[Samba] Re: Joining samba to AD domain with a non-admin user

Antti Andreimann Antti.Andreimann at mail.ee
Fri Jul 18 20:29:37 GMT 2003

One fine day (Friday, 18 July 2003 03:12) Chere Zhou wrote:

> So my question is, is this supported, or broken, or am I using it wrong? 

Well, it is supported, but not extensively tested with different users.
Therefore it is great that You are actually trying this feature out.

> The failure happens during ldap_add_s called from ads_add_machine_acct(). 

The failure in ldap_add_s seems to indicate that AD is refusing to add the 
machine account maybe due to insufficient rights, but maybe because there is 
already an account for the machine.
Do You get any other error messages as well? Failure to delete the account 
prior to adding for instance?

> I do kinit before the "net ads join" command.  However I haven't found
> where the kerberos ticket was used before the failure although the ticket
> does make a difference.

The first thing that comes to my mind is that maybe You should try
net ads join -U username.
This way the net command will get a brand new ticket from AD. It should use 
kerberos cache otherwise and actually both ways should work, but maybe there 
is some unknown bug.
Another thing that You could try is to remove the machine account from AD by 
hand (if it exists) prior to joining it with samba.
I am looking forward to receiving Your feedback if and how any of those 
suggestions worked.

            Antti Andreimann
       Using Linux since 1993
Member of ELUG since 29.01.2000
