Samba 4 insufficientAccessRights when modifying Configuration
Brian C. Huffman
bhuffman at etinternational.com
Wed Aug 1 08:01:24 MDT 2012
Yep - In fact, I removed the machine account from Domain Admins, tried
again, and did a diff between the two modify responses. Kerberos info is
different and the timestamps are different, but everything else is the same.
Brian
On 08/01/2012 09:51 AM, Nadezhda Ivanova wrote:
> Is it the same error on the same operation?
>
> On Wed, Aug 1, 2012 at 4:49 PM, Brian C. Huffman
> <bhuffman at etinternational.com <mailto:bhuffman at etinternational.com>>
> wrote:
>
> Matthieu,
>
> I used the MMC "Active Directory Users and Computers" to make the
> change you suggested. Unfortunately I still get the
> insufficientAccessRights. So now I'm not sure what's going on
> because your idea made sense and sounded very promising.
>
> Brian
>
>
>
>
> On 07/31/2012 11:52 PM, Matthieu Patou wrote:
>
> On 07/31/2012 07:18 AM, Brian C. Huffman wrote:
>
> Unfortunately I can run it as Administrator but it appears
> that programatically it still tries to install as the
> machine account. I did some research and it turns out
> that the vendor intends you to run it on the AD server
> itself (which won't be possible for Samba).
>
> I suspect they expect you to run it on one of the DC, in this
> case the computer account is member of the domain controllers
> that have a lot of rights !
>
> However while trying to work around this, I found a
> difference between Samba and a Windows 2008 AD server.
> With the Win2k8 AD server, I'm able to add the machine
> account, with inherited write permissions to
> CN=DisplaySpecifiers,CN=Configuration and then the
> installer succeeds. When I try to do the same with Samba,
> it doesn't give me any warnings, but it silently refuses
> to add the permissions to the descendants of
> DisplaySpecifiers. Is this known / intended behavior?
>
> As nadya said we now this "issue" the way to do it for you is
> to add the machine account via ADSI or ldbedit to the domain
> admins group, it should do the job. Once the installation is
> finished, remove it from this group.
>
> Matthieu.
>
>
>
>
More information about the samba-technical
mailing list