can I join win2000 domain with normal domain user?

lin li goldli at hotmail.com
Wed May 21 17:31:41 GMT 2003




>From: Andrew Bartlett <abartlet at samba.org>
>To: lin li <goldli at hotmail.com>
>CC: MKaplan at snapappliance.com, abartlet at samba.org,   
>samba-technical at lists.samba.org
>Subject: RE: can I join win2000 domain with normal domain user?
>Date: 22 May 2003 01:06:51 +1000
>
>On Wed, 2003-05-21 at 22:19, lin li wrote:
> >
> >
> >
> > >From: Marc Kaplan <MKaplan at snapappliance.com>
> > >To: Andrew Bartlett <abartlet at samba.org>, Lin Li <goldli at hotmail.com>
> > >CC: samba-technical at lists.samba.org
> > >Subject: RE: can I join win2000 domain with normal domain user?
> > >Date: Tue, 20 May 2003 16:42:13 -0700
> > >
> > > > On Wed, 2003-05-21 at 06:50, Lin Li wrote:
> > > > > Hi,
> > > > >
> > > > > I'm using samba 3.0 alpha23. I found I need a domain admin
> > > > to join the win2000 active directory. With a win2000 client,
> > > > a normal domain user can do that. Is this a missing feature?
> > > >
> > > > It should work the same as a Win2k client now.  That patch has been in
> > > > there for a couple of months now.
> > > >
> > > > I'll need some more information on how the 'net join' fails.
> > > >
> > > > Andrew Bartlett
> > > >
> > >A "normal" domain user still needs permissions to join for both Win2k and
> > >Samba. Even in Windows not all users can join, they need to be members of
> > >the proper groups, have been delegated control of a particular OU, or been
> > >given explicit permissions to add workstations to the domain.
> > >
> > >			-Marc
> >
> >
> > Here is the error I got with 'net ads join':
> > ---------------------
> > [2003/05/21 20:08:05, 1] libsmb/clikrb5.c:krb5_mk_req2(267)
> >   krb5_cc_get_principal failed (No credentials cache found)
> > [2003/05/21 20:08:05, 0] libads/ldap.c:ads_join_realm(1361)
> >   ads_add_machine_acct: Insufficient access
> > ads_join_realm: Insufficient access
> > ----------------------
> > I can join the win2k client to the domain with the same domain user.
>
>Can I get some traces of that?  (an ethereal sniff of the Win2k client
>joining the domain without an admin password)
>

The user I used to join the win2k client to the domain is only a member of 
'Domain Users'. It's not necessary to be a domain admin.

Thanks,
Lin
