using “net ads join”, but the Windows Administrator will actually add the computer object to the domain using the Users and Computers MMC.
4.1 Operation at the AD Users & Computers MMC

1. Right click the new computer object and select Properties.
2. Select Advanced.
3. Add the new user to the Permission entries, and then select Edit.
4. Click “Full Control” Allow. This will select all of the permissions for the user. We will edit out the unnecessary entries in the next steps.
5. Click Full Control again to clear only it, then clear the other entries shown in the display (Full Control, Create All Child Objects, Delete All Child Objects). Then scroll the display down.
6. Clear the remaining permissions as shown above, leaving the bottom 7 selected as shown. Click OK on the MMC panes until only the parent ADUC screen remains.
4.2 At the CIFS/Samba Command Line

Now the new CIFS/Samba computer object has been added to the domain with the MMC. The user darla has been added to the object and has been assigned the minimum permission set to join at the command line. Execute “net ads join -U darla”:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 08:46:57, 0] libads/ldap.
Chapter 5 Unexpected Behavior

Scenarios 1 and 2 allow a common user to join the domain from the CIFS/Samba command line using “net ads join”. However, this same user with the same permissions cannot leave the domain with a “net ads leave”:

    rmonster->net ads leave -U darla
    Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
    rmonster->

Recalling the permission set that was assigned to the user darla for the Computer container, we did not select “Delete Computer Objects”.
The warning is reporting that the data for the directory attribute ntSecurityDescriptor was not correctly processed. Samba tests for this condition and correctly assumes that the user does not have the rights required by Windows to process the attribute ntSecurityDescriptor. The attribute is not critical for Samba, so the warning is logged and the addition of the object is completed.
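The following script is an added example, not part of the HP document or of Samba itself. It parses Samba 3.x debug records of the form shown above (timestamp, debug level, source file, function and line, then the message) and summarizes a “net ads join” or “net ads leave” transcript: whether the join completed, which realm it joined, whether the ads_set_machine_sd warning (the failed write of nTSecurityDescriptor) appeared, and whether a leave failed. The sample transcripts are constructed from the document's output; the function and variable names are the example's own.

```python
import re
from datetime import datetime

# Samba 3.x debug-record header, e.g.
#   [2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
# The message text normally follows on the next (indented) line; some
# builds print it on the same line, so both layouts are handled.
SAMBA_HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<srcline>\d+)\)\s*(?P<msg>.*)$"
)
JOINED = re.compile(r"Joined '(?P<host>[^']+)' to realm '(?P<realm>[^']+)'")
LEAVE_FAILED = re.compile(
    r"Failed to delete host '(?P<host>[^']+)' from the '(?P<realm>[^']+)' realm"
)


def parse_samba_log(text):
    """Return one dict per Samba debug record found in text."""
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        m = SAMBA_HEADER.search(lines[i])
        i += 1
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
        rec["level"] = int(rec["level"])
        rec["srcline"] = int(rec["srcline"])
        # Message sits on the following indented line when the header has none.
        if not rec["msg"] and i < len(lines) and lines[i].startswith(" "):
            rec["msg"] = lines[i].strip()
            i += 1
        records.append(rec)
    return records


def summarize_net_ads(transcript):
    """Summarize a 'net ads join' / 'net ads leave' transcript for an operator."""
    records = parse_samba_log(transcript)
    joined = JOINED.search(transcript)
    leave_failed = LEAVE_FAILED.search(transcript)
    return {
        "joined": joined is not None,
        "realm": joined.group("realm") if joined else None,
        "leave_failed": leave_failed is not None,
        # True when the join could not write nTSecurityDescriptor: the joining
        # account lacked the rights for that attribute, but the join went on.
        "sd_warning": any("ads_set_machine_sd" in r["msg"] for r in records),
        "warnings": [r["msg"] for r in records if r["msg"].startswith("Warning")],
    }


# Constructed sample transcripts, modelled on the document's output.
JOIN_AS_DARLA = """\
rmonster->net ads join -U darla
darla's password:
[2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
  Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- SNSLATC
Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
"""

LEAVE_AS_DARLA = """\
rmonster->net ads leave -U darla
Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
"""

if __name__ == "__main__":
    for name, transcript in (("join", JOIN_AS_DARLA), ("leave", LEAVE_AS_DARLA)):
        print(name, summarize_net_ads(transcript))
```

Run against the join transcript the summary reports a completed join into SNSLATC.HP.COM with the ads_set_machine_sd warning set, which is exactly the expected outcome for a user delegated only “Create Computer Objects”; a join by a user who also holds the rights for nTSecurityDescriptor produces the same summary without the warning.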
    rmonster->net ads status -U administrator
    administrator's password:
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: rmonster
    distinguishedName: CN=rmonster,CN=Computers,DC=snslatc,DC=hp,DC=com
    instanceType: 4
    whenCreated: 20050914151517.0Z
    whenChanged: 20050914154659.0Z
    uSNCreated: 906012
    uSNChanged: 906023
    name: rmonster
    objectGUID: 8cdaf0ac-c707-4524-98e9-28a335143cb3
    userAccountControl: 4128
    badPwdCount: 0
    . . . .
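As an added example (not from the HP document or from Samba), the script below parses “net ads status” output of the shape shown above into attribute lists, reports which container the computer object landed in, and decodes the userAccountControl value into its named bits. The bit names are the ones Microsoft documents for userAccountControl; the sample output is constructed from the document's listing, and the function names are the example's own.

```python
import re
from datetime import datetime

# One "name: value" line of net ads status output; prompt and password
# lines (which contain "->" or an apostrophe before the colon) never match.
ATTR_LINE = re.compile(r"^(?P<name>[A-Za-z][\w-]*): ?(?P<value>.*)$")

# userAccountControl bits as documented by Microsoft; only the bits that
# matter when reading a computer object are listed here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}


def parse_net_ads_status(text):
    """Map attribute name -> list of values (multi-valued attributes repeat)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs.setdefault(m["name"], []).append(m["value"])
    return attrs


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parent_container(dn):
    """Strip the leading RDN: CN=rmonster,CN=Computers,DC=... -> CN=Computers,DC=..."""
    return dn.split(",", 1)[1]


def computer_summary(text):
    """Pull the fields an administrator checks after a delegated join."""
    attrs = parse_net_ads_status(text)
    dn = attrs["distinguishedName"][0]
    uac = int(attrs["userAccountControl"][0])
    return {
        "name": attrs["name"][0],
        "dn": dn,
        "container": parent_container(dn),
        "is_computer": "computer" in attrs["objectClass"],
        "uac": uac,
        "uac_flags": decode_uac(uac),
        # AD generalized time, e.g. 20050914151517.0Z (UTC)
        "created": datetime.strptime(attrs["whenCreated"][0], "%Y%m%d%H%M%S.0Z"),
        "bad_pwd_count": int(attrs["badPwdCount"][0]),
    }


# Constructed sample, modelled on the document's net ads status listing.
STATUS_OUTPUT = """\
rmonster->net ads status -U administrator
administrator's password:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: rmonster
distinguishedName: CN=rmonster,CN=Computers,DC=snslatc,DC=hp,DC=com
instanceType: 4
whenCreated: 20050914151517.0Z
whenChanged: 20050914154659.0Z
uSNCreated: 906012
uSNChanged: 906023
name: rmonster
objectGUID: 8cdaf0ac-c707-4524-98e9-28a335143cb3
userAccountControl: 4128
badPwdCount: 0
"""

if __name__ == "__main__":
    for key, value in computer_summary(STATUS_OUTPUT).items():
        print(f"{key}: {value}")
```

For the listing above the object sits in CN=Computers (the default container Samba chose in Scenario 1), and userAccountControl 4128 decodes to PASSWD_NOTREQD plus WORKSTATION_TRUST_ACCOUNT, i.e. a normal workstation trust account; checking these two fields after a delegated join confirms that the restricted user created the object where and how the administrator-driven join would have.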