Bug 1773 - "Insufficient Access" while joining W2K (native) domain
Summary: "Insufficient Access" while joining W2K (native) domain
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.7
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-09-15 11:15 UTC by Andreas Hasenack (mail address dead)
Modified: 2005-04-18 23:29 UTC

Description Andreas Hasenack (mail address dead) 2004-09-15 11:15:18 UTC
I'm trying to join a w2k native domain with a samba 3.0.7 client. It works as
long as I use the "Administrator" account or someone who is a member of the
"Account Operators" group.

However, now I want to join the domain in the situation where a computer account
was already created in AD. When creating this account, there is an option to
select which group/user should be able to perform the final join. The default is
"Administrators", but I changed that to "Users". This means that a user can
join the domain as long as he/she authenticates correctly. It works with WinXP
PRO (I can join the domain as a regular user), but not with Samba:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usuario100@DOMAIN.INT

Valid starting     Expires            Service principal
09/15/04 14:53:30  09/16/04 00:53:25  krbtgt/DOMAIN.INT@DOMAIN.INT
        renew until 09/16/04 14:53:30

# net ads join
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for pandora already exists - modifying old
account
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (pandora): Insufficient access
ads_join_realm: Insufficient access

tcpdumping shows that this error happens when samba tries to modify the computer
account attributes via an ldap modify operation. As I understood it, samba first
modifies/adds some attributes via LDAP and then changes the computer password
via kerberos. It fails at the LDAP stage with "insufficient access".

So, should this be possible with samba 3? Joining a domain as a
non-administrator and non-account-operators user? It is from winxp pro.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-01-17 12:22:10 UTC
This is not our bug. The access control is implemented by the DC.
Make sure that the ACL on the directory object allows the necessary
access.
Comment 2 Ram Panguluri 2005-04-18 23:29:52 UTC
Isn't it a valid one, since with the same user creds it is possible to join from a
Windows workstation to the same DC, but it's not possible with Samba? (ACLs are the
same in both cases.)
Thanks