[Samba] SAMBA ADS integration - windows user account rights

Bert Verhaeghe bert.verhaeghe at ebo-enterprises.com
Tue Dec 18 17:13:07 GMT 2007


Hi all,

First of all, is it possible to join a Linux machine to AD using a
Windows user account that is not a member of the group Domain Admins?
Because when I do this I get the following error while executing `net ads
join -d 3 -U syncuser`:


#net ads join -d 3 -U  syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
Initialising global parameters 
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
section "[global]" 
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
octopussync's password: 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: ", DC"
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
resolve_wins: Attempting wins lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
resolve_wins: WINS server resolution selected and no WINS servers
listed. 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
resolve_hosts: Attempting host lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found) 
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
setup (blob length=107) 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2 3 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
311 2 2 10
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Tue, 11 Dec 2007 23:47:05 UTC 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the Windows user
account have?

Thx in advance

bert
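Reading the debug output above the way a defender triages a failed join: the parser below is an added example, not code from the post or from the Samba project. It rebuilds the mail-wrapped lines of Samba's `-d 3` log format and reports how far the join got before the NT_STATUS error; the stage list and the assessment wording are my own assumptions.

```python
import re

# Samba debug header as printed by "net ads join -d 3"; mail wrapping may split
# "[YYYY/MM/DD HH:MM:SS, level] path/file.c:function(line) message" over several lines.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^([\w./-]+\.c):(\w+)\((\d+)\)\s*(.*)$")

def parse_samba_debug(text):
    entries = []  # one dict per debug message; header-less lines continue the previous one
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            ts, level, line = m.groups()
            entries.append({"ts": ts, "level": int(level), "func": "", "msg": ""})
        if not entries:  # tool output printed before the first header
            entries.append({"ts": "", "level": 0, "func": "", "msg": ""})
        cur = entries[-1]
        loc = LOCATION.match(line) if not cur["func"] else None
        if loc:  # the source location may have wrapped onto the line after the header
            cur["func"], line = loc.group(2), loc.group(4)
        cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

# Samba functions whose appearance in the log shows a join stage was reached (assumed list).
STAGES = [("ads_connect", "ldap"), ("ads_sasl_spnego_bind", "sasl"),
          ("cli_session_setup_kerberos", "kerberos"), ("rpc_pipe_bind", "rpc_bind")]

def diagnose_join(text):
    entries = parse_samba_debug(text)
    seen = {e["func"] for e in entries}
    report = {stage: fn in seen for fn, stage in STAGES}
    codes = [c for e in entries for c in re.findall(r"\((NT_STATUS_\w+)\)", e["msg"])]
    report["nt_status"] = codes[-1] if codes else None
    if report["nt_status"] == "NT_STATUS_ACCESS_DENIED" and report["rpc_bind"]:
        report["assessment"] = "authenticated to the DC but not authorised to set the machine account password"
    else:
        report["assessment"] = "no access-denied after RPC bind; status=" + str(report["nt_status"])
    return report

# Constructed sample: an abridged copy of the wrapped log quoted in the post.
SAMPLE = """\
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \\samr fnum 0x400a
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
"""
```

Run `diagnose_join(SAMPLE)` to see that LDAP, Kerberos and the RPC bind all succeeded before the machine-account password change was refused, which points at authorisation on the computer object rather than at the credentials used.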



