Samba 4 insufficientAccessRights when modifying Configuration

Nadezhda Ivanova nivanova at
Tue Jul 31 09:05:55 MDT 2012

It is known, but not intended, we have to fix the descriptor propagation.

On Tue, Jul 31, 2012 at 5:18 PM, Brian C. Huffman <
bhuffman at> wrote:

> Unfortunately I can run it as Administrator but it appears that
> programatically it still tries to install as the machine account.  I did
> some research and it turns out that the vendor intends you to run it on the
> AD server itself (which won't be possible for Samba).
> However while trying to work around this, I found a difference between
> Samba and a Windows 2008 AD server.  With the Win2k8 AD server, I'm able to
> add the machine account, with inherited write permissions to
> CN=DisplaySpecifiers,CN=**Configuration and then the installer succeeds.
>  When I try to do the same with Samba, it doesn't give me any warnings, but
> it silently refuses to add the permissions to the descendants of
> DisplaySpecifiers.  Is this known / intended behavior?
> Thanks,
> Brian
> On 07/31/2012 01:48 AM, Andrew Bartlett wrote:
>> On Mon, 2012-07-30 at 14:05 -0400, Brian C. Huffman wrote:
>>> Another difference seems to be how it binds.  I'm not sure what this
>>> means, but the Client Name (Principal) part of the Kerberos ticket is
>>> different.  Reminder - the modify performed by ADSI succeeds whereas the
>>> one by the installer fails.
>>> (Installer):
>>>                                                               Client
>>> Realm: XMEN.ETI
>>>                                                               Client Name
>>> (Principal): bhuffman-v1$
>>> (ADSI):
>>> (Principal): Administrator
>> This is the key detail.  Install as administrator and it should just
>> work.  It is not generally expected that a machine account has
>> permission to modify the directory.
>> Andrew Bartlett

More information about the samba-technical mailing list