[Samba] Joining samba to AD domain with a non-admin user

[Chere Zhou]

I need help to resolve this issue.

I saw that Andrew put a patch by Antti to enable users without full admin 
access to join samba into an AD domain.  I am playing with it and always get 
"Insufficient access".  Using the same user, I can join a Windows box into 
the domain just fine.  The user is a member of "domain users", but not 
"domain admins".  I can use a user in "domain admins" to join the AD domain 
fine too.  I tried with beta3, and it's the same as alpha24 and alpha21 (a21 
did not have Antti's patch).  

So my question is, is this supported, or broken, or am I using it wrong?  The 
failure happens during ldap_add_s called from ads_add_machine_acct().  I do 
kinit before the "net ads join" command.  However I haven't found where the 
kerberos ticket was used before the failure although the ticket does make a 
difference.

Thanks,
Chere