Samba 4 insufficientAccessRights when modifying Configuration

Brian C. Huffman bhuffman at etinternational.com
Wed Aug 1 08:01:24 MDT 2012


Yep - In fact, I removed the machine account from Domain Admins, tried 
again, and did a diff between the two modify responses. Kerberos info is 
different and the timestamps are different, but everything else is the same.

Brian

On 08/01/2012 09:51 AM, Nadezhda Ivanova wrote:
> Is it the same error on the same operation?
>
> On Wed, Aug 1, 2012 at 4:49 PM, Brian C. Huffman
> <bhuffman at etinternational.com> wrote:
>
>     Matthieu,
>
>     I used the MMC "Active Directory Users and Computers" to make the
>     change you suggested.  Unfortunately I still get the
>     insufficientAccessRights.  So now I'm not sure what's going on
>     because your idea made sense and sounded very promising.
>
>     Brian
>
>
>
>
>     On 07/31/2012 11:52 PM, Matthieu Patou wrote:
>
>         On 07/31/2012 07:18 AM, Brian C. Huffman wrote:
>
>             Unfortunately I can run it as Administrator but it appears
>             that programmatically it still tries to install as the
>             machine account.  I did some research and it turns out
>             that the vendor intends you to run it on the AD server
>             itself (which won't be possible for Samba).
>
>         I suspect they expect you to run it on one of the DCs; in this
>         case the computer account is a member of the domain controllers
>         that have a lot of rights!
>
>             However while trying to work around this, I found a
>             difference between Samba and a Windows 2008 AD server.
>             With the Win2k8 AD server, I'm able to add the machine
>             account, with inherited write permissions to
>             CN=DisplaySpecifiers,CN=Configuration and then the
>             installer succeeds.  When I try to do the same with Samba,
>             it doesn't give me any warnings, but it silently refuses
>             to add the permissions to the descendants of
>             DisplaySpecifiers.  Is this known / intended behavior?
>
>         As Nadya said, we know this "issue"; the way to do it for you is
>         to add the machine account via ADSI or ldbedit to the domain
>         admins group, it should do the job. Once the installation is
>         finished, remove it from this group.
>
>         Matthieu.
>
>
>
>


