Normally with "net offlinejoin" you create a machine account on any machine inside the domain, copy the savefile to the new client and then join the client as local administrator. When I try to create the savefile and add the machine account to the domain I get the following error:

---------------
root@client01:~# net offlinejoin provision -U administrator%Passw0rd domain=example.net machine_name=win11b savefile=provisioning.txt
ads_print_error: AD LDAP ERROR: 19 (Constraint violation): 0000202F: samldb: spn[HOST/client01.example.net] would cause a conflict
Failed to provision computer account: Invalid configuration ("netbios name" set to 'CLIENT01', should be 'win11b') and configuration modification was not requested
---------------

So "net offlinejoin" expected the hostname of the client I'm executing the command on, and not any new name of a client I want to join. I tested it with:

----------------
root@client01:~# net offlinejoin provision -U administrator%Passw0rd domain=example.net machine_name=client01 savefile=provisioning.txt
Successfully provisioned computer 'client01' in domain 'example.net'
----------------

Here you see that now the account will be created (but it is already there) and the savefile will be created too. On any Windows client, logged in as domain administrator, I can do:

-----------
H:\>djoin /provision /domain example.net /machine win11a /savefile win1a.txt
-----------

And it works. I choose a new client name and NOT the name of the client I'm working on. It makes absolutely no sense at all to do an offlinejoin on the client I would like to join.

One more thing. The manpage is wrong:

--------------------
SAVEFILE is an optional parameter to store the generated provisioning data on disk.
--------------------

The SAVEFILE must be required, because the file will be copied to the new client and then used to join the client as local administrator.
(In reply to Stefan Kania from comment #0)

> ads_print_error: AD LDAP ERROR: 19 (Constraint violation): 0000202F: samldb: spn[HOST/client01.example.net] would cause a conflict

This is part of some security hardening we did for Samba 4.15.2 (https://bugzilla.samba.org/show_bug.cgi?id=14564). I'm not familiar enough with 'net offlinejoin' to give a proper answer to the problem though.
I can reproduce it now, and that hostname "client" is certainly not supposed to be added as part of one of the SPNs. This is a regression: if you revert commit 0e96092c1895ecb41d4064111566b4ada71fe457 it will work again. I'll look into providing a fix soon.
This bug was referenced in samba master: f02a4002d5c3cfcd7f36b3bcf13310ffd155de90 6d4ad4d6824e81ef85dd924d550222dd6a322a15 062dc07e9b9c8e260548d0bca4d02819bdc60326
Created attachment 18545: patch from master for v4-21-test
No other backports required; the issue exists only in the v4-21 branch.
Comment on attachment 18545 (patch from master for v4-21-test): lgtm
Jule, please apply the patch to 4.21. Thanks!
Pushed to autobuild-v4-21-test.
This bug was referenced in samba v4-21-test: 33edcf2cadb92a19c8e3a99effca178617f114da 6e4c35f800764bd633d50724c57aedb72ba99f33 512514bbae46f668e075b52af4f87bfcc148042b
Closing out bug report. Thanks!
This bug was referenced in samba v4-21-stable (Release samba-4.21.4): 33edcf2cadb92a19c8e3a99effca178617f114da 6e4c35f800764bd633d50724c57aedb72ba99f33 512514bbae46f668e075b52af4f87bfcc148042b