Bug 1773 - "Insufficient Access" while joining W2K (native) domain
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.7
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-09-15 11:15 UTC by Andreas Hasenack
Modified: 2005-04-18 23:29 UTC
Description Andreas Hasenack 2004-09-15 11:15:18 UTC
I'm trying to join a w2k native domain with a samba 3.0.7 client. It works as
long as I use the "Administrator" account or someone who is a member of the
"Account Operators" group.

However, now I want to join the domain in the situation where a computer account
was already created in AD. When creating this account, there is an option to
select which group/user should be able to perform the final join. The default is
"Administrators", but I changed that to "Users". This means that a user can
join the domain as long as he/she authenticates correctly. It works with WinXP
Pro (I can join the domain as a regular user), but not Samba:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usuario100@DOMAIN.INT

Valid starting     Expires            Service principal
09/15/04 14:53:30  09/16/04 00:53:25  krbtgt/DOMAIN.INT@DOMAIN.INT
        renew until 09/16/04 14:53:30

# net ads join
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for pandora already exists - modifying old
account
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (pandora): Insufficient access
ads_join_realm: Insufficient access

tcpdumping shows that this error happens when samba tries to modify the computer
account attributes via an ldap modify operation. As I understood it, samba first
modifies/adds some attributes via LDAP and then changes the computer password
via kerberos. It fails at the LDAP stage with "insufficient access".

So, should this be possible with Samba 3? Joining a domain as a
non-administrator and non-account-operators user? It is from WinXP Pro.
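The report pins the failure to the LDAP modify step that runs before the Kerberos password change. The script below is an added diagnostic, not Samba's code: run with the joining user's Kerberos ticket (as shown by klist above), it replays each attribute write on the pre-created computer object one at a time and reports which ones the DC refuses with result code 50 (insufficientAccessRights), so the missing ACE can be identified. The attribute list, DN and the ldap3 SASL/GSSAPI calls are assumptions; the report only says "some attributes" are modified.

```python
"""Probe which attribute writes on a pre-created AD computer object a user
is allowed to make. Added example, not Samba's code. The attribute list is
illustrative: the bug report does not name the attributes the join writes."""
from typing import Callable, Dict, List, Tuple

LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS = 50   # insufficientAccessRights (RFC 4511)

# Constructed sample for the host "pandora" from the report (assumed DN).
SAMPLE_DN = "CN=pandora,CN=Computers,DC=domain,DC=int"
SAMPLE_CHANGES: List[Tuple[str, str]] = [
    ("dNSHostName", "pandora.domain.int"),
    ("servicePrincipalName", "HOST/pandora.domain.int"),
    ("userAccountControl", "69632"),
]

# modify(dn, attribute, value) -> LDAP result code
ModifyFn = Callable[[str, str, str], int]


def probe_writes(modify: ModifyFn, dn: str, changes) -> Dict[str, int]:
    """Apply each change on its own so a single 'Insufficient access' from
    the join can be pinned to the attribute whose ACE is missing."""
    return {attr: modify(dn, attr, value) for attr, value in changes}


def summarize(results: Dict[str, int]) -> Dict[str, List[str]]:
    """Group attributes by outcome: writable, denied (code 50) or other error."""
    out: Dict[str, List[str]] = {"writable": [], "denied": [], "error": []}
    for attr, rc in sorted(results.items()):
        key = ("writable" if rc == LDAP_SUCCESS
               else "denied" if rc == LDAP_INSUFFICIENT_ACCESS else "error")
        out[key].append(attr)
    return out


def ldap3_kerberos_modify(server_uri: str) -> ModifyFn:
    """Real modify over SASL/GSSAPI using the caller's ticket cache (assumed
    ldap3 API; imported lazily so the rest of the file runs offline)."""
    from ldap3 import Server, Connection, SASL, KERBEROS, MODIFY_REPLACE
    conn = Connection(Server(server_uri), authentication=SASL, sasl_mechanism=KERBEROS)
    conn.bind()

    def modify(dn: str, attr: str, value: str) -> int:
        conn.modify(dn, {attr: [(MODIFY_REPLACE, [value])]})
        return int(conn.result["result"])
    return modify


if __name__ == "__main__":
    import sys   # usage: python probe.py ldap://dc.domain.int
    print(summarize(probe_writes(ldap3_kerberos_modify(sys.argv[1]), SAMPLE_DN, SAMPLE_CHANGES)))
```

Each probe performs the same replace the join would, so point it only at the pre-created account you intend to join; a non-empty "denied" list is the ACL gap Jerry's comment refers to.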
Comment 1 Gerald (Jerry) Carter 2005-01-17 12:22:10 UTC
This is not our bug. The access control is implemented by the DC.
Make sure that the ACL on the directory object allows the necessary
access.
Comment 2 Ram Panguluri 2005-04-18 23:29:52 UTC
Isn't it a valid one, since with the same user creds it is possible to join from a
Windows workstation to the same DC, but it's not possible with Samba? (ACLs are the
same in both cases.)
Thanks