[Samba] Re: Joining samba to AD domain with a non-admin user

Chere Zhou qzhou at isilon.com
Sat Jul 19 00:24:53 GMT 2003


Well, I know that the user I am using does not have rights to delete from 
LDAP, whether joining a Windows box or Samba.  So I am careful enough to 
delete the account from ADS first.  Otherwise, it will fail at deleting the 
computer account for both Win and Samba.

Secondly, using -U or not with net ads join does not make a difference.  I 
did debug through there to find that it is the ldap_add_s that fails.  However, I 
do not see how my Kerberos user principal is being used for the LDAP 
connection, though a different principal does make a difference.  I guess 
it's the bind to LDAP call?  But the ads.auth.user_name is always root, which 
is the Unix account I am working on, and ads.auth.password is always "".


On Friday 18 July 2003 01:29 pm, Antti Andreimann wrote:
> On a fine day (Friday, 18 July 2003 03:12) Chere Zhou wrote:
> > So my question is, is this supported, or broken, or am I using it wrong?
>
> Well it is supported, but not extensively tested with different users.
> Therefore it is great that You are actually trying this feature out.
>
> > The failure happens during ldap_add_s called from ads_add_machine_acct().
>
> The failure in ldap_add_s seems to indicate that AD is refusing to add the
> machine account, maybe due to insufficient rights, but maybe because there is
> already an account for the machine.
> Do You get any other error messages as well? Failure to delete the account
> prior to adding for instance?
>
> > I do kinit before the "net ads join" command.  However I haven't found
> > where the kerberos ticket was used before the failure although the ticket
> > does make a difference.
>
> The first thing that comes to my mind is that maybe You should try
> net ads join -U username.
> This way the net command will get a brand new ticket from AD. It should use
> the kerberos cache otherwise, and actually both ways should work, but maybe
> there is some unknown bug.
> Another thing that You could try is to remove the machine account from AD
> by hand (if it exists) prior to joining it with samba.
> I am looking forward to receiving Your feedback on if and how any of those
> suggestions worked.
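The two causes Antti names for the ldap_add_s failure (no usable Kerberos ticket, or a computer account that already exists) can both be checked before running net ads join. The script below is an added example for this thread, not code from Samba or from either poster. It assumes MIT Kerberos klist output, OpenLDAP ldapsearch with the SASL GSSAPI plugin, and placeholder values (joinuser, SAMBAHOST, EXAMPLE.COM, and the DC and base DN passed on the command line); the sample klist and LDIF outputs are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Pre-flight checks before "net ads join" (added example; not Samba code).
# Assumptions: MIT Kerberos "klist" output format, OpenLDAP "ldapsearch" with
# the SASL GSSAPI plugin, and placeholder host/realm/DC/base DN values.

# Constructed sample outputs so the parsing functions can be tested offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: joinuser@EXAMPLE.COM

Valid starting     Expires            Service principal
07/18/03 13:00:00  07/18/03 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_LDIF='dn: CN=SAMBAHOST,CN=Computers,DC=example,DC=com
sAMAccountName: SAMBAHOST$'

# Print the principal the ticket cache belongs to (empty if there is none).
ticket_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# Succeed if the cache holds a TGT for realm $2. "net ads join" without -U
# relies on this cache, so a missing or foreign-realm TGT explains a failure.
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# Succeed if LDIF output $1 already lists a computer object named $2$.
computer_account_present() {
    printf '%s\n' "$1" | grep -qi "^sAMAccountName: $2"'\$$'
}

# Live run: preflight HOST REALM DC BASEDN
preflight() {
    host=$1 realm=$2 dc=$3 base=$4
    klist_out=$(klist 2>/dev/null) || {
        echo "no ticket cache: run kinit first, or use 'net ads join -U user'"
        return 1
    }
    if ! has_tgt_for_realm "$klist_out" "$realm"; then
        echo "cache belongs to $(ticket_principal "$klist_out"); no TGT for $realm"
        return 1
    fi
    # A SASL/GSSAPI bind reuses the same ticket net would use for its bind.
    ldif=$(ldapsearch -Y GSSAPI -LLL -H "ldap://$dc" -b "$base" \
        "(sAMAccountName=$host\$)" sAMAccountName 2>/dev/null)
    if computer_account_present "$ldif" "$host"; then
        echo "computer account $host\$ exists; ldap_add_s will fail unless it is removed first"
        return 2
    fi
    echo "no existing account; try: net ads join -U $(ticket_principal "$klist_out" | cut -d@ -f1)"
}

if [ "${1:-}" = "live" ]; then
    preflight "$2" "$3" "$4" "$5"
fi
```

Run it as `sh preflight.sh live SAMBAHOST EXAMPLE.COM dc1.example.com DC=example,DC=com` after kinit. Without the `live` argument it only defines the functions, which is how the sample outputs are checked. Separating the parsing from the live commands is what makes the "account already exists" and "wrong realm in the cache" cases testable without a domain controller.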


