Index: samba4-4.1.0rc3/python/samba/join.py =================================================================== --- samba4-4.1.0rc3.orig/python/samba/join.py 2013-09-06 11:39:57.000000000 +0200 +++ samba4-4.1.0rc3/python/samba/join.py 2013-09-12 19:39:57.811534315 +0200 @@ -606,15 +606,18 @@ "DNSNAME" : ctx.dnshostname})) for changetype, msg in recs: assert changetype == ldb.CHANGETYPE_NONE + dns_acct_dn = msg["dn"] print "Adding DNS account %s with dns/ SPN" % msg["dn"] # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP) del msg["clearTextPassword"] # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP del msg["isCriticalSystemObject"] + # Disable account until password is set + msg["userAccountControl"] = str(samba.dsdb.UF_NORMAL_ACCOUNT | + samba.dsdb.UF_ACCOUNTDISABLE) try: ctx.samdb.add(msg) - dns_acct_dn = msg["dn"] except ldb.LdbError, (num, _): if num != ldb.ERR_ENTRY_ALREADY_EXISTS: raise @@ -624,7 +627,7 @@ # connections which are hard to set up and otherwise refuse with # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet # over SAMR. - print "Setting account password for %s" % ctx.samname + print "Setting account password for dns-%s" % ctx.myname try: ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))" % ldb.binary_encode(ctx.myname), @@ -633,8 +636,8 @@ username=ctx.samname) except ldb.LdbError, (num, _): if num != ldb.ERR_UNWILLING_TO_PERFORM: - pass - ctx.net.set_password(account_name="dns-" % ctx.myname, + raise + ctx.net.set_password(account_name="dns-%s" % ctx.myname, domain_name=ctx.domain_name, newpassword=ctx.dnspass)