[Samba] samba-tool join domain fails

Axel ako77 at arcor.de
Wed Sep 25 08:36:55 MDT 2013


Rowland Penny schrieb:
> On 25/09/13 14:43, Axel wrote:
>> Yes, this works all the time:
>>
>> root at samba-dc1:~# kinit admin
>> admin at INTRANET.DOMAIN.DE's Password:
>> root at samba-dc1:~# klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>>         Principal: admin at INTRANET.DOMAIN.DE
>>   Issued                Expires               Principal
>> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013 
>> krbtgt/INTRANET.DOMAIN.DE at INTRANET.DOMAIN.DE
>> root at samba-dc1:~#
>>
>> The Security-Monitor on the Windows 2003 DC told me (in German):
>>
>> Ereignistyp:    Erfolgsüberw.
>> Ereignisquelle:    Security
>> Ereigniskategorie:    Verzeichnisdienstzugriff
>> Ereigniskennung:    566
>> Datum:        25.09.2013
>> Zeit:        15:35:28
>> Benutzer:        INTRANET\admin
>> Computer:    WI-PAS01
>> Beschreibung:
>> Objektvorgang:
>>      Objektserver:    DS
>>      Vorgangstyp    Object Access
>>      Objekttyp:    organizationalUnit
>>      Objektname:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>      Handlekennung:    -
>>      Primärer Benutzername:    WI-PAS01$
>>      Primäre Domäne:    INTRANET
>>      Primäre Anmeldekennung:    (0x0,0x3E7)
>>      Clientbenutzername:    admin
>>      Clientdomäne:    INTRANET
>>      Clientanmeldekennung:    (0x0,0x5B2D755F)
>>      Zugriffe    Untergeordnetes Objekt erzeugen
>>
>>      Eigenschaften:
>>     Untergeordnetes Objekt erzeugen
>>     computer
>>
>>      Weitere Info:    CN=SAMBA-DC1,OU=Domain 
>> Controllers,DC=intranet,DC=domain,DC=de
>>      Weitere Info2:    %{34f6dfb0-e508-4124-a996-d80843a31445}
>>      Zugriffsmaske:    0x1
>>
>> and:
>>
>> Ereignistyp:    Erfolgsüberw.
>> Ereignisquelle:    Security
>> Ereigniskategorie:    An-/Abmeldung
>> Ereigniskennung:    540
>> Datum:        25.09.2013
>> Zeit:        15:35:28
>> Benutzer:        INTRANET\admin
>> Computer:    WI-PAS01
>> Beschreibung:
>> Erfolgreiche Netzwerkanmeldung:
>>      Benutzername:    admin
>>      Domäne:        INTRANET
>>      Anmeldekennung:        (0x0,0x5B2D755F)
>>      Anmeldetyp:    3
>>      Anmeldevorgang:    Kerberos
>>      Authentifizierungspaket:    Kerberos
>>      Arbeitsstationsname:
>>      Anmelde-GUID:    {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>      Aufruferbenutzername:    -
>>      Aufruferdomäne:    -
>>      Aufruferanmeldekennung:    -
>>      Aufruferprozesskennung: -
>>      Übertragene Dienste: -
>>      Quellnetzwerkadresse:    192.168.200.210
>>      Quellport:    43028
>>
>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. 
>> NO insufficient user rights!
>>
>> Another test - copying SYSVOL - works too:
>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget 
>> intranet.domain.de'
>>
>> That's all...
>>
>>
>>
>> Rowland Penny schrieb:
>>> On 25/09/13 13:18, Axel wrote:
>>>> Of course,
>>>>
>>>> Rowland Penny schrieb:
>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>> Anyone? Join failed - cleaning up
>>>>>>> checking sAMAccountName
>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>> <>
>>>>>>>   File 
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>> line 175, in _run
>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>   File 
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>>> line 552, in run
>>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
>>>>>>> dns_backend=dns_backend)
>>>>>>>   File 
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>> line 1104, in join_DC
>>>>>>>     ctx.do_join()
>>>>>>>   File 
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>> line 1007, in do_join
>>>>>>>     ctx.join_add_objects()
>>>>>>>   File 
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>> line 499, in join_add_objects
>>>>>>>     ctx.samdb.add(rec)
>>>>>>>
>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., ping 
>>>>>>> works fine... also resolution of FQDNs
>>>>>>>
>>>>>>> Can someone help?
>>>>>>>
>>>>>>> Thanks & Cheers
>>>>>>>  axel
>>>>>>>
>>>>> Well I think this:
>>>>>
>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>
>>>>> says it all.
>>>>>
>>>>> Does user intranet/admin exist and if so, do they have the right 
>>>>> to add a machine to the domain, also have you tried replacing 
>>>>> intranet/admin with Administrator?
>>>>>
>>>>> Rowland
>>>> As I said in my first mail, that is THE Domain Administrator 
>>>> (renamed in my environment to admin). This "admin" has all rights 
>>>> to this domain since 2005 :)
>>>> Same problem with another Domain-Administrator Account.
>>>>
>>>> I've also tried with "Administrator" like you suggested. Same issue...
>>>>
>>>> Thanks for your reply,
>>>>  axel
>>>>
>>> OK, I did this yesterday, but with a samba4 DC joining to another 
>>> samba4 DC, try this:
>>>
>>> kinit admin
>>>
>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC 
>>> -Uadmin --realm=intranet.domain.de
>>>
>>> Rowland
>>>
> Yes, admin can log into the servers, but does he have the right to add 
> workstations to the domain?
> Also was Administrator renamed or was a new user called admin created?
>
> Rowland
Like I said, "admin" is the main domain administrator and has all 
rights to this domain. It wasn't newly created, just renamed.

Axel
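As an added example (not from the thread or from Samba), the two audit records Axel quoted double as sample input for a small detection check: an event 566 that creates a child computer object under OU=Domain Controllers is tied, via the shared logon ID (Anmeldekennung), to the event 540 network logon that supplied the user and source address, which is how a defender would notice a new DC being joined. The record text is constructed from the thread and trimmed to the fields the check uses.

```python
import re

# Constructed sample input: the event 566 (directory service access) and event 540
# (network logon) records quoted in the thread, trimmed to the fields this check uses.
EVENT_566 = r"""Ereigniskennung:    566
Benutzer:        INTRANET\admin
Objektname:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Clientbenutzername:    admin
Clientanmeldekennung:    (0x0,0x5B2D755F)
Zugriffe    Untergeordnetes Objekt erzeugen
Weitere Info:    CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
"""
EVENT_540 = r"""Ereigniskennung:    540
Benutzername:    admin
Anmeldekennung:        (0x0,0x5B2D755F)
Authentifizierungspaket:    Kerberos
Quellnetzwerkadresse:    192.168.200.210
"""

def parse_event(text):
    """One 'Key:   value' record -> dict; key and value are separated by 2+ blanks."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0].rstrip(":")] = parts[1]
    return fields

def dc_join_alerts(events):
    """Alert on every event 566 that creates a child object ('Untergeordnetes Objekt
    erzeugen' = createChild) under the Domain Controllers OU, joined to the event 540
    network logon that carries the same logon ID (Anmeldekennung)."""
    logons = {e["Anmeldekennung"]: e for e in events if e.get("Ereigniskennung") == "540"}
    alerts = []
    for e in events:
        if (e.get("Ereigniskennung") == "566"
                and "OU=Domain Controllers" in e.get("Objektname", "")
                and e.get("Zugriffe") == "Untergeordnetes Objekt erzeugen"):
            logon = logons.get(e.get("Clientanmeldekennung"), {})
            alerts.append({
                "user": e.get("Clientbenutzername"),
                "object": e.get("Weitere Info"),
                "source_ip": logon.get("Quellnetzwerkadresse", "unknown"),
                "auth_package": logon.get("Authentifizierungspaket", "unknown"),
            })
    return alerts

def run_demo():
    return dc_join_alerts([parse_event(EVENT_566), parse_event(EVENT_540)])
```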