Joining Linux to Windows domain

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Feb 24 17:49:38 UTC 2005


On Tue, Feb 22, 2005 at 10:34:07PM -0500, Fraser Campbell wrote:
> I have joined Linux machines to Windows PDCs before with cooperation from the 
> Windows admins.  Basically Windows admin adds your machine to the domain, you 
> join the domain with a special invocation of smbpasswd and life is good.
> 
> I'm now in a situation where I'd like to add my machine to the domain without 
> involving the windows admins because I know they will not do it ... but I 
> haven't been told that I should not do it :-)
> 
> I have XP on my laptop as well, I presume that all I really need is the 
> machine account password ... can I find a machine account password within my 
> Windows XP drive and use those credentials within Linux?  Any other ideas?

This is based on what I know is the case when samba is the PDC and you
join a domain.  Maybe it is different with a windows PDC, but I doubt
it.

1: A machine account is created on the PDC without a key by the admin,
or it is created when connecting by providing a username/password
during the join of a user that has authority to create such an account on
the fly.

2: The machine connects to the PDC, and they negotiate creating a new
keyset between each other since there was no key yet for the connection.
After this point, no other machine can connect pretending to be the
joined machine since only the PDC and the joined machine will have the
correct matched key pairs to talk to each other.  This is to prevent
spoofing either of the PDC or the client.  The only way to rejoin a
machine after reinstalling it if necessary is to reset the machine
account to a blank (no key) state and have it rejoin after that.

I don't know if the key is stored plaintext in the registry on a windows
machine, but it might be.  If so, it might be possible to copy that to
your linux box, assuming it has the same hostname, (and perhaps ip) as
far as the PDC is concerned, and that only one of them will be connected
at any given time.

Have you checked on google?

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
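An added toy model (not from the list post) of the two-step machine-account lifecycle the reply describes: the admin creates a blank account, the first join negotiates a key, a second machine can neither answer challenges nor rejoin under that name, and only an admin reset lets a reinstalled box rejoin. The single shared secret and the HMAC challenge/response are assumed simplifications, not the actual PDC protocol.

```python
import hashlib
import hmac
import os
# Assumed simplification: the negotiated "keyset" is one shared secret and the
# PDC verifies a machine with an HMAC challenge/response over that secret.

class PDC:
    def __init__(self):
        self.accounts = {}  # hostname -> shared secret (None = blank, not yet joined)

    def create_machine_account(self, hostname):
        """Step 1: the admin pre-creates the account with no key."""
        self.accounts[hostname] = None

    def join(self, hostname):
        """Step 2: the first connection negotiates a key.  Returns the secret
        the machine keeps, or None if the account is missing or already keyed."""
        if hostname not in self.accounts or self.accounts[hostname] is not None:
            return None  # a second machine cannot take over an already joined name
        self.accounts[hostname] = os.urandom(16)
        return self.accounts[hostname]

    def verify(self, hostname, challenge, response):
        """Only the holder of the matching secret can answer the challenge."""
        secret = self.accounts.get(hostname)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def reset(self, hostname):
        """Admin puts the account back to the blank state so a reinstalled box can rejoin."""
        if hostname in self.accounts:
            self.accounts[hostname] = None

def machine_response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def lifecycle():
    """Join, spoof attempt, reinstall without reset, then reset; returns four booleans."""
    pdc = PDC()
    pdc.create_machine_account("laptop")
    key = pdc.join("laptop")
    c = os.urandom(16)
    genuine_ok = pdc.verify("laptop", c, machine_response(key, c))
    imposter_ok = pdc.verify("laptop", c, machine_response(os.urandom(16), c))
    rejoin_blocked = pdc.join("laptop") is None      # reinstalled machine lost its key
    pdc.reset("laptop")
    rejoin_after_reset = pdc.join("laptop") is not None
    return genuine_ok, imposter_ok, rejoin_blocked, rejoin_after_reset
```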