[Samba] Minimum Permissions Required to Associate to a Windows Server 2003 AD Realm
Tavis
tavis at galaxytelecom.net
Wed Sep 8 22:10:27 GMT 2004
This is a repeat of an earlier email with more debugging information.
The issue I'm experiencing is that the Windows account I'm using to join
samba to the ADS realm (with net join ads -U ...) needs to be in the
"administrator" group on the Win2k3 DC, otherwise the join fails and net
returns an "ads_join_realm: Insufficient access" error. The join is
successful if the account is added to the "administrator" group.
What I'm trying to accomplish is joining the samba server to the ADS
realm using an account that has the absolute minimum privileges required,
as this account is only going to be used to join/remove the samba server
from the realm.
I've taken some traces showing the exchange in either case and attached
them to this email (samba.fail, where the account "lin1" IS NOT in the
administrator group; samba.success, where the account "lin1" IS in the
administrator group). It seems that at index 26 the samba server sends a
"Modify Request" to the Win2k3 DC that is rejected unless the user is in
the administrator group.
Now as a side note, I am able to join Windows XP/2k3 clients to the
realm using this account without it being added to the administrator group.
At this point, I'm assuming that perhaps there is some quirky behaviour
on samba's part that is causing this issue? Or perhaps some
permission(s) is (are) required that should be documented?
I've googled around and searched through the samba mailing lists; all
references I've found to this problem concluded without anything to
suggest what the actual problem was (usually, "I redid everything from
scratch and 'it just worked'").
System is running Debian 3.0r2 Woody with Debian Testing Kerberos libraries:
- libkrb5-dev 1.3.4-3
- libkrb53 1.3.4-3
- krb5-user 1.3.4-3
- krb5-config 1.6
Linux lin1.dev.hq.galnet.ca 2.4.27-flaneur_grsec2 #1 SMP Fri Aug 13 03:00:15 UTC 2004 i686 unknown.
Kernel is a plain kernel.org kernel patched with
grsecurity-2.0.1-2.4.27.patch from www.grsecurity.net
Samba version is 3.0.6 (fresh install from source):
./configure --prefix=/usr/local/samba --with-configdir=/etc/samba \
--with-logfilebase=/var/log/samba --with-smbmount \
--with-pam_smbpass --with-syslog --with-ads --with-winbind
Relevant smb.conf configuration:
#######################################################
[global]
workgroup = DEV
realm = DEV.HQ.GALNET.CA
netbios name = LIN1_DEV
server string = lin1.dev.hq.galnet.ca
security = ADS
password server = windev1.dev.hq.galnet.ca
restrict anonymous = 2
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/log.%m
disable netbios = Yes
server signing = auto
deadtime = 15
max smbd processes = 1000
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
pid directory = /var/run/samba
strict sync = Yes
sync always = Yes
hide special files = Yes
hide unreadable = Yes
include = /etc/samba/smb.conf.shares
follow symlinks = No
######################################################
Environment is pure Win2k3 ADS, running in both forest and domain native
2003 mode.
Here is the output from a "net join ads -d 3 -U lin1%password":
#######################################################
[2004/09/08 21:49:58, 3] param/loadparm.c:lp_load(3911)
lp_load: refreshing parameters
[2004/09/08 21:49:58, 3] param/loadparm.c:init_globals(1324)
Initialising global parameters
[2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/09/08 21:49:58, 3] param/loadparm.c:do_section(3404)
Processing section "[global]"
[2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf.shares"
[2004/09/08 21:49:58, 2] lib/interface.c:add_interface(79)
added interface ip=192.168.0.231 bcast=192.168.3.255 nmask=255.255.252.0
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
Connected to LDAP server 192.168.2.80
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_server_info(2318)
got ldap server name windev1 at DEV.HQ.GALNET.CA, using bind path: dc=DEV,dc=HQ,dc=GALNET,dc=CA
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =windev1$@DEV.HQ.GALNET.CA
[2004/09/08 21:49:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No credentials cache found)
[2004/09/08 21:49:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
Ticket in ccache[MEMORY:net_ads] expiration Thu, 09 Sep 2004 07:49:57 GMT
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
ads_add_machine_acct: Host account for lin1_dev already exists - modifying old account
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
ads_add_machine_acct (lin1_dev): Insufficient access
ads_join_realm: Insufficient access
[2004/09/08 21:49:58, 2] utils/net.c:main(792)
return code = -1
######################################################
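The debug output above is the whole evidence in this thread, so a parser for it is the check worth having at hand. What follows is an added example, not code from the original post or from Samba: it reads `net ... -d N` output, groups each `[timestamp, level] file:function(line)` header with the message line(s) under it (undoing the mail wrapping), and reports the level-0 entry from ads_join_realm together with whether the join hit a pre-existing host account, which is exactly the detail this run shows (the object already existed and the non-admin account could not modify it). The failing sample is the run quoted above; the success sample is constructed for illustration, since the post does not include one.

```python
"""Parse Samba 'net ads join -d N' debug output and explain a failed join.

Samba's debug format puts a header '[YYYY/MM/DD HH:MM:SS, level] file:func(line)'
on one line and the message on the line(s) that follow it. Level 0 is the most
severe. Lines net prints without a header (e.g. 'return code = -1') appear right
after the entry they belong to, so they are attached to that entry here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header line, e.g. "[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s+(?P<loc>\S+)$"
)
FUNC_RE = re.compile(r":(?P<func>\w+)\(\d+\)$")


@dataclass
class Entry:
    timestamp: str
    level: int                      # 0 = most severe; -d N shows levels <= N
    location: str                   # "file.c:function(line)"
    lines: List[str] = field(default_factory=list)

    @property
    def function(self) -> str:
        m = FUNC_RE.search(self.location)
        return m["func"] if m else ""

    @property
    def message(self) -> str:
        # Mail clients wrap long messages; joining with spaces undoes that.
        return " ".join(self.lines)


def parse_samba_debug(text: str) -> List[Entry]:
    """Group every header with the non-header lines that follow it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["loc"]))
        elif entries:                # text before the first header is ignored
            entries[-1].lines.append(line)
    return entries


@dataclass
class JoinDiagnosis:
    joined: bool
    return_code: Optional[int]
    failing_function: Optional[str]  # e.g. "ads_join_realm"
    error: Optional[str]             # full message of the failing level-0 entry
    modified_existing_account: bool  # join tried to modify a pre-existing host account
    account: Optional[str]           # host account name from that entry


def diagnose_join(entries: List[Entry]) -> JoinDiagnosis:
    rc = failing = error = account = None
    modified_existing = False
    for e in entries:
        m = re.search(r"return code = (-?\d+)", e.message)
        if m:
            rc = int(m.group(1))
        if e.level != 0:
            continue
        m = re.search(r"Host account for (\S+) already exists", e.message)
        if m:
            modified_existing, account = True, m.group(1)
        # The first level-0 entry from the join routine itself is the reported failure.
        if e.function == "ads_join_realm" and error is None:
            failing, error = e.function, e.message
    return JoinDiagnosis(rc == 0 and error is None, rc, failing, error,
                         modified_existing, account)


# Excerpt of the failing run quoted in the post (trimmed; wrapped as the mail was).
SAMPLE_FAIL = """\
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.2.80
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =windev1$@DEV.HQ.GALNET.CA
[2004/09/08 21:49:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lin1_dev already exists -
  modifying old account
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (lin1_dev): Insufficient access
ads_join_realm: Insufficient access
[2004/09/08 21:49:58, 2] utils/net.c:main(792)
  return code = -1
"""

# Constructed stand-in for a successful run (the post has none): same pre-existing
# account, but the modify goes through and net exits 0.
SAMPLE_OK = """\
[2004/09/08 21:55:01, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lin1_dev already exists - modifying old account
[2004/09/08 21:55:01, 2] utils/net.c:main(792)
  return code = 0
"""

if __name__ == "__main__":
    for name, sample in (("samba.fail", SAMPLE_FAIL), ("samba.success", SAMPLE_OK)):
        print(name, diagnose_join(parse_samba_debug(sample)))
```

Run it against the full `-d 3` capture (or `-d 10`, where Samba also logs the LDAP modify it attempts) to see in one line which routine failed and whether the join was creating a new host account or modifying one that already existed; those two cases need different rights on the directory side, and the output above shows this run was the second.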