[Samba] samba-tool join domain fails

Rowland Penny rowlandpenny at googlemail.com
Wed Sep 25 09:00:37 MDT 2013


On 25/09/13 15:36, Axel wrote:
> Rowland Penny schrieb:
>> On 25/09/13 14:43, Axel wrote:
>>> Yes, this works all the time:
>>>
>>> root at samba-dc1:~# kinit admin
>>> admin at INTRANET.DOMAIN.DE's Password:
>>> root at samba-dc1:~# klist
>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>         Principal: admin at INTRANET.DOMAIN.DE
>>>   Issued                Expires               Principal
>>> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013 
>>> krbtgt/INTRANET.DOMAIN.DE at INTRANET.DOMAIN.DE
>>> root at samba-dc1:~#
>>>
>>> The Security-Monitor on Windows 2003 DC told me (in german):
>>>
>>> Ereignistyp:    Erfolgsüberw.
>>> Ereignisquelle:    Security
>>> Ereigniskategorie:    Verzeichnisdienstzugriff
>>> Ereigniskennung:    566
>>> Datum:        25.09.2013
>>> Zeit:        15:35:28
>>> Benutzer:        INTRANET\admin
>>> Computer:    WI-PAS01
>>> Beschreibung:
>>> Objektvorgang:
>>>      Objektserver:    DS
>>>      Vorgangstyp    Object Access
>>>      Objekttyp:    organizationalUnit
>>>      Objektname:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>      Handlekennung:    -
>>>      Primärer Benutzername:    WI-PAS01$
>>>      Primäre Domäne:    INTRANET
>>>      Primäre Anmeldekennung:    (0x0,0x3E7)
>>>      Clientbenutzername:    admin
>>>      Clientdomäne:    INTRANET
>>>      Clientanmeldekennung:    (0x0,0x5B2D755F)
>>>      Zugriffe    Untergeordnetes Objekt erzeugen
>>>
>>>      Eigenschaften:
>>>     Untergeordnetes Objekt erzeugen
>>>     computer
>>>
>>>      Weitere Info:    CN=SAMBA-DC1,OU=Domain 
>>> Controllers,DC=intranet,DC=domain,DC=de
>>>      Weitere Info2:    %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>      Zugriffsmaske:    0x1
>>>
>>> and:
>>>
>>> Ereignistyp:    Erfolgsüberw.
>>> Ereignisquelle:    Security
>>> Ereigniskategorie:    An-/Abmeldung
>>> Ereigniskennung:    540
>>> Datum:        25.09.2013
>>> Zeit:        15:35:28
>>> Benutzer:        INTRANET\admin
>>> Computer:    WI-PAS01
>>> Beschreibung:
>>> Erfolgreiche Netzwerkanmeldung:
>>>      Benutzername:    admin
>>>      Domäne:        INTRANET
>>>      Anmeldekennung:        (0x0,0x5B2D755F)
>>>      Anmeldetyp:    3
>>>      Anmeldevorgang:    Kerberos
>>>      Authentifizierungspaket:    Kerberos
>>>      Arbeitsstationsname:
>>>      Anmelde-GUID:    {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>      Aufruferbenutzername:    -
>>>      Aufruferdomäne:    -
>>>      Aufruferanmeldekennung:    -
>>>      Aufruferprozesskennung: -
>>>      Übertragene Dienste: -
>>>      Quellnetzwerkadresse:    192.168.200.210
>>>      Quellport:    43028
>>>
>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 
>>> works. NO insufficient user rights!
>>>
>>> Another test - copying SYSVOL - works too:
>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget 
>>> intranet.domain.de'
>>>
>>> That's all...
>>>
>>>
>>>
>>> Rowland Penny schrieb:
>>>> On 25/09/13 13:18, Axel wrote:
>>>>> Of course,
>>>>>
>>>>> Rowland Penny schrieb:
>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>> Anyone? Join failed - cleaning up
>>>>>>>> checking sAMAccountName
>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>> <>
>>>>>>>>   File 
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>>> line 175, in _run
>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>   File 
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>>>> line 552, in run
>>>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
>>>>>>>> dns_backend=dns_backend)
>>>>>>>>   File 
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>> line 1104, in join_DC
>>>>>>>>     ctx.do_join()
>>>>>>>>   File 
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>> line 1007, in do_join
>>>>>>>>     ctx.join_add_objects()
>>>>>>>>   File 
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>> line 499, in join_add_objects
>>>>>>>>     ctx.samdb.add(rec)
>>>>>>>>
>>>>>>>> It seems that all prerequisites are fine: DNS, ACL etc., 
>>>>>>>> ping works fine... also resolution of FQDNs.
>>>>>>>>
>>>>>>>> Can someone help?
>>>>>>>>
>>>>>>>> Thanks & Cheers
>>>>>>>>  axel
>>>>>>>>
>>>>>> Well I think this:
>>>>>>
>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>
>>>>>> says it all.
>>>>>>
>>>>>> Does user intranet/admin exist and if so, do they have the right 
>>>>>> to add a machine to the domain, also have you tried replacing 
>>>>>> intranet/admin with Administrator?
>>>>>>
>>>>>> Rowland
>>>>> As I said in my first mail, that is THE Domain Administrator 
>>>>> (renamed in my environment to admin). This "admin" has had all rights 
>>>>> to this domain since 2005 :)
>>>>> Same problem with another Domain Administrator account.
>>>>>
>>>>> I've also tried with "Administrator" like you suggested. Same 
>>>>> issue...
>>>>>
>>>>> Thanks to your reply,
>>>>>  axel
>>>>>
>>>> OK, I did this yesterday, but with a samba4 DC joining to another 
>>>> samba4 DC, try this:
>>>>
>>>> kinit admin
>>>>
>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC 
>>>> -Uadmin --realm=intranet.domain.de
>>>>
>>>> Rowland
>>>>
>> Yes, admin can log into the servers, but does he have the right to 
>> add workstations to the domain?
>> Also, was Administrator renamed, or was a new user called admin created?
>>
>> Rowland
> Like I said, "admin" is the main domain administrator and has all 
> rights to this domain. He wasn't created new, just renamed.
>
> Axel
>
Well, if admin has all the required rights, I wonder if it is a problem 
with access rights to sam.ldb. On my secondary DC this belongs to 
root:root and the root user has read + write access, and getfacl shows:
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/private/sam.ldb
# owner: root
# group: root
user::rw-
group::---
other::---

so you need to be root to alter it. Should you be running the command 
with sudo? Do you have the root user enabled, i.e. are you running as root?

I take it that /etc/resolv.conf points to your Windows server (or 
something that points to it).

One other thing that I can think of is that samba-tool domain join is 
hardcoded to Administrator, but I do not really think this is likely.

Lastly, because it's Debian, AppArmor: if this is on, try turning it off.

Rowland
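As an added example (not from this thread or from the Samba project), the checks Rowland lists in the message above as a runnable pre-flight script: run as root, sam.ldb owned root:root with mode 0600 as the getfacl output shows, /etc/resolv.conf naming the existing DC, and AppArmor not confining anything Samba-related. The default sam.ldb path assumes the /usr/local/samba prefix seen in the traceback; the DC address is passed as an argument.

```shell
#!/bin/sh
# Added example: pre-flight checks before "samba-tool domain join".
# Default paths follow the /usr/local/samba prefix from the traceback (assumption).

# sam.ldb is root-only on the DC, so the join must run as root.
check_root() {
  [ "$(id -u)" -eq 0 ]
}

# Returns 0 when FILE is owned by OWNER:GROUP with mode rw------- (0600),
# i.e. what "getfacl sam.ldb" showed in the message above.
check_sam_ldb_perms() {
  f="${1:-/usr/local/samba/private/sam.ldb}"
  want_owner="${2:-root}"; want_group="${3:-root}"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  set -- $(ls -ld "$f")        # e.g. "-rw------- 1 root root 4096 Sep 25 ... sam.ldb"
  case "$1" in -rw-------*) ;; *) return 1 ;; esac
  [ "$3" = "$want_owner" ] && [ "$4" = "$want_group" ]
}

# Returns 0 when CONF lists DC_IP as a nameserver (anchored, so that
# 192.168.200.2 does not match a line for 192.168.200.210).
check_resolver() {
  dc_ip="$1"; conf="${2:-/etc/resolv.conf}"
  escaped=$(printf '%s' "$dc_ip" | sed 's/\./\\./g')
  grep -Eq "^[[:space:]]*nameserver[[:space:]]+${escaped}([[:space:]]|\$)" "$conf"
}

# Returns 0 when no loaded AppArmor profile mentions samba
# (aa-status is from apparmor-utils; if it is absent nothing is confined).
check_apparmor() {
  command -v aa-status >/dev/null 2>&1 || return 0
  ! aa-status 2>/dev/null | grep -qi samba
}

# Usage: preflight <dc-ip>, e.g. "preflight 192.168.200.1" before
# "kinit admin && samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de"
preflight() {
  rc=0
  check_root          || { echo "not running as root" >&2; rc=1; }
  check_sam_ldb_perms || { echo "sam.ldb ownership/mode unexpected" >&2; rc=1; }
  check_resolver "$1" || { echo "resolv.conf does not point at $1" >&2; rc=1; }
  check_apparmor      || { echo "AppArmor confines samba; turn it off" >&2; rc=1; }
  return $rc
}
```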


