[Samba] samba-tool join domain fails

Axel ako77 at arcor.de
Wed Sep 25 12:30:01 MDT 2013


Rowland Penny schrieb:
> On 25/09/13 16:57, Axel wrote:
>> Rowland Penny schrieb:
>>> On 25/09/13 15:36, Axel wrote:
>>>> Rowland Penny schrieb:
>>>>> On 25/09/13 14:43, Axel wrote:
>>>>>> Yes, this works all the time:
>>>>>>
>>>>>> root at samba-dc1:~# kinit admin
>>>>>> admin at INTRANET.DOMAIN.DE's Password:
>>>>>> root at samba-dc1:~# klist
>>>>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>>>>         Principal: admin at INTRANET.DOMAIN.DE
>>>>>>   Issued                Expires               Principal
>>>>>> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013 
>>>>>> krbtgt/INTRANET.DOMAIN.DE at INTRANET.DOMAIN.DE
>>>>>> root at samba-dc1:~#
>>>>>>
>>>>>> The Security Monitor on the Windows 2003 DC told me (in German):
>>>>>>
>>>>>> Ereignistyp:    Erfolgsüberw.
>>>>>> Ereignisquelle:    Security
>>>>>> Ereigniskategorie:    Verzeichnisdienstzugriff
>>>>>> Ereigniskennung:    566
>>>>>> Datum:        25.09.2013
>>>>>> Zeit:        15:35:28
>>>>>> Benutzer:        INTRANET\admin
>>>>>> Computer:    WI-PAS01
>>>>>> Beschreibung:
>>>>>> Objektvorgang:
>>>>>>      Objektserver:    DS
>>>>>>      Vorgangstyp    Object Access
>>>>>>      Objekttyp:    organizationalUnit
>>>>>>      Objektname:    OU=Domain 
>>>>>> Controllers,DC=intranet,DC=domain,DC=de
>>>>>>      Handlekennung:    -
>>>>>>      Primärer Benutzername:    WI-PAS01$
>>>>>>      Primäre Domäne:    INTRANET
>>>>>>      Primäre Anmeldekennung:    (0x0,0x3E7)
>>>>>>      Clientbenutzername:    admin
>>>>>>      Clientdomäne:    INTRANET
>>>>>>      Clientanmeldekennung:    (0x0,0x5B2D755F)
>>>>>>      Zugriffe    Untergeordnetes Objekt erzeugen
>>>>>>
>>>>>>      Eigenschaften:
>>>>>>     Untergeordnetes Objekt erzeugen
>>>>>>     computer
>>>>>>
>>>>>>      Weitere Info:    CN=SAMBA-DC1,OU=Domain 
>>>>>> Controllers,DC=intranet,DC=domain,DC=de
>>>>>>      Weitere Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>>>>      Zugriffsmaske:    0x1
>>>>>>
>>>>>> and:
>>>>>>
>>>>>> Ereignistyp:    Erfolgsüberw.
>>>>>> Ereignisquelle:    Security
>>>>>> Ereigniskategorie:    An-/Abmeldung
>>>>>> Ereigniskennung:    540
>>>>>> Datum:        25.09.2013
>>>>>> Zeit:        15:35:28
>>>>>> Benutzer:        INTRANET\admin
>>>>>> Computer:    WI-PAS01
>>>>>> Beschreibung:
>>>>>> Erfolgreiche Netzwerkanmeldung:
>>>>>>      Benutzername:    admin
>>>>>>      Domäne:        INTRANET
>>>>>>      Anmeldekennung:        (0x0,0x5B2D755F)
>>>>>>      Anmeldetyp:    3
>>>>>>      Anmeldevorgang:    Kerberos
>>>>>>      Authentifizierungspaket:    Kerberos
>>>>>>      Arbeitsstationsname:
>>>>>>      Anmelde-GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>>>>      Aufruferbenutzername:    -
>>>>>>      Aufruferdomäne:    -
>>>>>>      Aufruferanmeldekennung:    -
>>>>>>      Aufruferprozesskennung: -
>>>>>>      Übertragene Dienste: -
>>>>>>      Quellnetzwerkadresse:    192.168.200.210
>>>>>>      Quellport:    43028
>>>>>>
>>>>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 
>>>>>> works. NO insufficient user rights!
>>>>>>
>>>>>> Another test - copying SYSVOL - works too:
>>>>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget 
>>>>>> intranet.domain.de'
>>>>>>
>>>>>> That's all...
>>>>>>
>>>>>>
>>>>>>
>>>>>> Rowland Penny schrieb:
>>>>>>> On 25/09/13 13:18, Axel wrote:
>>>>>>>> Of course,
>>>>>>>>
>>>>>>>> Rowland Penny schrieb:
>>>>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>>>>> Anyone? Join failed - cleaning up
>>>>>>>>>>> checking sAMAccountName
>>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>>> <>
>>>>>>>>>>>   File 
>>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>>>>>> line 175, in _run
>>>>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>>>>   File 
>>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>>>>>>> line 552, in run
>>>>>>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
>>>>>>>>>>> dns_backend=dns_backend)
>>>>>>>>>>>   File 
>>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 
>>>>>>>>>>> 1104, in join_DC
>>>>>>>>>>>     ctx.do_join()
>>>>>>>>>>>   File 
>>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 
>>>>>>>>>>> 1007, in do_join
>>>>>>>>>>>     ctx.join_add_objects()
>>>>>>>>>>>   File 
>>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 
>>>>>>>>>>> 499, in join_add_objects
>>>>>>>>>>>     ctx.samdb.add(rec)
>>>>>>>>>>>
>>>>>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., 
>>>>>>>>>>> ping works fine... also resolution of FQDNs
>>>>>>>>>>>
>>>>>>>>>>> Can someone help?
>>>>>>>>>>>
>>>>>>>>>>> Thanks & Cheers
>>>>>>>>>>>  axel
>>>>>>>>>>>
>>>>>>>>> Well I think this:
>>>>>>>>>
>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>
>>>>>>>>> says it all.
>>>>>>>>>
>>>>>>>>> Does user intranet/admin exist and if so, do they have the 
>>>>>>>>> right to add a machine to the domain, also have you tried 
>>>>>>>>> replacing intranet/admin with Administrator?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> As I said in my first mail, that is THE Domain Administrator 
>>>>>>>> (renamed in my environment to admin). This "admin" has all 
>>>>>>>> rights to this domain since 2005 :)
>>>>>>>> Same problem with another Domain-Administrator Account.
>>>>>>>>
>>>>>>>> I've also tried with "Administrator" like you suggested. Same 
>>>>>>>> issue...
>>>>>>>>
>>>>>>>> Thanks to your reply,
>>>>>>>>  axel
>>>>>>>>
>>>>>>> OK, I did this yesterday, but with a samba4 DC joining to 
>>>>>>> another samba4 DC, try this:
>>>>>>>
>>>>>>> kinit admin
>>>>>>>
>>>>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de 
>>>>>>> DC -Uadmin --realm=intranet.domain.de
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> Yes, admin can log into the servers, but does he have the right to 
>>>>> add workstations to the domain?
>>>>> Also was Administrator renamed or was a new user called admin 
>>>>> created?
>>>>>
>>>>> Rowland
>>>> Like I said, "admin" is the main domain administrator and has all 
>>>> rights to this domain. He wasn't created new, just renamed.
>>>>
>>>> Axel
>>>>
>>> Well if admin has all the required rights, I wonder if it is a 
>>> problem with access rights to sam.ldb, on my secondary DC this 
>>> belongs to root:root and the root user has read + write access and 
>>> getfacl shows:
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: usr/local/samba/private/sam.ldb
>>> # owner: root
>>> # group: root
>>> user::rw-
>>> group::---
>>> other::---
>>>
>>> so you need to be root to alter it. Should you be running the 
>>> command with sudo? Do you have the root user enabled, i.e. are you 
>>> running as root?
>>>
>>> I take it that /etc/resolv.conf points to your windows server (or 
>>> something that points to it)
>>>
>>> One other thing that I can think of is that samba-tool domain join 
>>> is hardcoded to the Administrator but I do not really think this is 
>>> likely.
>>>
>>> Lastly, because it's Debian: AppArmor. If this is on, try turning it 
>>> off.
>>>
>>> Rowland
>>>
>> Look at my code. I'm running as root. getfacl shows:
>>
>> root at samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/private/sam.ldb
>> # owner: root
>> # group: root
>> user::rw-
>> group::---
>> other::---
>>
>> resolv.conf:
>> root at samba-dc1:/# cat /etc/resolv.conf
>> domain intranet.domain.de
>> search intranet.domain.de
>> nameserver 127.0.0.1
>> nameserver 192.168.200.10 <-- Windows DC wi-pas01
>> nameserver 192.168.200.254
>>
>> Hmm, I'm wondering...
>>
>>
> When I did my 'domain join' I had resolv.conf pointing to just the 
> samba4 AD DC, so you could try that, but frankly after that I have run 
> out of ideas.
>
> Rowland
No chance... same issue, also when I renamed admin to administrator.
I'm running out of ideas, too.

It's a great pity... thanks for your support!

Axel
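A quick way to run Rowland's checklist (who the join runs as, the mode on sam.ldb, where resolv.conf points, and what the SecErr in the traceback says) against the outputs pasted in this thread. This is an added example, not code from Samba or from either poster; the `SecErr` pattern, the function names and the finding texts are assumptions, and the sample inputs used when testing it are constructed from the values quoted above.

```python
import re

# Matches the SecErr string the remote DC relays through ldb (as in the traceback above)
SECERR_RE = re.compile(r"<(?P<code>[0-9A-Fa-f]{8}): SecErr: DSID-(?P<dsid>\w+), "
                       r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>\d+)")

def parse_secerr(msg):
    """Split a SecErr string into its fields; returns {} if msg is not one."""
    m = SECERR_RE.search(msg)
    if not m:
        return {}
    return {"code": int(m["code"], 16), "dsid": m["dsid"], "name": m["name"],
            "problem": int(m["problem"]), "data": int(m["data"])}

def parse_getfacl(text):
    """Owner and the owner's rwx triplet ('user::rw-') from getfacl output."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            info["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("user::"):
            info["user_mode"] = line[len("user::"):]
    return info

def nameservers(resolv_conf):
    """Nameserver addresses from resolv.conf text, in lookup order."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def triage(error_msg, facl_text, resolv_text, dc_ip, euid):
    """List the prerequisite problems the inputs reveal; empty means all clear."""
    findings = []
    if parse_secerr(error_msg).get("name") == "INSUFF_ACCESS_RIGHTS":
        findings.append("remote DC refused the add: verify the joining account may "
                        "create computer objects under OU=Domain Controllers")
    facl = parse_getfacl(facl_text)
    if facl.get("owner") == "root" and euid != 0:
        findings.append("sam.ldb is owned by root but the join is not running as root")
    if "w" not in facl.get("user_mode", ""):
        findings.append("sam.ldb owner lacks write permission")
    ns = nameservers(resolv_text)
    if not ns or ns[0] != dc_ip:
        findings.append("first nameserver is %s, not the existing DC %s"
                        % (ns[0] if ns else "unset", dc_ip))
    return findings
```

Feed it the pasted error line, `getfacl /var/lib/samba/private/sam.ldb`, `/etc/resolv.conf`, the existing DC's address and `os.geteuid()`; an empty list means none of the checks from the thread explains the failure.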