
HP CIFS Server net ads join with Minimum User Permissions

Version 1.01 Sept, 2005

First Edition

SNSL Advanced Technology Center

E0300 Printed in: U.S.A. Copyright 2005 Hewlett-Packard Company

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office. Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies. Hewlett-Packard Company 19420 Homestead Road Cupertino, California 95014 U.S.A. Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations, is expressly prohibited. Copyright Notices copyright 1983-2005 Hewlett-Packard Company, all rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws. copyright 1979, 1980, 1983, 1985-96, 2000 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the regents of the University of California. copyright 1986-2003 Microsoft, Inc.

Contents
- HP CIFS Server net ads join with Minimum User Permissions
- Legal Notices
- Chapter 1 Introduction
- Chapter 2 Initial Symptoms and Windows Management
  - 2.1 AD Users and Computers MMC
- Chapter 3 Add and Join Using net ads join
  - 3.1 Operation at the AD Users & Computers MMC
  - 3.2 At the CIFS/Samba Command Line
- Chapter 4 Add Using Windows MMC, Join Using net ads join at the HP-UX Command Line
  - 4.1 Operation at the AD Users & Computers MMC
  - 4.2 At the CIFS/Samba Command Line
- Chapter 5 Unexpected Behavior

Chapter 1

Introduction

Adding an HP CIFS Server based upon Samba 3.0 and later to a Windows Active Directory using net ads join usually requires Administrator access to the Active Directory. With Samba, this requires appending the Administrator user to the command line and supplying the Administrator password at the prompt, like this:
    rmonster->net ads join -U administrator
    administrator's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

Large enterprises often separate Unix and Windows administration groups, so that Administrator rights and permissions are not available to the Unix admin who would be executing Samba net commands at the command line. Therefore, HP CIFS Server and Samba administrators can benefit from knowing the minimum (non-Administrator) user rights and permissions for adding computers to an Active Directory domain. These permissions are required for two different scenarios:

1. An HP-UX administrator will add a CIFS/Samba computer to the Active Directory and join it to the domain from the HP-UX command line with the net ads join -U username command.

2. A Windows administrator will add a CIFS/Samba computer to the Active Directory using the Active Directory Users and Computers Microsoft Management Console (MMC), and then an HP-UX administrator will join it to the domain using the net ads join -U username command.

These scenarios each require a different approach and a different process to accomplish the same objective: add the computer with the absolute minimum set of user permissions. Both scenarios will be detailed with Windows MMC screenshots and CIFS/Samba command line sequences.

Warning: Although joining the domain can be accomplished without administrator rights and privileges, leaving the domain cannot. After joining with these methods, the net ads leave -U username command will not work, even with administrator specified as the user. The Computer object must be deleted using the Windows Users and Computers MMC.

All tests were performed using the following versions:

- Windows Server 2003 Enterprise Edition, with all security updates but *not* SP1
- HP CIFS Server A.02.01.01, based upon Samba 3.0.7 with some backports
- Windows XP SP2 client with all security updates (for correct authentication tests)

Chapter 2

Initial Symptoms and Windows Management

A successful net ads join to the domain using the administrator user looks like this:
    rmonster->net ads join -U administrator
    administrator's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The purpose of these operations is to successfully join the Windows 2003 domain without using administrator rights. An unsuccessful net ads join using an ordinary domain user (which is only a member of the Domain Users group) looks like this:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 12:49:37, 0] libads/ldap.c:ads_join_realm(1725)
      ads_join_realm: ads_add_machine_acct failed (rmonster): Insufficient access
    ads_join_realm: Insufficient access
    rmonster->

The user darla does not have the required permissions to join a computer object to the domain. Darla can be added to the Administrators group, the Domain Admins group, or the Enterprise Admins group, with full Administrator rights, and then successfully execute net ads join. But then she does not have minimum permissions. Below is a join with Darla as a member of Administrators. This is shown because, although Darla with minimum permissions will also join the domain, the Samba output will differ from the output with Darla as an administrator:

    rmonster->net ads join -U darla
    darla's password:
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

2.1

AD Users and Computers MMC

All of the operations that are required to assign the user darla the necessary rights and privileges in the Active Directory are executed with the Active Directory Users and Computers (ADUC) Microsoft Management Console. Start the console, then click View and select Advanced Features:

All subsequent operations will start from the ADUC Advanced Features MMC.

Chapter 3

Add and Join Using net ads join

For Scenario 1 the next step is to assign the minimum rights for Darla to add and join the CIFS/Samba computer object to the Active Directory using net ads join. This sequence is appropriate for the case when the Active Directory schema is mostly the standard default design, and Samba can determine what container the new computer object will be added to. Therefore, the net ads join command can initiate both the AD Computer Add operation and the Samba join (to the domain) operation.

3.1

Operation at the AD Users & Computers MMC

1. Right click the Computers container in the navigator pane, and select Properties.

2. Select the Security tab, and then click the Advanced button.

3. Click Add, and add the user Darla.

4. Click OK.

5. Ensure that darla is highlighted, then click Edit.

6. First click Clear All to remove the default permissions. Then scroll down and find Create Computer Objects. Select the Allow box for Create Computer Objects, and click OK. Continue clicking OK on the MMC panes until only the parent ADUC screen remains.

3.2

At the CIFS/Samba Command Line

Now execute net ads join -U darla. Darla is an ordinary user with only the special privilege of Create Computer Objects for the Active Directory Computers container:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
      Warning: ads_set_machine_sd: Unexpected information received
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The join succeeds. CIFS/Samba on the HP-UX server may now be started, and users will successfully authenticate if the server configuration has been set up correctly. See Chapter 5 for a list of net ads commands that work with minimum permissions. Notice the Warning message in the test above; see Chapter 5 for a description and the ramifications of this warning. Test that domain membership and Kerberos authentication operate correctly by mapping a share from a domain member client.


Chapter 4

Add Using Windows MMC, Join Using net ads join at the HP-UX Command Line

For Scenario 2 the next step is to assign the minimum rights for Darla to join the CIFS/Samba computer object to the Active Directory using net ads join, but the Windows Administrator will actually add the computer object to the domain using the Users and Computers MMC. This scenario is useful when Samba cannot determine where the computer object must be added because the Active Directory schema design is customized and does not follow the default Windows schema. The MMC is used to add the object, and net ads join modifies the existing object. When adding the computer object with the MMC, do not select "Assign this computer account as a pre-Windows 2000 computer":


4.1

Operation at the AD Users & Computers MMC

1. Right click the new computer object and select Properties.

2. Select Advanced.


3. Add the new user to the Permission entries, and then select Edit.

4. Click Full Control Allow. This will select all of the permissions for the user. We will edit out the unnecessary entries in the next steps.


5. Click Full Control again to clear only it, then clear the other entries shown in the display (Full Control, Create All Child Objects, Delete All Child Objects). Then scroll the display down.

6. Clear the remaining permissions as shown above, leaving the bottom 7 selected as shown. Click OK on the MMC panes until only the parent ADUC screen remains.


4.2

At the CIFS/Samba Command Line

Now the new CIFS/Samba computer object has been added to the domain with the MMC. The user darla has been added to the object and has been assigned the minimum permission set to join at the command line. Execute net ads join -U darla:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 08:46:57, 0] libads/ldap.c:ads_add_machine_acct(1366)
      ads_add_machine_acct: Host account for rmonster already exists - modifying old account
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->

The join succeeds. Notice the message that the host account already exists and has been modified with the new Samba data. Test that domain membership and Kerberos authentication operate correctly by mapping a share from a domain member client.

IMPORTANT: The computer object attribute userAccountControl is populated with a computed value based upon several computer and domain factors. When adding a CIFS/Samba computer to the Active Directory with the Users and Computers MMC, this value may be invalid for Kerberos authentication to perform correctly. If Kerberos authentication does not perform correctly, then the attribute value may have to be written manually to the AD using ADSIedit or LDAPModify.


Chapter 5

Unexpected Behavior

Scenarios 1 and 2 allow a common user to join the domain from the CIFS/Samba command line using net ads join. However, this same user with the same permissions cannot leave the domain with net ads leave:

    rmonster->net ads leave -U darla
    Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
    rmonster->

Recalling the permission set that was assigned to the user darla for the Computers container, we did not select Delete Computer Objects. It does not matter: even with it selected, darla cannot leave the domain. In addition, executing net ads leave as Administrator produces the same result:

    rmonster->net ads leave -U administrator
    Failed to delete host 'RMONSTER' from the 'SNSLATC.HP.COM' realm.
    rmonster->

Administrator has full control, but still cannot leave the domain.

Other net commands that do not work with minimal permissions are:

- Leave
- User add
- User delete
- Group add
- Group delete
- Password

Other net commands that do work with minimal permissions are:

- Testjoin
- Info
- Status
- Lookup
- Search
- Dn
- Keytab
- Printer

Observe the warning text in a prior join to the domain:

    rmonster->net ads join -U darla
    darla's password:
    [2005/09/14 09:41:23, 0] libads/ldap.c:ads_add_machine_acct(1473)
      Warning: ads_set_machine_sd: Unexpected information received
    Using short domain name -- SNSLATC
    Joined 'RMONSTER' to realm 'SNSLATC.HP.COM'
    rmonster->


The warning reports that the data for the directory attribute ntSecurityDescriptor was not correctly processed. Samba tests for this condition and correctly assumes that the user does not have the rights required by Windows to process the attribute ntSecurityDescriptor. The attribute is not critical for Samba, so the warning is logged and the addition of the object is completed. The right required by the user to satisfy the Windows requirements for ntSecurityDescriptor is membership in the Administrators group. Since this is the exact privilege level that must be avoided when adding a directory object with minimum rights, this Windows requirement cannot be met. See the Microsoft Windows article "Problems Accessing the ntSecurityDescriptor property by using the ADSI LDAP provider" (formerly Q-article Q323749). A net ads status -U darla will show the expected CIFS/Samba server directory attributes, but will truncate prior to the Security Descriptor listing, as shown below:

    rmonster->net ads status -U darla
    darla's password:
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: rmonster
    distinguishedName: CN=rmonster,CN=Computers,DC=snslatc,DC=hp,DC=com
    instanceType: 4
    whenCreated: 20050914151517.0Z
    whenChanged: 20050914154659.0Z
    uSNCreated: 906012
    uSNChanged: 906023
    name: rmonster
    objectGUID: 8cdaf0ac-c707-4524-98e9-28a335143cb3
    userAccountControl: 4128
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 127711872753593750
    localPolicyFlags: 0
    pwdLastSet: 127711864189375000
    primaryGroupID: 515
    objectSid: S-1-5-21-515967899-1275210071-1801674531-1278
    accountExpires: 9223372036854775807
    logonCount: 67
    sAMAccountName: RMONSTER$
    sAMAccountType: 805306369
    operatingSystem: Samba
    operatingSystemVersion: 3.0.7 based HP CIFS Server A.02.01.01
    dNSHostName: rmonster.snslatc.hp.com
    userPrincipalName: HOST/rmonster@SNSLATC.HP.COM
    servicePrincipalName: CIFS/rmonster.snslatc.hp.com
    servicePrincipalName: CIFS/rmonster
    servicePrincipalName: HOST/rmonster.snslatc.hp.com
    servicePrincipalName: HOST/rmonster
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=snslatc,DC=hp,DC=com
    isCriticalSystemObject: FALSE
    rmonster->

An example of a typical net ads status -U administrator listing is shown for comparison:


    rmonster->net ads status -U administrator
    administrator's password:
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: rmonster
    distinguishedName: CN=rmonster,CN=Computers,DC=snslatc,DC=hp,DC=com
    instanceType: 4
    whenCreated: 20050914151517.0Z
    whenChanged: 20050914154659.0Z
    uSNCreated: 906012
    uSNChanged: 906023
    name: rmonster
    objectGUID: 8cdaf0ac-c707-4524-98e9-28a335143cb3
    userAccountControl: 4128
    badPwdCount: 0
    . . . .
    sAMAccountName: RMONSTER$
    sAMAccountType: 805306369
    operatingSystem: Samba
    operatingSystemVersion: 3.0.7 based HP CIFS Server A.02.01.01
    dNSHostName: rmonster.snslatc.hp.com
    userPrincipalName: HOST/rmonster@SNSLATC.HP.COM
    servicePrincipalName: CIFS/rmonster.snslatc.hp.com
    servicePrincipalName: CIFS/rmonster
    servicePrincipalName: HOST/rmonster.snslatc.hp.com
    servicePrincipalName: HOST/rmonster
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=snslatc,DC=hp,DC=com
    isCriticalSystemObject: FALSE
    -------------- Security Descriptor (revision: 1, type: 0x8c14)
    owner SID: S-1-5-21-515967899-1275210071-1801674531-512
    group SID: S-1-5-21-515967899-1275210071-1801674531-513
    ------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
    ------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
    access SID: S-1-1-0
    . . . .
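The two listings above are what an HP-UX administrator has to read after a minimum-permission join, and section 4.2 warns that a computer object created with the MMC may carry a userAccountControl value that breaks Kerberos. The following script is an added example, not part of the HP note or of Samba: it parses a saved net ads status listing, decodes the userAccountControl bits (the UF_* flag values are the documented Microsoft constants, assumed here), reports whether the Security Descriptor block was returned (it is absent when the user lacks Administrators membership, as the note explains), and checks the account name and the HOST/ and CIFS/ service principal names the listing is expected to contain. The sample listing is constructed from a trimmed copy of the darla output above.

```python
import re

# userAccountControl bit flags (Microsoft UF_* constants, assumed here).
UF_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
            0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
            0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD"}

# Constructed sample, trimmed from the darla listing above (no SD section).
SAMPLE_STATUS_DARLA = """\
rmonster->net ads status -U darla
darla's password:
userAccountControl: 4128
sAMAccountName: RMONSTER$
servicePrincipalName: CIFS/rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster
servicePrincipalName: HOST/rmonster.snslatc.hp.com
servicePrincipalName: HOST/rmonster
"""

def parse_status(text):
    """Return (attrs, has_sd): multi-valued attributes, and whether the
    Security Descriptor block was printed (ntSecurityDescriptor readable)."""
    attrs, has_sd = {}, False
    for line in text.splitlines():
        if "Security Descriptor" in line:
            has_sd = True
            break                       # attribute listing ends here
        m = re.match(r"^([A-Za-z][\w-]*): (.+)$", line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs, has_sd

def decode_uac(value):
    """Names of the UF_* flags set in a userAccountControl value."""
    return [name for bit, name in UF_FLAGS.items() if value & bit]

def check_computer(text, host, realm):
    """Flags, SD visibility and the join problems a Kerberos test would hit."""
    attrs, has_sd = parse_status(text)
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    fqdn = "%s.%s" % (host, realm.lower())
    expected = {"%s/%s" % (s, n) for s in ("HOST", "CIFS") for n in (host, fqdn)}
    problems = []
    if not uac & 0x1000:                # WORKSTATION_TRUST_ACCOUNT
        problems.append("userAccountControl lacks WORKSTATION_TRUST_ACCOUNT")
    if uac & 0x0002:                    # ACCOUNTDISABLE
        problems.append("computer account is disabled")
    if attrs.get("sAMAccountName") != [host.upper() + "$"]:
        problems.append("sAMAccountName is not %s$" % host.upper())
    missing = expected - set(attrs.get("servicePrincipalName", []))
    if missing:
        problems.append("missing SPNs: " + ", ".join(sorted(missing)))
    return {"uac_flags": decode_uac(uac),
            "security_descriptor_returned": has_sd, "problems": problems}
```

Run it over the output of net ads status -U darla redirected to a file; the value 4128 from the listing decodes to PASSWD_NOTREQD plus WORKSTATION_TRUST_ACCOUNT, which is the shape a Samba-created computer account has.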

