[Samba] samba-tool join domain fails

Rowland Penny rowlandpenny at googlemail.com
Wed Sep 25 10:03:41 MDT 2013


On 25/09/13 16:57, Axel wrote:
> Rowland Penny schrieb:
>> On 25/09/13 15:36, Axel wrote:
>>> Rowland Penny schrieb:
>>>> On 25/09/13 14:43, Axel wrote:
>>>>> Yes, this works all the time:
>>>>>
>>>>> root@samba-dc1:~# kinit admin
>>>>> admin@INTRANET.DOMAIN.DE's Password:
>>>>> root@samba-dc1:~# klist
>>>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>>>         Principal: admin@INTRANET.DOMAIN.DE
>>>>>   Issued                Expires               Principal
>>>>> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/INTRANET.DOMAIN.DE@INTRANET.DOMAIN.DE
>>>>> root@samba-dc1:~#
>>>>>
>>>>> The Security Monitor on the Windows 2003 DC told me (in German; translated here):
>>>>>
>>>>> Event Type:    Success Audit
>>>>> Event Source:    Security
>>>>> Event Category:    Directory Service Access
>>>>> Event ID:    566
>>>>> Date:        25.09.2013
>>>>> Time:        15:35:28
>>>>> User:        INTRANET\admin
>>>>> Computer:    WI-PAS01
>>>>> Description:
>>>>> Object Operation:
>>>>>      Object Server:    DS
>>>>>      Operation Type:    Object Access
>>>>>      Object Type:    organizationalUnit
>>>>>      Object Name:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>      Handle ID:    -
>>>>>      Primary User Name:    WI-PAS01$
>>>>>      Primary Domain:    INTRANET
>>>>>      Primary Logon ID:    (0x0,0x3E7)
>>>>>      Client User Name:    admin
>>>>>      Client Domain:    INTRANET
>>>>>      Client Logon ID:    (0x0,0x5B2D755F)
>>>>>      Accesses:    Create Child
>>>>>
>>>>>      Properties:
>>>>>     Create Child
>>>>>     computer
>>>>>
>>>>>      Additional Info:    CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>      Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>>>      Access Mask:    0x1
>>>>>
>>>>> and:
>>>>>
>>>>> Event Type:    Success Audit
>>>>> Event Source:    Security
>>>>> Event Category:    Logon/Logoff
>>>>> Event ID:    540
>>>>> Date:        25.09.2013
>>>>> Time:        15:35:28
>>>>> User:        INTRANET\admin
>>>>> Computer:    WI-PAS01
>>>>> Description:
>>>>> Successful Network Logon:
>>>>>      User Name:    admin
>>>>>      Domain:        INTRANET
>>>>>      Logon ID:        (0x0,0x5B2D755F)
>>>>>      Logon Type:    3
>>>>>      Logon Process:    Kerberos
>>>>>      Authentication Package:    Kerberos
>>>>>      Workstation Name:
>>>>>      Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>>>      Caller User Name:    -
>>>>>      Caller Domain:    -
>>>>>      Caller Logon ID:    -
>>>>>      Caller Process ID: -
>>>>>      Transited Services: -
>>>>>      Source Network Address:    192.168.200.210
>>>>>      Source Port:    43028
>>>>>
>>>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 
>>>>> works. NO insufficient user rights!
>>>>>
>>>>> Another test - copying SYSVOL - works too:
>>>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget 
>>>>> intranet.domain.de'
>>>>>
>>>>> That's all...
>>>>>
>>>>>
>>>>>
>>>>> Rowland Penny schrieb:
>>>>>> On 25/09/13 13:18, Axel wrote:
>>>>>>> Of course,
>>>>>>>
>>>>>>> Rowland Penny schrieb:
>>>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>>>> Anyone? Join failed - cleaning up
>>>>>>>>>> checking sAMAccountName
>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>> <>
>>>>>>>>>>   File 
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>>>>> line 175, in _run
>>>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>>>   File 
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>>>>>> line 552, in run
>>>>>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
>>>>>>>>>> dns_backend=dns_backend)
>>>>>>>>>>   File 
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>>>> line 1104, in join_DC
>>>>>>>>>>     ctx.do_join()
>>>>>>>>>>   File 
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>>>> line 1007, in do_join
>>>>>>>>>>     ctx.join_add_objects()
>>>>>>>>>>   File 
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>>>>>> line 499, in join_add_objects
>>>>>>>>>>     ctx.samdb.add(rec)
>>>>>>>>>>
>>>>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., 
>>>>>>>>>> ping works fine... also resolution of FQDNs.
>>>>>>>>>>
>>>>>>>>>> Can someone help?
>>>>>>>>>>
>>>>>>>>>> Thanks & Cheers
>>>>>>>>>>  axel
>>>>>>>>>>
>>>>>>>> Well I think this:
>>>>>>>>
>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>
>>>>>>>> says it all.
>>>>>>>>
>>>>>>>> Does the user intranet/admin exist and, if so, do they have the 
>>>>>>>> right to add a machine to the domain? Also, have you tried 
>>>>>>>> replacing intranet/admin with Administrator?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>> As I said in my first mail, that is THE Domain Administrator 
>>>>>>> (renamed in my environment to admin). This "admin" has had all 
>>>>>>> rights to this domain since 2005 :)
>>>>>>> Same problem with another Domain Administrator account.
>>>>>>>
>>>>>>> I've also tried with "Administrator" like you suggested. Same 
>>>>>>> issue...
>>>>>>>
>>>>>>> Thanks for your reply,
>>>>>>>  axel
>>>>>>>
>>>>>> OK, I did this yesterday, but with a samba4 DC joining to another 
>>>>>> samba4 DC, try this:
>>>>>>
>>>>>> kinit admin
>>>>>>
>>>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC 
>>>>>> -Uadmin --realm=intranet.domain.de
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> Yes, admin can log into the servers, but does he have the right to 
>>>> add workstations to the domain?
>>>> Also, was Administrator renamed, or was a new user called admin created?
>>>>
>>>> Rowland
>>> Like I said, "admin" is the main domain administrator and has all 
>>> rights to this domain. He wasn't newly created, just renamed.
>>>
>>> Axel
>>>
>> Well, if admin has all the required rights, I wonder if it is a 
>> problem with access rights to sam.ldb; on my secondary DC this 
>> belongs to root:root, the root user has read + write access, and 
>> getfacl shows:
>> getfacl: Removing leading '/' from absolute path names
>> # file: usr/local/samba/private/sam.ldb
>> # owner: root
>> # group: root
>> user::rw-
>> group::---
>> other::---
>>
>> so you need to be root to alter it. Should you be running the command 
>> with sudo? Do you have the root user enabled, i.e. are you running as root?
>>
>> I take it that /etc/resolv.conf points to your windows server (or 
>> something that points to it)
>>
>> One other thing that I can think of is that samba-tool domain join is 
>> hardcoded to Administrator, but I do not really think this is likely.
>>
>> Lastly, because it's Debian: AppArmor, if this is on, try turning it off.
>>
>> Rowland
>>
> Look at my code. I'm running as root. getfacl shows:
>
> root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/private/sam.ldb
> # owner: root
> # group: root
> user::rw-
> group::---
> other::---
>
> resolv.conf:
> root@samba-dc1:/# cat /etc/resolv.conf
> domain intranet.domain.de
> search intranet.domain.de
> nameserver 127.0.0.1
> nameserver 192.168.200.10 <-- Windows DC wi-pas01
> nameserver 192.168.200.254
>
> Hmm, I'm wondering.........
>
>
When I did my 'domain join' I had resolv.conf pointing to just the 
samba4 AD DC, so you could try that, but frankly after that I have run 
out of ideas.

Rowland
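The checks Rowland walks through in this thread (run as root, sam.ldb owned by root with mode 0600, a valid ticket from kinit, resolv.conf pointing at the existing DC rather than at the local host) collected into one preflight script. This is an added example for this page, not code from the thread or from Samba. It assumes the paths Axel posted (/var/lib/samba/private/sam.ldb, /etc/resolv.conf), the Windows DC address 192.168.200.10 and the realm intranet.domain.de from his output, and the join command Rowland gave; the function names are my own.

```shell
#!/bin/sh
# Pre-join checks for a Samba AD DC join, covering the points raised in this
# thread: running as root, sam.ldb owned by root with mode 0600, a valid
# Kerberos TGT in the credential cache, and resolv.conf pointing first at the
# existing DC rather than at the local host. Added example for this page,
# not Samba's own tooling; the default paths, the realm and the DC address
# used below are assumptions taken from the thread.

# is_root: 0 when the effective uid is 0.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# check_sam_perms FILE OWNER_UID
# 0 when FILE is a regular file with mode rw------- owned by OWNER_UID.
# ls -n prints numeric ids, so this works whether or not the uid has a
# passwd entry; a missing file leaves "ok" unset and the check fails.
check_sam_perms() {
    ls -ldn "$1" 2>/dev/null |
        awk -v uid="$2" '
            { ok = (substr($1, 1, 10) == "-rw-------" && $3 == uid) }
            END { exit !ok }'
}

# check_resolv FILE DC_IP
# 0 when the first "nameserver" line in FILE is DC_IP. During the join the
# local samba is not yet serving the zone, so a loopback resolver listed
# first cannot answer the SRV lookups the join needs. Trailing comments on
# the nameserver line, as in the thread, are ignored.
check_resolv() {
    awk -v dc="$2" '
        $1 == "nameserver" { ok = ($2 == dc); exit }
        END { exit !ok }' "$1"
}

# check_ticket: 0 when the default credential cache holds a valid TGT.
# MIT klist uses -s (silent), Heimdal klist uses -t (test); try both.
check_ticket() {
    klist -s 2>/dev/null || klist -t 2>/dev/null
}

# report NAME CMD...: run CMD, print PASS/FAIL, count failures in $fails.
report() {
    name=$1
    shift
    if "$@"; then
        echo "PASS $name"
    else
        echo "FAIL $name"
        fails=$((fails + 1))
    fi
}

# preflight DC_IP [RESOLV_CONF] [SAM_LDB] [OWNER_UID]
# Runs all checks; returns the number of failed checks and, when all pass,
# prints the join command from the thread.
preflight() {
    dc=$1
    resolv=${2:-/etc/resolv.conf}
    samldb=${3:-/var/lib/samba/private/sam.ldb}
    uid=${4:-0}
    fails=0
    report "running as root" is_root
    report "$samldb is owned by uid $uid with mode 0600" check_sam_perms "$samldb" "$uid"
    report "valid Kerberos TGT in the credential cache" check_ticket
    report "first nameserver in $resolv is $dc" check_resolv "$resolv" "$dc"
    if [ "$fails" -eq 0 ]; then
        echo "all checks passed; now run:"
        echo "  samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de"
    fi
    return "$fails"
}

# Usage: sh preflight.sh 192.168.200.10 [/etc/resolv.conf] [/var/lib/samba/private/sam.ldb] [0]
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it on the host being joined as `sh preflight.sh 192.168.200.10` before `samba-tool domain join`; each check prints PASS or FAIL and the exit status is the number of failures. With Axel's resolv.conf (127.0.0.1 listed first) the last check fails, which is the change Rowland suggests trying. The script cannot tell you whether the account actually holds Create Child on OU=Domain Controllers, which is what LDAP error 50 in the traceback is about; that still has to be confirmed on the Windows side.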

