HP CIFS Server "net ads join" with Minimum User Permissions
Chapter 5 Unexpected Behavior
Scenarios 1 and 2 allow a common user to join the domain from the CIFS/Samba command line using
“net ads join”. However, the same user, with the same permissions, cannot leave the domain with
“net ads leave”:
rmonster->net ads leave -U darla
Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
rmonster->
Recall that the permission set assigned to the user darla for the Computer container did not
include “Delete Computer Objects”. That does not matter: even with it selected, darla cannot
leave the domain.
In addition, executing “net ads leave” as Administrator produces the same result:
rmonster->net ads leave -U administrator
Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
rmonster->
Administrator has full control, but still cannot leave the domain.
Other net commands that do not work are:
• Leave
• User add
• Group add
• Password
Other net commands that do work with minimal permissions are:
• Testjoin
• User delete
• Group delete
• Info
• Status
• Lookup
• Search
• Dn
• Keytab
• Printer
Observe the warning text in a prior join to the domain:
rmonster->net ads join -U darla
darla's password:
[2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- SNSLATC
Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
rmonster->