can I join win2000 domain with normal domain user?

Andrew Bartlett abartlet at samba.org
Wed May 21 15:07:27 GMT 2003


On Wed, 2003-05-21 at 22:19, lin li wrote:
> 
> 
> 
> >From: Marc Kaplan <MKaplan at snapappliance.com>
> >To: Andrew Bartlett <abartlet at samba.org>, Lin Li <goldli at hotmail.com>
> >CC: samba-technical at lists.samba.org
> >Subject: RE: can I join win2000 domain with normal domain user?
> >Date: Tue, 20 May 2003 16:42:13 -0700
> >
> > > On Wed, 2003-05-21 at 06:50, Lin Li wrote:
> > > > Hi,
> > > >
> > > > I'm using samba 3.0 alpha23. I found I need a domain admin
> > > > to join the win2000 active directory. With a win2000 client,
> > > > a normal domain user can do that. Is this a missing feature?
> > >
> > > It should work the same as a Win2k client now.  That patch has been in
> > > there for a couple of months now.
> > >
> > > I'll need some more information on how the 'net join' fails.
> > >
> > > Andrew Bartlett
> > >
> >A "normal" domain user still needs permissions to join for both Win2k and
> >Samba. Even in Windows not all users can join, they need to be members of
> >the proper groups, have been delegated control of a particular OU, or been
> >given explicit permissions to add workstations to the domain.
> >
> >			-Marc
> 
> 
> Here is the error I got with 'net ads join':
> ---------------------
> [2003/05/21 20:08:05, 1] libsmb/clikrb5.c:krb5_mk_req2(267)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2003/05/21 20:08:05, 0] libads/ldap.c:ads_join_realm(1361)
>   ads_add_machine_acct: Insufficient access
> ads_join_realm: Insufficient access
> ----------------------
> I can join the win2k client to the domain with the same domain user.

Can I get some traces of that?  (an ethereal sniff of the Win2k client
joining the domain without an admin password)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net