[Samba] Chasing the "ads_add_machine_acct: Insufficient access" problem
Greg Folkert
greg at gregfolkert.net
Tue Jul 20 22:06:38 GMT 2004
Okay, the gist of this whole thing: I get this infamous (?) problem. I
have been trying to search through the archives of samba-general on gmane
and also in my archive of this list. I have only seen requests for the
magical answer.
Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
compiled from source.
Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
i686 athlon i386 GNU/Linux
Here is the problem in a nutshell:
[root at roar root]# net ads join Computers -S mydc1.mynetwork.com
[2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access
and the important pieces of smb.conf:
[global]
workgroup = MYNETWORK
netbios name = ROAR
server string = Lotsa Room
security = ADS
realm = MYNETWORK.COM
auth methods = winbind
password server = mydc1.mynetwork.com
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = host wins lmhosts bcast
#tried both spnego Yes and No same diff.
use spnego = Yes
# use spnego = No
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
os level = 49
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
winbind separator = +
winbind nested groups = Yes
winbind cache time = 20
template homedir = /home/%D/%U
invalid users = root
ea support = Yes
hide special files = Yes
hide unreadable = Yes
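Added example (not part of the original message, and not Samba's own code): a small Python audit of a [global] section like the one above. It parses smb.conf syntax, then checks the ADS-join prerequisites (security = ADS, an upper-case realm, a pinned password server) and the legacy-authentication settings (lanman/ntlm/plaintext disabled, NTLMv2 enabled, SMB signing). The embedded sample is a constructed excerpt of the config posted above; the set of parameters checked and the severity levels are my own choice, not anything Samba ships.

```python
"""Audit the [global] section of an smb.conf for ADS-join prerequisites and
authentication hardening.  Example code, not part of Samba."""
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the [global] section posted in the message.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYNETWORK
    netbios name = ROAR
    security = ADS
    realm = MYNETWORK.COM
    password server = mydc1.mynetwork.com
    lanman auth = No
    ntlm auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    #tried both spnego Yes and No same diff.
    use spnego = Yes
    # use spnego = No
    server signing = auto
    invalid users = root

[homes]
    browseable = No
"""

Finding = Tuple[str, str, str]  # (severity, parameter, message)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.
    Comment lines ('#' or ';') are skipped; parameter names are lower-cased
    with whitespace collapsed, since Samba treats them case-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(g: Dict[str, str]) -> List[Finding]:
    """Return findings for a parsed [global] section, deterministic in order."""
    findings: List[Finding] = []

    # ADS join prerequisites
    if g.get("security", "").lower() != "ads":
        findings.append(("error", "security", "must be ADS for 'net ads join'"))
    realm = g.get("realm", "")
    if not realm:
        findings.append(("error", "realm", "not set; required for a Kerberos/AD join"))
    elif realm != realm.upper():
        findings.append(("warn", "realm", "Kerberos realm names are upper-case; a mismatch breaks ticket lookup"))
    if not g.get("password server"):
        findings.append(("info", "password server", "not pinned; a DC will be located via DNS"))

    # Legacy-authentication hardening: each of these should be an explicit No
    for key in ("lanman auth", "ntlm auth", "client lanman auth", "client plaintext auth"):
        if key not in g:
            findings.append(("warn", key, "not set explicitly; relying on the build default"))
        elif _is_yes(g[key]):
            findings.append(("error", key, "enables a weak legacy authentication method"))
    if not _is_yes(g.get("client ntlmv2 auth", "no")):
        findings.append(("warn", "client ntlmv2 auth", "should be Yes so any outbound NTLM is NTLMv2"))
    signing = g.get("server signing", "").lower()
    if signing != "mandatory":
        findings.append(("warn", "server signing",
                         f"is '{signing or 'unset'}'; 'mandatory' resists SMB tampering and relay"))
    return findings


def audit_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse and audit the [global] section of smb.conf text."""
    return audit_global(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for severity, param, msg in audit_text(SAMPLE_SMB_CONF):
        print(f"{severity:5s} {param}: {msg}")
```

On the posted config this reports only that server signing is "auto" rather than mandatory; running it against a config with security = user and no realm produces the errors that would explain a failed join before any Kerberos troubleshooting is needed.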
And here is my klist:
[root at mash root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roarad at MYNETWORK.COM
Valid starting Expires Service principal
07/20/04 16:21:53 07/21/04 02:22:01 krbtgt/MYNETWORK.COM at MYNETWORK.COM
renew until 07/21/04 16:21:53
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Yes, roarad at MYNETWORK.COM has rights to create users and machines in the
AD Tree in "Computers"
So, now, given that this is an existing problem in v3.0.4, I have to
show the way I configured and compiled it. I also compiled MIT Kerberos
v1.3.4 the proper way (similar to this). Personally I like integrations.
Here is the configure for samba v3.0.4:
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
--datadir=/usr/share --includedir=/usr/include \
--libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com \
--mandir=/usr/share/man --infodir=/usr/share/info \
--with-acl-support --with-automount \
--with-codepagedir=/usr/share/samba/codepages --with-fhs \
--with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
--with-pam_smbpass --with-piddir=/var/run \
--with-privatedir=/etc/samba --with-quotas --with-smbmount \
--with-swatdir=/usr/share/swat --with-syslog --with-utmp \
--with-vfs --without-smbwrapper --with-ads --with-winbind \
--with-krb5
Here is the configure for krb5-1.3.4:
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
--datadir=/usr/share --includedir=/usr/include \
--libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com \
--mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
-fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
--enable-static --bindir=/usr/kerberos/bin \
--mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
--datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
--with-krb4 --with-system-et --with-system-ss --without-tcl \
--enable-dns
Now, maybe this could be one of those problems where someone has had a
chance to fix this. Or maybe someone used a workaround, or knows WHY.
All I know is that W2K/W2K3 AD-driven Kerberos is heavily undocumented, and
provides little in the way of useful logs telling me what might be
the problem on that end.
Much thanks to anyone that has a good fix or knows where to look or
*SOMETHING*
--
greg, greg at gregfolkert.net
The technology that is
Stronger, better, faster: Linux