Bug 2420 - Enable "net ads join" to override userAccountControl attribute
Summary: Enable "net ads join" to override userAccountControl attribute
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.9
Hardware: All Windows 2000
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-03-04 12:38 UTC by David
Modified: 2006-07-05 13:09 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description David 2005-03-04 12:38:37 UTC
If a new machine account is created using either the W2K or W2K3 GUI, the 
userAccountControl attribute for the particular machine is always 4128.  The 
userAccountControl value without the UF_USE_DES_KEY_ONLY (0x200000) flag would 
cause KDC to vent RC4-HMAC tickets for this particular machine account.  This 
is problematic for Samba built and run without a RC4-HMAC capable KRB5 client.  

Based on the code, even the "net ads join" did not override userAccountControl 
if the machine account already exists.  The net command was built without RC4-
HMAC, thus it always set the UF_USE_DES_KEY_ONLY (0x200000) flag for new 
machine account.  "net ads join" should by default or by command line option to 
override userAccountControl value.

There are always workarounds for this problem, but getting it fixed will make 
everyone's job easier.
Comment 1 David 2005-03-04 15:29:29 UTC
The following is the patch (against 3.0.11) of what the code should do if the 
machine account exists.  It is only for building Samba with KRB5 client lib 
that does not have RC4-HMAC support.


        if (!exists) {
                ads_mod_str(ctx, &mods, "cn", machine_name);
                ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
                ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
                ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
<       } else {
<                 /* The machine accounts created using Windows GUI do not have
<                  * the UF_USE_DES_KEY_ONLY flag set, this behavior causes 
<                  * to decrypt error for non-RC4-HAMC supported KRB5 clients.
<                  * Update userAccountControl with UF_USE_DES_KEY_ONLY required
<                  * only if ENCTYPE_ARCFOUR_HMAC is not defined.
<                  */
<                 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
< #endif


        ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn);
        ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-07-05 13:09:12 UTC
code has been rewritten and fixes problem.