Joining a Windows 2008 R2 error

Andrew Bartlett abartlet at samba.org
Thu Sep 16 14:48:00 MDT 2010 

On Tue, 2010-09-14 at 16:58 -0500, David Gonzalez wrote:
> Hi,
> 
> UPDATE: Dynamic DNS updates work now, just change the  update-policy {}; to
> allow-update { any; };
> and donot add or comment out these lines on smb.conf.
> 
> //      tkey-gssapi-credential "DNS/samba.dghvoip.com";
> //      tkey-domain "SAMBA.DGHVOIP.COM";

That's rather an insecure configuration.  Did you try and ensure that
BIND had access to the keytab as instructed?  We do know that this is a
difficult area to get right however, and are working to try and make it
more automate, and less prone to failure. 

> Now, I've "sucesfully" joined a W2k8 server machine to my domain, the
> dcpromo it but these errors show on my logs:
> 
> Failed to modify SPNs on CN=VMW2K8,CN=Computers,DC=samba,DC=dghvoip,DC=com:
> error in module acl: insufficient access rights (50)
> [Tue Sep 14 16:49:45 2010 COT, 0
> ../rpc_server/drsuapi/writespn.c:103:dcesrv_drsuapi_DsWriteAccountSpn()]
> Failed to modify SPNs on CN=VMW2K8,CN=Computers,DC=samba,DC=dghvoip,DC=com:
> error in module acl: insufficient access rights (50)
> [Tue Sep 14 16:49:45 2010 COT, 0
> ../rpc_server/drsuapi/writespn.c:103:dcesrv_drsuapi_DsWriteAccountSpn()]
> Failed to modify SPNs on cn=vmw2k8,cn=computers,dc=samba,dc=dghvoip,dc=com:
> error in module acl: insufficient access rights (50)

Exactly which version is this?

> And after the w2k8 start this shows up on samba.log
> 
> /usr/local/samba/sbin/samba_dnsupdate:     import samba
> [Tue Sep 14 16:52:10 2010 COT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: ImportError: No module named samba
> [Tue Sep 14 16:52:10 2010 COT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call last):
> [Tue Sep 14 16:52:10 2010 COT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_spnupdate:   File
> "/usr/local/samba/sbin/samba_spnupdate", line 30, in ?
> [Tue Sep 14 16:52:10 2010 COT, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]

It seems that something is wrong with the pythonpath - the script isn't
finding the installed python libraries. 

In any case, you would do well to run the code we just updated
yesterday, as we fixed an issue with that script and kerberos-enabled
nsupdate -g. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100917/5785128e/attachment.pgp>

More information about the samba-technical mailing list