I'm trying to join a w2k native domain with a samba 3.0.7 client. It works as
long as I use the "Administrator" account or someone who is a member of the
"Account Operators" group.
However, now I want to join the domain in the situation where a computer account
was already created in AD. When creating this account, there is an option to
select which group/user should be able to perform the final join. The default is
"Administrators", but I changed that to "Users". This means that a user can
join the domain as long as he/she authenticates correctly. It works with WinXP
PRO (I can join the domain as a regular user), but not samba:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: usuario100@DOMAIN.INT
Valid starting     Expires            Service principal
09/15/04 14:53:30  09/16/04 00:53:25  krbtgt/DOMAIN.INT@DOMAIN.INT
        renew until 09/16/04 14:53:30
# net ads join
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_add_machine_acct(1283)
ads_add_machine_acct: Host account for pandora already exists - modifying old
[2004/09/15 14:53:36, 0] libads/ldap.c:ads_join_realm(1617)
ads_add_machine_acct (pandora): Insufficient access
ads_join_realm: Insufficient access
tcpdumping shows that this error happens when samba tries to modify the computer
account attributes via an ldap modify operation. As I understood it, samba first
modifies/adds some attributes via LDAP and then changes the computer password
via kerberos. It fails at the LDAP stage with "insufficient access".
So, should this be possible with Samba 3: joining a domain as a
non-Administrator, non-Account Operators user? It is from WinXP Pro.
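A hand-run version of the LDAP step described above, added here as an example (it is not code from this thread or from Samba): it uses the same ticket cache shown by klist and submits each attribute change as its own LDIF entry, so the DC's reply names which write it refuses, separating the LDAP stage from the later Kerberos password change. The DC hostname, the Computers container as the object's location, and the two attributes written are assumptions, not Samba's exact list.

```shell
#!/bin/sh
# Added diagnostic for a pre-created computer account: replay the kind of LDAP
# modify a join performs, as the joining user, and see what the DC rejects.
# Assumed values (placeholders): DC_HOST, the Computers container, and the
# attribute set; host "pandora" and realm DOMAIN.INT come from the thread.
set -eu

DC_HOST="${DC_HOST:-dc1.domain.int}"        # assumed DC hostname
HOST_SHORT="${HOST_SHORT:-pandora}"
FQDN="${FQDN:-pandora.domain.int}"          # assumed FQDN of the client
BASE_DN="${BASE_DN:-DC=domain,DC=int}"

# DN of the pre-created computer object (assumes the default Computers container).
computer_dn() {
    printf 'CN=%s,CN=Computers,%s\n' "$1" "$2"
}

# LDIF with one modify entry per attribute, mirroring writes a join typically
# makes (assumption). Separate entries let ldapmodify report each refusal.
join_ldif() {
    dn=$(computer_dn "$1" "$2")
    printf 'dn: %s\nchangetype: modify\nreplace: dNSHostName\ndNSHostName: %s\n\n' \
        "$dn" "$3"
    printf 'dn: %s\nchangetype: modify\nreplace: servicePrincipalName\n' "$dn"
    printf 'servicePrincipalName: HOST/%s\nservicePrincipalName: HOST/%s\n\n' "$3" "$1"
}

# Submit the changes with the ticket already in the cache via SASL/GSSAPI.
# -c continues past errors so every refused attribute is listed, not only the first.
run_check() {
    join_ldif "$HOST_SHORT" "$BASE_DN" "$FQDN" | ldapmodify -c -Y GSSAPI -H "ldap://$DC_HOST"
}

if [ "${1:-}" = "run" ]; then
    run_check
fi
```

Run it as the same user whose ticket klist shows; an "Insufficient access" on a specific entry points at the ACE that the DC is missing for that attribute, whereas success here moves the suspicion to the password-change step.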
This is not our bug. The access control is implemented by the DC.
Make sure that the ACL on the directory object allows the necessary
Isn't it a valid one, since with the same user creds it is possible to join from a
Windows workstation to the same DC, but it's not possible with Samba? (ACLs are the
same in both cases.)