Possible Bug/Quirk in Samba ADS Join Behaviour
Tavis
tavis at galaxytelecom.net
Thu Sep 9 21:44:48 GMT 2004
Now I'm not an expert on LDAP, Kerberos or Windows NT, so I'm going to
provide all the evidence that led me to think that there may be a
bug/quirk here.
The issue surrounds the action of joining a Samba 3.0.6 server to a
native 2003 ADS realm using an account that has the "Add workstations to
domain" permission but is NOT in the "Administrators" group.
The traces I took with Ethereal show Samba sending either an "LDAP
Update Request" or an "LDAP Modify Request" to change certain attributes
related to its account. Unless the account used to join the realm is in
the "Administrators" group, this update/modify request fails and Samba
terminates the join.
I also tried using a Windows XP (SP1) client to join the domain with the
same account used by Samba, and the join succeeded.
Looking at the traces, it looks like the XP client sends the same "LDAP
Modify Request" as Samba but only tries to change the "DnsHostName" and
"ServicePrincipalName" attributes, which the server accepts, whereas
Samba tries to change the "dNSHostName", "userPrincipalName",
"servicePrincipalName", "operatingSystem" and "operatingSystemVersion"
attributes; the server does not accept these changes, and this is where
the join seems to fail.
When the account is in the "Administrators" group the DC accepts Samba's
"LDAP Modify Request" and the join succeeds.
The traces are contained in the archive at
http://dream.cx/traces/trace_logs.tar.gz
samba_nopreauth - indicates that there isn't a machine account in
existence on the DC.
samba_preauth - indicates that a machine account exists on the DC (from
a previously successful AD join).
Likewise for the winxp-sp1 files.
All files except for the .debug files are dumps from Ethereal in libpcap
format.
The .debug files are STDERR and STDOUT from running the "net -d 10 ads
join -U asdf%asdf" command.
I'd posted something about this on the Samba General mailing list, but at
that point I was assuming that there was(were) some privilege(s) that
needed to be given to the account that Samba used to join the domain.
I've seen quite a few references to this specific error
("ads_join_realm: Insufficient access") in the Samba mailing lists and
various message boards, but no one seems to have found a definitive solution.
Command used: "net -d 10 ads join -U USER%PASSWORD"
System is running debian 3.0r2 Woody with Debian Testing Kerberos libraries
- libkrb5-dev 1.3.4-3
- libkrb53 1.3.4-3
- krb5-user 1.3.4-3
- krb5-config 1.6
Linux lin1.dev.hq.galnet.ca 2.4.27-flaneur_grsec2 #1 SMP Fri Aug 13
03:00:15 UTC 2004 i686 unknown.
Kernel is a plain kernel.org kernel patched with
grsecurity-2.0.1-2.4.27.patch from www.grsecurity.net (not using GRACLS,
just the network, chroot and proc features)
Samba version is 3.0.6 (fresh install from source):
./configure --prefix=/usr/local/samba --with-configdir=/etc/samba \
--with-logfilebase=/var/log/samba --with-smbmount \
--with-pam_smbpass --with-syslog --with-ads --with-winbind
Relevant smb.conf configuration
#######################################################
[global]
workgroup = DEV
realm = DEV.HQ.GALNET.CA
netbios name = LIN1_DEV
server string = lin1.dev.hq.galnet.ca
security = ADS
password server = windev1.dev.hq.galnet.ca
restrict anonymous = 2
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/log.%m
disable netbios = Yes
server signing = auto
deadtime = 15
max smbd processes = 1000
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
pid directory = /var/run/samba
strict sync = Yes
sync always = Yes
hide special files = Yes
hide unreadable = Yes
include = /etc/samba/smb.conf.shares
follow symlinks = No
######################################################
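The difference the post describes comes down to which attributes each client puts in its LDAP ModifyRequest. As an added example (not part of the original post and not Samba's or Windows' own code), the following Python decodes a BER-encoded LDAPMessage carrying a ModifyRequest (RFC 4511 layout, as Ethereal would show it) and lists the attributes the client is asking the DC to change, then flags those that go beyond the two the XP client was observed sending. The sample messages, the DN "CN=LIN1_DEV,CN=Computers,DC=dev,DC=hq,DC=galnet,DC=ca" and the attribute values are constructed for this example (hostname and realm taken from the smb.conf above); the XP attribute set reflects only what the post reports the DC accepting, not the AD default ACL, and the attribute is spelled userPrincipalName as AD names it.

```python
"""Decode an LDAP ModifyRequest (BER, RFC 4511) and list the attributes
a client asks the DC to change on its computer account."""

# BER tags used by an LDAPMessage/ModifyRequest
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_MODIFY_REQUEST = 0x66  # [APPLICATION 6], constructed

MOD_OPS = {0: "add", 1: "delete", 2: "replace"}

# Attributes the XP SP1 client was seen modifying in the report (accepted
# by the DC). LDAP attribute names are case-insensitive, so compare lowercased.
XP_OBSERVED_ATTRS = {"dnshostname", "serviceprincipalname"}


def _encode_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(payload)) + payload


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def build_modify_request(message_id: int, dn: str, changes) -> bytes:
    """Encode an LDAPMessage carrying a ModifyRequest (used here only to build
    sample input; message_id must be below 128 for the one-byte INTEGER)."""
    change_seqs = b""
    for op, attr, values in changes:
        vals = b"".join(_tlv(TAG_OCTET_STRING, v.encode()) for v in values)
        partial = _tlv(TAG_SEQUENCE,
                       _tlv(TAG_OCTET_STRING, attr.encode()) + _tlv(TAG_SET, vals))
        change_seqs += _tlv(TAG_SEQUENCE, _tlv(TAG_ENUMERATED, bytes([op])) + partial)
    modify = _tlv(TAG_MODIFY_REQUEST,
                  _tlv(TAG_OCTET_STRING, dn.encode()) + _tlv(TAG_SEQUENCE, change_seqs))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + modify)


def parse_modify_request(data: bytes):
    """Decode an LDAPMessage/ModifyRequest; return (dn, [(op, attribute, [values])])."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, _msg_id, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != TAG_MODIFY_REQUEST:
        raise ValueError("protocolOp is not a ModifyRequest")
    _, dn, pos = _read_tlv(body, 0)
    _, changes_blob, _ = _read_tlv(body, pos)
    changes, pos = [], 0
    while pos < len(changes_blob):
        _, change, pos = _read_tlv(changes_blob, pos)
        _, op, p = _read_tlv(change, 0)              # ENUMERATED operation
        _, partial, _ = _read_tlv(change, p)          # PartialAttribute
        _, attr, p2 = _read_tlv(partial, 0)
        _, vals_blob, _ = _read_tlv(partial, p2)
        values, vp = [], 0
        while vp < len(vals_blob):
            _, v, vp = _read_tlv(vals_blob, vp)
            values.append(v.decode())
        changes.append((MOD_OPS[op[0]], attr.decode(), values))
    return dn.decode(), changes


def attributes_beyond_xp_set(changes):
    """Attributes in a decoded request that the XP client was not seen sending."""
    return sorted({attr for _, attr, _ in changes if attr.lower() not in XP_OBSERVED_ATTRS})


# Constructed sample input modelled on the attribute lists in the report.
SAMPLE_DN = "CN=LIN1_DEV,CN=Computers,DC=dev,DC=hq,DC=galnet,DC=ca"
SAMBA_LIKE_CHANGES = [
    (2, "dNSHostName", ["lin1.dev.hq.galnet.ca"]),
    (2, "userPrincipalName", ["host/lin1.dev.hq.galnet.ca@DEV.HQ.GALNET.CA"]),
    (2, "servicePrincipalName", ["HOST/lin1.dev.hq.galnet.ca", "HOST/LIN1_DEV"]),
    (2, "operatingSystem", ["Samba"]),
    (2, "operatingSystemVersion", ["3.0.6"]),
]
XP_LIKE_CHANGES = [
    (2, "dNSHostName", ["lin1.dev.hq.galnet.ca"]),
    (2, "servicePrincipalName", ["HOST/lin1.dev.hq.galnet.ca", "HOST/LIN1_DEV"]),
]

if __name__ == "__main__":
    for label, sample in (("samba-like", SAMBA_LIKE_CHANGES), ("xp-like", XP_LIKE_CHANGES)):
        dn, changes = parse_modify_request(build_modify_request(3, SAMPLE_DN, sample))
        print(label, dn, [a for _, a, _ in changes], "extra:", attributes_beyond_xp_set(changes))
```

Feed the decoder the raw bytes of a ModifyRequest exported from a capture and the extra-attribute list tells you at a glance whether a failing join is attempting writes outside what a non-administrator account was seen to be allowed; the outer SEQUENCE of the Samba-like sample exceeds 127 bytes, so the long-form length path is exercised too.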