[Samba] Re: Joining samba to AD domain with a non-admin user
Antti Andreimann
Antti.Andreimann at mail.ee
Fri Jul 18 20:29:37 GMT 2003
One fine day (Friday, 18 July 2003 03:12) Chere Zhou wrote:
> So my question is, is this supported, or broken, or am I using it wrong?
Well it is supported, but not extensively tested with different users.
Therefore it is great that You are actually trying this feature out.
> The failure happens during ldap_add_s called from ads_add_machine_acct().
The failure in ldap_add_s seems to indicate that AD is refusing to add the
machine account maybe due to insufficient rights, but maybe because there is
already an account for the machine.
Do You get any other error messages as well? Failure to delete the account
prior to adding for instance?
> I do kinit before the "net ads join" command. However I haven't found
> where the kerberos ticket was used before the failure although the ticket
> does make a difference.
The first thing that comes to my mind is that maybe You should try
net ads join -U username.
This way the net command will get a brand new ticket from AD. It should use
Kerberos cache otherwise and actually both ways should work, but maybe there
is some unknown bug.
Another thing that You could try is to remove the machine account from AD by
hand (if it exists) prior to joining it with samba.
I am looking forward to receiving Your feedback if and how any of those
suggestions worked.
--
Antti Andreimann
Using Linux since 1993
Member of ELUG since 29.01.2000