Samba 4 insufficientAccessRights when modifying Configuration
Brian C. Huffman
bhuffman at etinternational.com
Tue Jul 31 08:18:49 MDT 2012
Unfortunately I can run it as Administrator, but it appears that
programmatically it still tries to install as the machine account. I did
some research and it turns out that the vendor intends you to run it on
the AD server itself (which won't be possible for Samba).

However, while trying to work around this, I found a difference between
Samba and a Windows 2008 AD server. With the Win2k8 AD server, I'm able
to add the machine account, with inherited write permissions to
CN=DisplaySpecifiers,CN=Configuration and then the installer succeeds.
When I try to do the same with Samba, it doesn't give me any warnings,
but it silently refuses to add the permissions to the descendants of
DisplaySpecifiers. Is this known / intended behavior?

Thanks,
Brian

On 07/31/2012 01:48 AM, Andrew Bartlett wrote:
> On Mon, 2012-07-30 at 14:05 -0400, Brian C. Huffman wrote:
>> Another difference seems to be how it binds. I'm not sure what this
>> means, but the Client Name (Principal) part of the Kerberos ticket is
>> different. Reminder - the modify performed by ADSI succeeds whereas the
>> one by the installer fails.
>>
>> (Installer):
>> Client
>> Realm: XMEN.ETI
>> Client Name
>> (Principal): bhuffman-v1$
>> (ADSI):
>> (Principal): Administrator
> This is the key detail. Install as administrator and it should just
> work. It is not generally expected that a machine account has
> permission to modify the directory.
>
> Andrew Bartlett
>