/opt/samba/samba-3.4.0pre1/bin/net -U Administrator%password rpc rights list david38
david38
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

david38 has full rights, but this user cannot join a Samba machine to the domain:

/opt/samba/samba-3.4.0pre1/bin/net -U david38%password rpc join
Creation of workstation account failed
Unable to join domain SAMBATEST.

However, Administrator (uid=0) is able to do this successfully:

/opt/samba/samba-3.4.0pre1/bin/net -U Administrator%password rpc join
Joined domain SAMBATEST.

I have a feeling this is related to 6314.

Log: http://dmarkey.com/~dmarkey/samba3.4pre1/net/samba.david38

Possible Problem:

[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn INTERFACE_VERSION
[2009/05/06 02:09:50, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [23758]: request interface version
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2009/05/06 02:09:50, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [23758]: request location of privileged pipe
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn ALLOCATE_UID
[2009/05/06 02:09:50, 2] winbindd/winbindd_sid.c:613(winbindd_allocate_uid)
  winbindd_allocate_uid: non-privileged access denied!
[2009/05/06 02:09:50, 0] passdb/pdb_ldap.c:5106(ldapsam_create_user)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!
[2009/05/06 02:09:50, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  samr_CreateUser2: struct samr_CreateUser2
    out: struct samr_CreateUser2
      user_handle : *
        user_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000000-0000-0000-0000-000000000000
      access_granted : *
        access_granted : 0x00000000 (0)
      rid : *
        rid : 0x000004b6 (1206)
      result : NT_STATUS_UNSUCCESSFUL
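Added example (not part of the original report and not Samba project code): a small Python parser for the header-plus-indented-body record layout of the log excerpt above, returning only the low-level records so the failing chain (the winbindd_allocate_uid denial followed by ldapsam_create_user bailing out) stands out from the level-10 noise. The names parse_records and failures and the default threshold of 2 are choices made for this example; the sample is a subset of the records quoted in the report.

```python
import re

# Header of a Samba debug record: "[date time, level] file:line(function)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)"
    r"(?:,[^\]]*)?\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)\s*$"
)

def parse_records(text):
    """Group a Samba log into records: one header line plus its body lines."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "func": m["func"], "body": []})
        elif records and raw.strip():
            # Any non-header line belongs to the most recent record.
            records[-1]["body"].append(raw.strip())
    return records

def failures(text, max_level=2):
    """Return (level, function, first body line) for records at or below max_level."""
    return [(r["level"], r["func"], r["body"][0] if r["body"] else "")
            for r in parse_records(text) if r["level"] <= max_level]

# Sample input: a subset of the records from the log excerpt in the report.
SAMPLE = """\
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn ALLOCATE_UID
[2009/05/06 02:09:50, 2] winbindd/winbindd_sid.c:613(winbindd_allocate_uid)
  winbindd_allocate_uid: non-privileged access denied!
[2009/05/06 02:09:50, 0] passdb/pdb_ldap.c:5106(ldapsam_create_user)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!
[2009/05/06 02:09:50, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  samr_CreateUser2: struct samr_CreateUser2
    out: struct samr_CreateUser2
      result : NT_STATUS_UNSUCCESSFUL
"""

if __name__ == "__main__":
    for level, func, msg in failures(SAMPLE):
        print(f"[{level}] {func}: {msg}")
```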
The new samr changes might have fixed this; I'll test today.
debian5:~# /opt/samba/bin/net -U administrator%password rpc rights grant SAMBATEST\\addmachine SeMachineAccountPrivilege
Successfully granted rights.
debian5:~# /opt/samba/bin/net -U addmachine rpc join
Enter addmachine's password:
Creation of workstation account failed
User specified does not have administrator privileges
Unable to join domain SAMBATEST-2.
debian5:~# /opt/samba/bin/net -V
Version 3.4.0pre1-GIT-bfe7383-test

Doesn't seem like this is fixed yet. It does say that the user needs "Administrator" privileges; does this differ from having SeMachineAccountPrivilege?

As a shot in the dark I tried to give "addmachine" all available privileges. That didn't work either.
net -U administrator%password rpc group addmem "Domain admins" "david"
net -U david rpc join
Enter david's password:
Joined domain SAMBA-34-2.

Adding the user to "Domain admins" does give them the right to add to the domain, however.
David, can you get me a debug level 10 log from the server when:

opt/samba/bin/net -U addmachine rpc join
Enter addmachine's password:
Creation of workstation account failed
User specified does not have administrator privileges

fails, please?

Thanks!

Jeremy.
This bug is invalid. I was trying to do a PDC loopback join. One needs to be in the "Domain Admins"/512 group; when a user is in the Domain Admins group this succeeds.

A user with the SeMachineAccountPrivilege is able to join a domain member (non BDC/PDC).

This is all expected behavior.