Bug 7614 - non-admin domain join always fails (libnet)
Summary: non-admin domain join always fails (libnet)
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2010-08-11 06:06 UTC by Samjam
Modified: 2010-10-31 13:50 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Samjam 2010-08-11 06:06:45 UTC
this relates to your commit: 26fde8dee17b02eb064c6410d781709094ce5160

the additional servicePrincipalNames cause samba4 to fail to join a domain with a non-admin account because of these lines in libnet_join.c:

                service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s", dns_host_name);
                service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s", strlower_talloc(tmp_ctx, r->in.netbios_name));
                service_principal_name[2] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, realm);
                service_principal_name[3] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
                service_principal_name[4] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, r->out.domain_name);
                service_principal_name[5] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), r->out.domain_name);

The first two lines are normal (compared to a windows XP client - although windows has the word "host" uppercase, and the netbios name also upper case).

Some (or all) of the additional lines committed in 26fde8dee17b02eb064c6410d781709094ce5160 cause this LDAP error when the account is provisioned by a non-admin account:

Constrant Violation: Error Message: 0000200B: AtrErr: DSID-03153F70, #1:\x0a\x090: 0000200B: DSID-03153F70, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)\x0a

A non-admin account might be used to join a domain for at least these reasons:
1. it is default policy for domains that non-admin users can join up to 10 accounts (http://support.microsoft.com/?id=251335)
2. if a machine account is pre-created, it is possible to specify the user account that can join the machine to the domain (and this can be a non-admin account - even the machine account itself, if a password is assigned).

Is there a good reason to try and add these for non-bdc accounts given the consequences here? (I guess it is fair to say that admin privs should be needed when adding a BDC)
Comment 1 Matthias Dieter Wallnöfer 2010-09-11 13:20:24 UTC
> The first two lines are normal (compared to a windows XP client - although
> windows has the word "host" uppercase, and the netbios name also upper case).

Yeah, but please keep in mind that s4 in most cases will run as a DC - therefore it would be good to double-check this against a Windows Server OS.
Comment 2 Matthias Dieter Wallnöfer 2010-10-31 12:57:36 UTC
Well, I've done some work on the "servicePrincipalName"s. Probably we could now drop the last four lines since these are now handled by the "samba_spnupdate" script. Any thoughts?
Comment 3 Matthias Dieter Wallnöfer 2010-10-31 13:50:09 UTC
I've checked this some more and found out that there should only be added the two default (generic) SPNs: "HOST/<NETBIOS name>" and "HOST/<DNS name>".
This is required since we are here in the standard domain join code and don't know yet if we end up in a DC or a member server. If we become a DC, then we have our "samba_spnupdate" script which will add the other SPNs. So we are always fine.

I've written a patch which will shortly land in "master".