Samba 4 insufficientAccessRights when modifying Configuration
Nadezhda Ivanova
nivanova at samba.org
Tue Jul 31 09:05:55 MDT 2012
It is known, but not intended; we have to fix the descriptor propagation.
On Tue, Jul 31, 2012 at 5:18 PM, Brian C. Huffman <
bhuffman at etinternational.com> wrote:
> Unfortunately I can run it as Administrator but it appears that
> programmatically it still tries to install as the machine account. I did
> some research and it turns out that the vendor intends you to run it on the
> AD server itself (which won't be possible for Samba).
>
> However while trying to work around this, I found a difference between
> Samba and a Windows 2008 AD server. With the Win2k8 AD server, I'm able to
> add the machine account, with inherited write permissions to
> CN=DisplaySpecifiers,CN=Configuration and then the installer succeeds.
> When I try to do the same with Samba, it doesn't give me any warnings, but
> it silently refuses to add the permissions to the descendants of
> DisplaySpecifiers. Is this known / intended behavior?
>
> Thanks,
> Brian
>
>
> On 07/31/2012 01:48 AM, Andrew Bartlett wrote:
>
>> On Mon, 2012-07-30 at 14:05 -0400, Brian C. Huffman wrote:
>>
>>> Another difference seems to be how it binds. I'm not sure what this
>>> means, but the Client Name (Principal) part of the Kerberos ticket is
>>> different. Reminder - the modify performed by ADSI succeeds whereas the
>>> one by the installer fails.
>>>
>>> (Installer):
>>> Client Realm: XMEN.ETI
>>> Client Name (Principal): bhuffman-v1$
>>> (ADSI):
>>> (Principal): Administrator
>>>
>> This is the key detail. Install as administrator and it should just
>> work. It is not generally expected that a machine account has
>> permission to modify the directory.
>>
>> Andrew Bartlett
>>
>>
>