can I join win2000 domain with normal domain user?

lin li goldli at
Wed May 21 12:19:21 GMT 2003

>From: Marc Kaplan <MKaplan at>
>To: Andrew Bartlett <abartlet at>, Lin Li <goldli at>
>CC: samba-technical at
>Subject: RE: can I join win2000 domain with normal domain user?
>Date: Tue, 20 May 2003 16:42:13 -0700
> > On Wed, 2003-05-21 at 06:50, Lin Li wrote:
> > > Hi,
> > >
> > > I'm using samba 3.0 alpha23. I found I need a domain admin
> > to join the win2000 active directory. WIth a win2000 client,
> > a normal domain user can do that. Is this a missing feature?
> >
> > It should work the same as a Win2k client now.  That patch has been in
> > there for a couple of months now.
> >
> > I'll need some more information on how the 'net join' fails.
> >
> > Andrew Bartlett
> >
>A "normal" domain user still needs permissions to join for both Win2k and
>Samba. Even in Windows not all users can join, the need to be members of 
>proper groups, have been delegated control of a particular OU, or been 
>explicit permissions to add workstations to the domain.
>			-Marc

Here is the error I got with 'net ads join':
[2003/05/21 20:08:05, 1] libsmb/clikrb5.c:krb5_mk_req2(267)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/05/21 20:08:05, 0] libads/ldap.c:ads_join_realm(1361)
  ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access
I can join the win2k client to the domain with the same domain user.


STOP MORE SPAM with the new MSN 8 and get 2 months FREE*

More information about the samba-technical mailing list