On Mon, 2011-11-21 at 15:10 +0000, John Hodrien wrote:
> On Mon, 21 Nov 2011, Stephen Gallagher wrote:
> > No, this is the entire point I was making. When you're joining the
> > machine, you're doing so with Administrator credentials, not machine
> > credentials. The privilege to change this value is not given to the
> > machine, so it cannot change them later.
> Nearly, but I wouldn't describe it as Administrator credentials. You're doing
> it with credentials that can join a machine to the domain, which is
> significantly less privileged.
> Question is, what *can* a machine do with its own credential? For example,
> net ads keytab add works using a machine credential (at least it does on the
> AD domain I'm testing against), so it can make service principals and update
> its own ldap record as a result...
Well, I don't know how much of that is happening due to direct
modification of LDAP versus using RPC to initiate a routine to make the
changes. The latter can at least be validated.
Allowing direct access to LDAP attributes means that you have no control
over what they become.
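As an added example, not code from this thread or from Samba or Active Directory: a small Python model of the distinction Stephen draws between a validated write and a direct attribute write. It uses the rule AD applies to a computer account's validated servicePrincipalName write (the SPN's host part must name the computer itself, via its dNSHostName or its sAMAccountName without the trailing '$'); the class, function names and sample values are constructed for illustration.

```python
"""Validated write vs. raw attribute write on a computer object (illustration)."""
from dataclasses import dataclass, field


@dataclass
class ComputerObject:
    """Constructed stand-in for an AD computer object (not a real LDAP entry)."""
    sam_account_name: str            # e.g. "WEB01$"
    dns_host_name: str               # e.g. "web01.example.com"
    spns: set = field(default_factory=set)


def parse_spn(spn):
    """Split 'service/host[:port][/instance]' into (service, host), lower-cased."""
    service, sep, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if not sep or not service or not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    return service.lower(), host.lower()


def own_names(comp):
    """Names the directory accepts as 'this computer' for a validated SPN write."""
    return {comp.dns_host_name.lower(),
            comp.sam_account_name.rstrip("$").lower()}


def validated_spn_write(comp, spn):
    """Model of AD's validated write: the server checks the value before storing it.

    Returns True and stores the SPN only when its host component names this
    computer; an SPN for any other host is rejected, so a machine credential
    cannot register itself under another machine's name.
    """
    _, host = parse_spn(spn)
    if host not in own_names(comp):
        return False
    comp.spns.add(spn)
    return True


def raw_spn_write(comp, spn):
    """Model of a direct, unvalidated attribute write: the value is stored as given.

    This is the case Stephen warns about: once the account can write the
    attribute directly, nothing constrains what it becomes.
    """
    comp.spns.add(spn)
    return True
```

Calling `validated_spn_write` with an SPN for a different host returns False and leaves the object unchanged, while `raw_spn_write` accepts the same value; that gap is the reason to prefer RPC-mediated, validated changes over direct LDAP attribute access.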