I'm trying to join a w2k native domain with a samba 3.0.7 client. It works as long as I use the "Administrator" account or someone who is a member of the "Account Operators" group. However, now I want to join the domain in the situation where a computer account was already created in AD. When creating this account, there is an option to select which group/user should be able to perform the final join. The default is "Administrators", but I changed that to "Users". This means that a user can join the domain as long as he/she authenticates correctly. It works with WinXP PRO (I can join the domain as a regular user), but not samba:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: usuario100@DOMAIN.INT

    Valid starting     Expires            Service principal
    09/15/04 14:53:30  09/16/04 00:53:25  krbtgt/DOMAIN.INT@DOMAIN.INT
            renew until 09/16/04 14:53:30

    # net ads join
    [2004/09/15 14:53:36, 0] libads/ldap.c:ads_add_machine_acct(1283)
      ads_add_machine_acct: Host account for pandora already exists - modifying old account
    [2004/09/15 14:53:36, 0] libads/ldap.c:ads_join_realm(1617)
      ads_add_machine_acct (pandora): Insufficient access
    ads_join_realm: Insufficient access

tcpdumping shows that this error happens when samba tries to modify the computer account attributes via an ldap modify operation. As I understood it, samba first modifies/adds some attributes via LDAP and then changes the computer password via kerberos. It fails at the LDAP stage with "insufficient access". So, should this be possible with samba 3? Joining a domain as a non-administrator and non-account-operators user? It is from winxp pro.
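An added example, not part of this report or of Samba's own code, that parses Samba 3 debug-log lines of the shape quoted above and reports which stage of "net ads join" failed: the message is logged by ads_join_realm but names ads_add_machine_acct, i.e. the LDAP create/modify of the computer object that happens before the Kerberos password set, which is why an "Insufficient access" there points at the directory ACL rather than at Kerberos. The sample log is constructed from the output in the report.

```python
import re
from typing import Dict, List, Optional

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)

# Constructed sample, modelled on the "net ads join" output quoted in the report.
SAMPLE_LOG = """\
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for pandora already exists - modifying old account
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (pandora): Insufficient access
ads_join_realm: Insufficient access
"""


def parse_samba_log(text: str) -> List[Dict[str, str]]:
    """Pair each debug header with the (indented) message lines that follow it."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries:  # continuation of the previous entry's message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def diagnose_join(text: str) -> Optional[Dict[str, object]]:
    """Return the failed join stage and host, or None if no failure is logged.

    ads_add_machine_acct is the LDAP add/modify of the computer object; the
    machine password is only set over Kerberos after it succeeds, so an access
    error reported for it means the directory ACL denied the LDAP write.
    """
    entries = parse_samba_log(text)
    preexisting = any("already exists" in e["msg"] for e in entries)
    for e in entries:
        if "Insufficient access" in e["msg"] and "ads_add_machine_acct" in e["msg"]:
            host = re.search(r"ads_add_machine_acct \((\S+)\):", e["msg"])
            return {"stage": "ldap-modify", "host": host.group(1) if host else None,
                    "preexisting": preexisting}
    return None


if __name__ == "__main__":
    print(diagnose_join(SAMPLE_LOG))
```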
This is not our bug. The access control is implemented by the DC. Make sure that the ACL on the directory object allows the necessary access.
Isn't it a valid one, since with the same user creds it is possible to join from a Windows workstation to the same DC, but it's not possible with samba (ACLs are the same in both cases)? Thanks