[Samba] samba-tool join domain fails

Gregory Sloop gregs at sloop.net
Wed Sep 25 13:35:22 MDT 2013


Top posting:

In resolv.conf - remove any DNS servers other than the AD one.
Is the AD server actually responding to DNS queries from the S4 box?

I have not followed this thread carefully, so my suggestion could
easily be wrong - but DNS from the real AD controller is *really*
important, and IMO, it shouldn't be getting answers from ANY other
servers. [And you should be *sure* it really IS getting answers,
rather than a refusal.]

-Greg


A> Rowland Penny wrote:
>> On 25/09/13 16:57, Axel wrote:
>>> Rowland Penny wrote:
>>>> On 25/09/13 15:36, Axel wrote:
>>>>> Rowland Penny wrote:
>>>>>> On 25/09/13 14:43, Axel wrote:
>>>>>>> Yes, this works all the time:
>>>>>>>
>>>>>>> root@samba-dc1:~# kinit admin
>>>>>>> admin@INTRANET.DOMAIN.DE's Password:
>>>>>>> root@samba-dc1:~# klist
>>>>>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>>>>>         Principal: admin@INTRANET.DOMAIN.DE
>>>>>>>   Issued                Expires               Principal
>>>>>>> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/INTRANET.DOMAIN.DE@INTRANET.DOMAIN.DE
>>>>>>> root@samba-dc1:~#
>>>>>>>
>>>>>>> The Security event log on the Windows 2003 DC told me (in German):
>>>>>>>
>>>>>>> Event Type:    Success Audit
>>>>>>> Event Source:    Security
>>>>>>> Event Category:    Directory Service Access
>>>>>>> Event ID:    566
>>>>>>> Date:        25.09.2013
>>>>>>> Time:        15:35:28
>>>>>>> User:        INTRANET\admin
>>>>>>> Computer:    WI-PAS01
>>>>>>> Description:
>>>>>>> Object Operation:
>>>>>>>      Object Server:    DS
>>>>>>>      Operation Type:    Object Access
>>>>>>>      Object Type:    organizationalUnit
>>>>>>>      Object Name:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>>>      Handle ID:    -
>>>>>>>      Primary User Name:    WI-PAS01$
>>>>>>>      Primary Domain:    INTRANET
>>>>>>>      Primary Logon ID:    (0x0,0x3E7)
>>>>>>>      Client User Name:    admin
>>>>>>>      Client Domain:    INTRANET
>>>>>>>      Client Logon ID:    (0x0,0x5B2D755F)
>>>>>>>      Accesses:    Create Child
>>>>>>>
>>>>>>>      Properties:
>>>>>>>     Create Child
>>>>>>>     computer
>>>>>>>
>>>>>>>      Additional Info:    CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>>>      Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>>>>>      Access Mask:    0x1
>>>>>>>
>>>>>>> and:
>>>>>>>
>>>>>>> Event Type:    Success Audit
>>>>>>> Event Source:    Security
>>>>>>> Event Category:    Logon/Logoff
>>>>>>> Event ID:    540
>>>>>>> Date:        25.09.2013
>>>>>>> Time:        15:35:28
>>>>>>> User:        INTRANET\admin
>>>>>>> Computer:    WI-PAS01
>>>>>>> Description:
>>>>>>> Successful Network Logon:
>>>>>>>      User Name:    admin
>>>>>>>      Domain:        INTRANET
>>>>>>>      Logon ID:        (0x0,0x5B2D755F)
>>>>>>>      Logon Type:    3
>>>>>>>      Logon Process:    Kerberos
>>>>>>>      Authentication Package:    Kerberos
>>>>>>>      Workstation Name:
>>>>>>>      Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>>>>>      Caller User Name:    -
>>>>>>>      Caller Domain:    -
>>>>>>>      Caller Logon ID:    -
>>>>>>>      Caller Process ID: -
>>>>>>>      Transited Services: -
>>>>>>>      Source Network Address:    192.168.200.210
>>>>>>>      Source Port:    43028
>>>>>>>
>>>>>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 
>>>>>>> works. NO insufficient user rights!
>>>>>>>
>>>>>>> Another test - copying SYSVOL - works too:
>>>>>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'
>>>>>>>
>>>>>>> That's all...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Rowland Penny wrote:
>>>>>>>> On 25/09/13 13:18, Axel wrote:
>>>>>>>>> Of course,
>>>>>>>>>
>>>>>>>>> Rowland Penny wrote:
>>>>>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>>>>>> Anyone? Join failed - cleaning up
>>>>>>>>>>>> checking sAMAccountName
>>>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>>>> <>
>>>>>>>>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
>>>>>>>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>>>>>>>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
>>>>>>>>>>>>     ctx.do_join()
>>>>>>>>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
>>>>>>>>>>>>     ctx.join_add_objects()
>>>>>>>>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
>>>>>>>>>>>>     ctx.samdb.add(rec)
>>>>>>>>>>>>
>>>>>>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., 
>>>>>>>>>>>> ping works fine... also resolution of FQDNs.
>>>>>>>>>>>>
>>>>>>>>>>>> Can someone help?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Cheers
>>>>>>>>>>>>  axel
>>>>>>>>>>>>
>>>>>>>>>> Well I think this:
>>>>>>>>>>
>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>
>>>>>>>>>> says it all.
>>>>>>>>>>
>>>>>>>>>> Does user intranet/admin exist and if so, do they have the 
>>>>>>>>>> right to add a machine to the domain, also have you tried 
>>>>>>>>>> replacing intranet/admin with Administrator?
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>> As I said in my first mail, that is THE Domain Administrator 
>>>>>>>>> (renamed in my environment to admin). This "admin" has had all 
>>>>>>>>> rights to this domain since 2005 :)
>>>>>>>>> Same problem with another Domain-Administrator Account.
>>>>>>>>>
>>>>>>>>> I've also tried with "Administrator" like you suggested. Same 
>>>>>>>>> issue...
>>>>>>>>>
>>>>>>>>> Thanks to your reply,
>>>>>>>>>  axel
>>>>>>>>>
>>>>>>>> OK, I did this yesterday, but with a samba4 DC joining to 
>>>>>>>> another samba4 DC, try this:
>>>>>>>>
>>>>>>>> kinit admin
>>>>>>>>
>>>>>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de 
>>>>>>>> DC -Uadmin --realm=intranet.domain.de
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> Yes, admin can log into the servers, but does he have the right to 
>>>>>> add workstations to the domain?
>>>>>> Also was Administrator renamed or was a new user called admin 
>>>>>> created?
>>>>>>
>>>>>> Rowland
>>>>> Like I said, "admin" is the main domain administrator and has all 
>>>>> rights to this domain. He wasn't newly created, just renamed.
>>>>>
>>>>> Axel
>>>>>
>>>> Well, if admin has all the required rights, I wonder if it is a 
>>>> problem with access rights to sam.ldb. On my secondary DC this 
>>>> belongs to root:root and the root user has read + write access, and 
>>>> getfacl shows:
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: usr/local/samba/private/sam.ldb
>>>> # owner: root
>>>> # group: root
>>>> user::rw-
>>>> group::---
>>>> other::---
>>>>
>>>> so you need to be root to alter it. Should you be running the 
>>>> command with sudo? Do you have the root user enabled, i.e. are you 
>>>> running as root?
>>>>
>>>> I take it that /etc/resolv.conf points to your windows server (or 
>>>> something that points to it)
>>>>
>>>> One other thing that I can think of is that samba-tool domain join 
>>>> is hardcoded to the Administrator but I do not really think this is 
>>>> likely.
>>>>
>>>> Lastly, because it's Debian: AppArmor, if this is on, try turning it 
>>>> off.
>>>>
>>>> Rowland
>>>>
>>> Look at my code. I'm running as root. getfacl shows:
>>>
>>> root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: var/lib/samba/private/sam.ldb
>>> # owner: root
>>> # group: root
>>> user::rw-
>>> group::---
>>> other::---
>>>
>>> resolv.conf:
>>> root@samba-dc1:/# cat /etc/resolv.conf
>>> domain intranet.domain.de
>>> search intranet.domain.de
>>> nameserver 127.0.0.1
>>> nameserver 192.168.200.10 <-- Windows DC wi-pas01
>>> nameserver 192.168.200.254
>>>
>>> Hmm, I'm wondering...
>>>
>>>
>> When I did my 'domain join' I had resolv.conf pointing to just the 
>> samba4 AD DC, so you could try that, but frankly after that I have run 
>> out of ideas.
>>
>> Rowland
A> No chance... same issue, also when I renamed admin to administrator.
A> I'm running out of ideas, too.

A> It's a great pity... thanks for your support!

A> Axel



-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---
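The DNS check Greg recommends in his reply, written out as an added example. This is not code from the thread, from Samba, or from any of the posters; the function names are mine. It assumes what Axel's cat output shows: the joining box should use only the Windows DC wi-pas01 at 192.168.200.10 as nameserver, the realm is intranet.domain.de, and dig(1) is installed for the live query. The resolv.conf it runs against at the bottom is a constructed copy of the one in the thread, not a real file.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check the DNS
# side of "samba-tool domain join". Assumptions: the AD DC wi-pas01 at
# 192.168.200.10 is the only nameserver the joining host should use, the
# realm is intranet.domain.de, and dig(1) is available for live queries.

# List the nameserver IPs from a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if the file names the AD DC ($2) and nothing else. Any other
# nameserver is printed, because the join must not get answers from it.
resolv_only_dc() {
    _file=$1; _dc=$2
    _extra=$(resolv_nameservers "$_file" | grep -F -vx "$_dc" || true)
    if [ -n "$_extra" ]; then
        echo "nameservers other than the AD DC $_dc: $(echo "$_extra" | tr '\n' ' ')"
        return 1
    fi
    resolv_nameservers "$_file" | grep -F -qx "$_dc"
}

# Read dig output on stdin and print "<RCODE> answer|empty". REFUSED,
# SERVFAIL, or NOERROR with an empty answer section is not a usable reply;
# NORESPONSE means no header came back at all (timeout or closed port).
dig_verdict() {
    awk '
        /status:/ { for (i = 1; i <= NF; i++) if ($i == "status:") { rc = $(i+1); sub(/,$/, "", rc) } }
        /ANSWER:/ { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { n = $(i+1); sub(/,$/, "", n) } }
        END { printf "%s %s\n", (rc == "" ? "NORESPONSE" : rc), (n + 0 > 0 ? "answer" : "empty") }'
}

# Ask every configured nameserver for the SRV records a DC join depends on.
# Returns 1 unless each one gives a real answer for each record.
check_join_dns() {
    _file=$1; _realm=$2; _rc=0
    for _ns in $(resolv_nameservers "$_file"); do
        for _name in "_ldap._tcp.dc._msdcs.$_realm" "_kerberos._tcp.$_realm"; do
            _v=$(dig +time=2 +tries=1 "@$_ns" "$_name" SRV 2>/dev/null | dig_verdict)
            printf '%-16s SRV %-40s -> %s\n' "$_ns" "$_name" "$_v"
            [ "$_v" = "NOERROR answer" ] || _rc=1
        done
    done
    return $_rc
}

# Constructed sample mirroring the resolv.conf posted in the thread.
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
domain intranet.domain.de
search intranet.domain.de
nameserver 127.0.0.1
nameserver 192.168.200.10
nameserver 192.168.200.254
EOF
resolv_only_dc "$SAMPLE_RESOLV" 192.168.200.10 || echo "-> trim resolv.conf to the AD DC before joining"
rm -f "$SAMPLE_RESOLV"

# Live check (needs dig and network access to the nameservers):
#   sh join-dns-check.sh --live /etc/resolv.conf intranet.domain.de
if [ "${1:-}" = "--live" ]; then
    check_join_dns "$2" "$3"
fi
```

Run against the sample, the first check fails and names 127.0.0.1 and 192.168.200.254 as extra nameservers. With `--live`, every nameserver has to come back with `NOERROR answer` for both SRV names; a `REFUSED`, an empty `NOERROR`, or `NORESPONSE` from any of them is the "refusal rather than an answer" Greg says to rule out, and a resolver that is still listed when it gives one of those is the first thing to remove.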
