Samba 4 insufficientAccessRights when modifying Configuration
Brian C. Huffman
bhuffman at etinternational.com
Wed Aug 1 07:49:11 MDT 2012
Matthieu,
I used the MMC "Active Directory Users and Computers" to make the change
you suggested. Unfortunately I still get the insufficientAccessRights.
So now I'm not sure what's going on because your idea made sense and
sounded very promising.
Brian
On 07/31/2012 11:52 PM, Matthieu Patou wrote:
> On 07/31/2012 07:18 AM, Brian C. Huffman wrote:
>> Unfortunately I can run it as Administrator but it appears that
>> programatically it still tries to install as the machine account. I
>> did some research and it turns out that the vendor intends you to run
>> it on the AD server itself (which won't be possible for Samba).
>>
> I suspect they expect you to run it on one of the DC, in this case the
> computer account is member of the domain controllers that have a lot
> of rights !
>
>> However while trying to work around this, I found a difference
>> between Samba and a Windows 2008 AD server. With the Win2k8 AD
>> server, I'm able to add the machine account, with inherited write
>> permissions to CN=DisplaySpecifiers,CN=Configuration and then the
>> installer succeeds. When I try to do the same with Samba, it doesn't
>> give me any warnings, but it silently refuses to add the permissions
>> to the descendants of DisplaySpecifiers. Is this known / intended
>> behavior?
>>
> As nadya said we now this "issue" the way to do it for you is to add
> the machine account via ADSI or ldbedit to the domain admins group, it
> should do the job. Once the installation is finished, remove it from
> this group.
>
> Matthieu.
>
>
More information about the samba-technical
mailing list