Possible Bug/Quirk in Samba ADS Join Behaviour

Tavis tavis at galaxytelecom.net
Thu Sep 9 21:44:48 GMT 2004


Now I'm not an expert on LDAP, Kerberos or Windows NT, so I'm going to 
provide all the evidence that led me to think that there may be a 
bug/quirk here.

The issue surrounds the action of joining a Samba 3.0.6 server to a 
native 2003 ADS realm using an account that has the "Add workstations to 
domain" permission but is NOT in the "Administrators" group.

According to the traces I took with Ethereal, Samba sends 
either an "LDAP Update Request" or an "LDAP Modify Request" to change 
certain attributes related to its account. Unless the account used to 
join the realm is in the "Administrators" group this update/modify 
request fails and Samba terminates the join.

I also tried using a Windows XP (SP1) client to join the domain with the 
same account used by Samba and the join succeeded.

Looking at the traces, the XP client sends the same "LDAP 
Modify Request" as Samba but only tries to change the 
"DnsHostName" and "ServicePrincipalName" attributes, which the server 
accepts, whereas Samba tries to change the 
"dNSHostName", "userPrincipalName", "servicePrincipalName", 
"operatingSystem" and "operatingSystemVersion" attributes; the 
server does not accept these changes and this is where the join seems to 
fail.

When the account is in the "Administrators" group the DC accepts Samba's 
"LDAP Modify Request" and the join succeeds.
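The comparison above rests on which attributes each client's ModifyRequest carries. The following Python script is an added example (not part of this post, and not Samba or Windows code): it is a minimal BER encoder/decoder for the LDAP ModifyRequest PDU (RFC 4511, [APPLICATION 6]) that lists the attributes a request tries to change and reports any that go beyond the two the XP client sent. The two sample requests are constructed here; the DN, the SPN value and the messageID are assumed values chosen for the example, not taken from the traces.

```python
"""Decode an LDAP ModifyRequest from raw BER and list the attributes it changes.

Added example: a hand-rolled subset of the LDAP (RFC 4511) wire format, enough
to encode and decode a ModifyRequest so two requests can be compared offline.
"""

# --- minimal BER helpers -----------------------------------------------------

SEQUENCE, SET, OCTET_STRING, INTEGER, ENUMERATED = 0x30, 0x31, 0x04, 0x02, 0x0A
MODIFY_REQUEST = 0x66          # [APPLICATION 6], constructed
OPS = {0: "add", 1: "delete", 2: "replace"}


def _length(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


# --- ModifyRequest encode / decode ------------------------------------------

def build_modify_request(msg_id, dn, changes):
    """changes: list of (op_name, attribute, [values]); msg_id must be < 128."""
    op_code = {name: code for code, name in OPS.items()}
    mods = b"".join(
        tlv(SEQUENCE,
            tlv(ENUMERATED, bytes([op_code[op]])) +
            tlv(SEQUENCE,
                tlv(OCTET_STRING, attr.encode()) +
                tlv(SET, b"".join(tlv(OCTET_STRING, v.encode()) for v in vals))))
        for op, attr, vals in changes)
    modify = tlv(MODIFY_REQUEST, tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, mods))
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + modify)


def parse_modify_request(msg):
    """Return (messageID, dn, [(op, attribute, [values]), ...])."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op_body) = list(_children(body))[:2]
    if op_tag != MODIFY_REQUEST:
        raise ValueError("protocolOp is not a ModifyRequest")
    (_, dn), (_, change_list) = list(_children(op_body))[:2]
    changes = []
    for _, change in _children(change_list):
        (_, op), (_, partial) = list(_children(change))
        (_, attr), (_, vals) = list(_children(partial))
        changes.append((OPS[op[0]], attr.decode(),
                        [v.decode() for _, v in _children(vals)]))
    return int.from_bytes(msg_id, "big"), dn.decode(), changes


# Attributes the XP client's request touched (case-insensitive in LDAP).
XP_ATTRS = {"dnshostname", "serviceprincipalname"}


def attributes_beyond(msg, baseline=XP_ATTRS):
    """Attributes a ModifyRequest changes that are outside the baseline set."""
    _, _, changes = parse_modify_request(msg)
    return sorted({attr for _, attr, _ in changes if attr.lower() not in baseline})


# --- constructed sample requests (assumed DN, SPN and messageIDs) ------------

DN = "CN=LIN1_DEV,CN=Computers,DC=dev,DC=hq,DC=galnet,DC=ca"
HOST = "lin1.dev.hq.galnet.ca"

XP_STYLE = build_modify_request(3, DN, [
    ("replace", "dNSHostName", [HOST]),
    ("replace", "servicePrincipalName", ["HOST/" + HOST, "HOST/LIN1_DEV"]),
])

SAMBA_STYLE = build_modify_request(4, DN, [
    ("replace", "dNSHostName", [HOST]),
    ("replace", "userPrincipalName", ["HOST/" + HOST + "@DEV.HQ.GALNET.CA"]),
    ("replace", "servicePrincipalName", ["HOST/" + HOST, "HOST/LIN1_DEV"]),
    ("replace", "operatingSystem", ["Samba"]),
    ("replace", "operatingSystemVersion", ["3.0.6"]),
])

if __name__ == "__main__":
    for name, msg in (("xp", XP_STYLE), ("samba", SAMBA_STYLE)):
        _, dn, changes = parse_modify_request(msg)
        print(name, dn, [attr for _, attr, _ in changes],
              "beyond XP set:", attributes_beyond(msg))
```

To apply it to a real capture, feed the raw bytes of the LDAP PDU (the payload of the TCP segment Ethereal decodes as "LDAP Modify Request") to `parse_modify_request`; the decoder stops at the protocolOp, so trailing controls are ignored rather than rejected.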

The traces are contained in the archive at 
http://dream.cx/traces/trace_logs.tar.gz
- samba_nopreauth - indicates that there isn't a machine account in 
existence on the DC
- samba_preauth - indicates that a machine account exists on the DC (from 
a previously successful AD join)
- likewise for the winxp-sp1 files
- all files except for the .debug files are dumps from Ethereal in libpcap 
format
- the .debug files are STDERR and STDOUT from running the "net -d 10 ads 
join -U asdf%asdf" command


I'd posted something about this on the Samba General mailing list, but at 
that point I was assuming that there was(were) some privilege(s) needed 
to be given to the account that Samba used to join the domain.

I've seen quite a few references to this specific error 
("ads_join_realm: Insufficient access") in the Samba mailing lists and 
various message boards but no one seems to have found a definitive solution.

command used "net -d 10 ads join -U USER%PASSWORD"

System is running debian 3.0r2 Woody with Debian Testing Kerberos libraries
- libkrb5-dev  1.3.4-3
- libkrb53     1.3.4-3
- krb5-user    1.3.4-3
- krb5-config  1.6

Linux lin1.dev.hq.galnet.ca 2.4.27-flaneur_grsec2 #1 SMP Fri Aug 13 
03:00:15 UTC 2004 i686 unknown.
Kernel is a plain kernel.org kernel patched with 
grsecurity-2.0.1-2.4.27.patch from www.grsecurity.net (not using GRACLS, 
just the network, chroot and proc features)

Samba version is 3.0.6 (fresh install from source):
./configure --prefix=/usr/local/samba --with-configdir=/etc/samba \
--with-logfilebase=/var/log/samba --with-smbmount \
--with-pam_smbpass --with-syslog --with-ads --with-winbind

Relevant smb.conf configuration
#######################################################
[global]
       workgroup = DEV
       realm = DEV.HQ.GALNET.CA
       netbios name = LIN1_DEV
       server string = lin1.dev.hq.galnet.ca
       security = ADS
       password server = windev1.dev.hq.galnet.ca
       restrict anonymous = 2
       lanman auth = No
       ntlm auth = No
       client NTLMv2 auth = Yes
       client lanman auth = No
       client plaintext auth = No
       log file = /var/log/samba/log.%m
       disable netbios = Yes
       server signing = auto
       deadtime = 15
       max smbd processes = 1000
       socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       load printers = No
       local master = No
       domain master = No
       pid directory = /var/run/samba
       strict sync = Yes
       sync always = Yes
       hide special files = Yes
       hide unreadable = Yes
       include = /etc/samba/smb.conf.shares
       follow symlinks = No
######################################################
