[Samba] net ads join without an admin account

robiwan at arcor.de robiwan at arcor.de
Mon Aug 8 11:25:25 GMT 2005


Dear Samba-Friends,

You are my last hope to solve my Samba problem. I read so many manpages, and everywhere I see the same thing to join an ADS domain:
net ads join -UAdministrator%password

All I want is to join a Windows2003 ADS domain WITHOUT knowing the admin password of the Windows Domain Controller.

Here are the details:
Other people in my company create a computer account for me in the domain controller. I am not allowed to do this.
The Kerberos things seem to work very well.
The net ads join fails.

Besides: With "security=domain" a "net rpc join" always succeeds without any password.

That's what I am doing:

W4DEMRCO0010006:~# kinit awm-meier.robert
Password for awm-meier.robert at T-HUGO.COM:
******

W4DEMRCO0010006:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: awm-meier.robert at T-HUGO.COM
Valid starting     Expires            Service principal
08/05/05 10:11:39  08/05/05 20:11:39  krbtgt/T-HUGO.COM at T-HUGO.COM
08/05/05 10:12:01  08/05/05 20:11:39  s4de8nsaaax$@T-HUGO.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
W4DEMRCO0010006:~#


W4DEMRCO0010006:~# net ads info
LDAP server: 10.175.162.6
LDAP server name: s4de8nsaaax
Realm: T-HUGO.COM
Bind Path: dc=T-HUGO,dc=COM
LDAP port: 389
Server time: Fri, 05 Aug 2005 10:20:34 GMT
KDC server: 10.175.162.6
Server time offset: 10
W4DEMRCO0010006:~#


W4DEMRCO0010006:~# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W4DEMRCO0010006
distinguishedName: CN=W4DEMRCO0010006,OU=TAComputers,DC=t-HUGO,DC=com
instanceType: 4
whenCreated: 20041011110348.0Z
whenChanged: 20050803095614.0Z
uSNCreated: 12291830
uSNChanged: 47883523
name: W4DEMRCO0010006
objectGUID: 4928b1f1-c9cf-41c2-a7bd-d2c2541dfa12
userAccountControl: 4096
badPwdCount: 15
codePage: 0
countryCode: 0
badPasswordTime: 127675468181987325
lastLogon: 127675350239782101
pwdLastSet: 127675344833817539
primaryGroupID: 515
objectSid: S-1-5-21-1524055796-552238918-151151879-30349
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: W4DEMRCO0010006$
sAMAccountType: 805306369
dNSHostName: W4DEMRCO0010006.rsnhm.t-HUGO.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ads-komitel,DC=de
isCriticalSystemObject: FALSE
dSCorePropagationData: 20050503160726.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 127673518289512517
W4DEMRCO0010006:~#


W4DEMRCO0010006:~# net ads join
[2005/08/05 10:15:00, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for w4demrco0010006 already exists - modifying old account
[2005/08/05 10:15:00, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (w4demrco0010006): Insufficient access
ads_join_realm: Insufficient access
W4DEMRCO0010006:~#


My smb.conf:
;
; /etc/smb.conf
;
;
[global]
workgroup = MYNETWORK
netbios name = W4DEMRCO0010006
server string = Lotsa Room
security = ADS
realm = T-HUGO.COM
auth methods = winbind
password server = 10.175.162.6
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = host wins lmhosts bcast
#tried both spnego Yes and No same diff.
use spnego = Yes
# use spnego = No
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
os level = 49
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
winbind separator = +
winbind nested groups = Yes
winbind cache time = 20
template homedir = /home/%D/%U
invalid users = root
ea support = Yes
hide special files = Yes
hide unreadable = Yes
use kerberos keytab = Yes
client use spnego = yes


Many, many thanks in advance

Robert 
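
As an added example (not part of the original post and not Samba code), the raw `userAccountControl` and FILETIME values in the `net ads status` output above can be decoded as follows. The function names are hypothetical; the sample lines are copied from the post.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented for Active Directory.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
             0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
FILETIME_ATTRS = ("pwdLastSet", "lastLogon", "badPasswordTime", "accountExpires")

# Attribute lines copied from the `net ads status` output in the post.
SAMPLE = """\
userAccountControl: 4096
badPwdCount: 15
badPasswordTime: 127675468181987325
lastLogon: 127675350239782101
pwdLastSet: 127675344833817539
accountExpires: 9223372036854775807
sAMAccountName: W4DEMRCO0010006$
"""

def parse_status(text):
    """Parse 'attr: value' lines into {attr: [values]} (attributes may repeat)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def decode_uac(value):
    """Return the names of the known flags set in userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_utc(value):
    """Convert 100 ns ticks since 1601-01-01 UTC to a datetime; None if unset."""
    if value in (0, 0x7FFFFFFFFFFFFFFF):  # both values mean "never"
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)

def summarize(text):
    attrs = parse_status(text)
    out = {"account": attrs["sAMAccountName"][0],
           "uac": decode_uac(int(attrs["userAccountControl"][0])),
           "badPwdCount": int(attrs["badPwdCount"][0])}
    for name in FILETIME_ATTRS:
        out[name] = filetime_to_utc(int(attrs[name][0])) if name in attrs else None
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the posted values this decodes to a workstation trust account without the disabled or lockout flag, a bad-password count of 15, and an account that never expires.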


