Why does Samba want the root password when joining an ADS domain?

Question

Best practice on *NIX servers is to leave the root password unset and then use sudo. However, when one uses Samba's net join command, even through sudo, it still asks for the root password. Why? Doesn't it have all the local privileges it needs?

username@host:~$ sudo net join
[sudo] password for username:
Enter root's password:

OK. I have a hunch, based on other `net` commands, that since I didn't specify an AD user with `-U`, it's just going to try and use the AD username, "root". I don't get this same prompt when I specify `-U`. This isn't very intuitive in my opinion. — watkipet, Feb 19 '20 at 17:00
Instead of `-U username`, you might also be able to use `-P` (`--machine-pass`) to skip the password prompt. That works for me to run various `net` commands on the AD server itself when I'm logged in as root. — mivk, May 28 '20 at 10:57

score 1 · Accepted Answer · answered Feb 19 '20 at 22:07

1

Because that is who you are running the command as, you should use: -U a user that can join a computer to the domain, this is typically 'Administrator'

You also do not need local privileges, you need domain privileges.

answered Feb 19 '20 at 22:07

Rowland Penny

171
2

Makes sense now. It didn't when I asked the question. :) – watkipet Feb 19 '20 at 22:25

Why does Samba want the root password when joining an ADS domain?

1 Answers1