HP CIFS Server "net ads join" with Minimum User Permissions

The warning is reporting that the data for the directory attribute ntSecurityDescriptor was not correctly
processed. Samba tests for this condition and correctly assumes that the user does not have the rights
required by Windows to process the attribute ntSecurityDescriptor. The attribute is not critical for
Samba, so the warning is logged and the addition of the object is completed. The right the user needs
to satisfy the Windows requirement for ntSecurityDescriptor is membership in the Administrators group.
Since this is the exact privilege level that must be avoided for adding a directory object with minimum
rights, this Windows requirement cannot be met. See the Microsoft Windows article “Problems Accessing
the ntSecurityDescriptor property by using the ADSI LDAP provider” (was Q-article Q323749).
A “net ads status -U darla” will show the expected CIFS/Samba server directory attributes, but will
truncate prior to the Security Descriptor listing, as shown below:
rmonster->net ads status -U darla
darla's password:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: rmonster
distinguishedName: CN=rmonster,CN=Computers,DC=snslatc,DC=hp,DC=com
instanceType: 4
whenCreated: 20050914151517.0Z
whenChanged: 20050914154659.0Z
uSNCreated: 906012
uSNChanged: 906023
name: rmonster
objectGUID: 8cdaf0ac-c707-4524-98e9-28a335143cb3
userAccountControl: 4128
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 127711872753593750
localPolicyFlags: 0
pwdLastSet: 127711864189375000
primaryGroupID: 515
objectSid: S-1-5-21-515967899-1275210071-1801674531-1278
accountExpires: 9223372036854775807
logonCount: 67
sAMAccountName: RMONSTER$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 3.0.7 based HP CIFS Server A.02.01.01
dNSHostName: rmonster.snslatc.hp.com
userPrincipalName: HOST/rmonster@SNSLATC.HP.COM
servicePrincipalName: CIFS/rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster
servicePrincipalName: HOST/rmonster.snslatc.hp.com
servicePrincipalName: HOST/rmonster
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=snslatc,DC=hp,DC=com
isCriticalSystemObject: FALSE
rmonster->
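A saved listing like the one above can be checked mechanically. The following is an added example, not part of the HP document: it parses "net ads status" output, reports whether a security descriptor section was returned, and decodes userAccountControl and pwdLastSet. The function names are hypothetical, and it assumes the full (administrator) listing contains a line naming the security descriptor.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a few attribute lines copied from the listing above.
SAMPLE = """\
userAccountControl: 4128
pwdLastSet: 127711864189375000
servicePrincipalName: CIFS/rmonster
servicePrincipalName: HOST/rmonster
"""

# userAccountControl bits as documented by Microsoft (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
}
NEVER = 0x7FFFFFFFFFFFFFFF  # FILETIME value meaning "never"

def parse_status(text):
    """Return (attrs, has_sd): multi-valued attribute dict and SD-section flag."""
    attrs, has_sd = {}, False
    for line in text.splitlines():
        # Assumption: the full listing names the descriptor somewhere on a line.
        if "securitydescriptor" in line.replace(" ", "").lower():
            has_sd = True
        name, sep, value = line.partition(": ")
        if sep and " " not in name:  # skips the shell prompt and password prompt
            attrs.setdefault(name, []).append(value.strip())
    return attrs, has_sd

def uac_flags(value):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_utc(ticks):
    """100 ns intervals since 1601-01-01 UTC; 0 and NEVER mean unset/never."""
    if ticks in (0, NEVER):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def summarize(text):
    attrs, has_sd = parse_status(text)
    return {
        "security_descriptor_listed": has_sd,
        "uac": uac_flags(int(attrs["userAccountControl"][0])),
        "pwdLastSet": filetime_to_utc(int(attrs["pwdLastSet"][0])),
        "spns": attrs.get("servicePrincipalName", []),
    }

print(summarize(SAMPLE))
```

For the listing above, the decoded pwdLastSet falls within one second of the whenChanged value, which confirms the machine password was set during the join.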
An example of a typical “net ads status -U administrator” listing is shown for comparison: