HP CIFS Server "net ads join" with Minimum User Permissions
Chapter 1 Introduction
Adding an HP CIFS Server based upon Samba 3.0 and later to a Windows Active Directory using “net ads
join” usually requires Administrator access to the Active Directory. With Samba, this requires appending
the Administrator user to the command line and supplying the Administrator password at the prompt, like
this:
rmonster->net ads join -U administrator
administrator's password:
Using short domain name -- SNSLATC
Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
rmonster->
Large enterprises often separate Unix and Windows administration groups, so that Administrator rights
and permissions are not available to the Unix admin who would be executing Samba net commands at
the command line.
Therefore, HP CIFS Server and Samba administrators can benefit from knowing the minimum user rights
and permissions (non-Administrator) for adding computers to an Active Directory domain. These
permissions are required for two different scenarios:
1. An HP-UX administrator will add a CIFS/Samba computer to the Active Directory and join it to
the domain from the HP-UX command line with the “net ads join -U username” command.
2. A Windows administrator will add a CIFS/Samba computer to the Active Directory using the
Active Directory Users and Computers Microsoft Management Console (MMC), and then an HP-UX
administrator will join it to the domain using the “net ads join -U username” command.
These scenarios each require a different approach and different process to accomplish the same
objective: add the computer with the absolute minimum set of user permissions. Both scenarios will be
detailed with Windows MMC screenshots and CIFS/Samba command line sequences.
Warning: Although joining the domain can be accomplished without administrator rights and privileges,
leaving the domain cannot. After joining with these methods, the “net ads leave -U username”
command will not work, even with administrator specified as the user. The Computer object must be
deleted using the Windows Users and Computers MMC.
All tests were performed using the following versions:
• Windows Server 2003 Enterprise Edition
  ◦ All security updates, but *not* SP1
• HP CIFS Server A.02.01.01 based upon Samba 3.0.7 with some backports
• Windows XP SP2 Client with all security updates (for correct authentication tests)