[Samba] Chasing the "ads_add_machine_acct: Insufficient access" problem

Greg Folkert greg at gregfolkert.net
Tue Jul 20 22:06:38 GMT 2004


Okay, the gist of this whole thing: I get this infamous (?) problem, and I
have been trying to search through the archives of samba-general on gmane
and also in my archive of this list. I have only seen requests for the
magical answer.

Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
compiled from source.

Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
i686 athlon i386 GNU/Linux


Here is the problem in a nutshell:

        [root at roar root]# net ads join Computers -S mydc1.mynetwork.com
        [2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
          ads_add_machine_acct: Insufficient access
        ads_join_realm: Insufficient access

and the important pieces of smb.conf:

        [global]
                workgroup = MYNETWORK
                netbios name = ROAR
                server string = Lotsa Room
                security = ADS
                realm = MYNETWORK.COM
                auth methods = winbind
                password server = mydc1.mynetwork.com
                passwd program = /usr/bin/passwd %u
                passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
                lanman auth = No
                ntlm auth = No
                client NTLMv2 auth = Yes
                client lanman auth = No
                client plaintext auth = No
                syslog = 0
                log file = /var/log/samba/log.%m
                max log size = 10000
                smb ports = 445
                disable netbios = Yes
                max xmit = 65535
                name resolve order = host wins lmhosts bcast
        #tried both spnego Yes and No same diff.
                use spnego = Yes
        #       use spnego = No
                server signing = auto
                deadtime = 10080
                socket options = IPTOS_LOWDELAY TCP_NODELAY
                logon path =
                logon home =
                os level = 49
                preferred master = No
                local master = No
                domain master = No
                dns proxy = No
                ldap ssl = no
                idmap uid = 10000-40000
                idmap gid = 10000-40000
                winbind separator = +
                winbind nested groups = Yes
                winbind cache time = 20
                template homedir = /home/%D/%U
                invalid users = root
                ea support = Yes
                hide special files = Yes
                hide unreadable = Yes

And here is my klist:

        [root at mash root]# klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: roarad at MYNETWORK.COM
        
        Valid starting     Expires            Service principal
        07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM at MYNETWORK.COM
                renew until 07/21/04 16:21:53
        
        
        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached

Yes, roarad at MYNETWORK.COM has rights to create users and machines in the
AD Tree in "Computers"

So, now, given that this is an existing problem in v3.0.4, I have to
show the way I configured and compiled it. I also compiled MIT Kerberos
v1.3.4 the proper way (similar to this). Personally I like integrations.

Here is the configure for samba v3.0.4: 

        ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
        --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
        --datadir=/usr/share --includedir=/usr/include \
        --libdir=/usr/lib --libexecdir=/usr/libexec \
        --localstatedir=/var --sharedstatedir=/usr/com \
        --mandir=/usr/share/man --infodir=/usr/share/info \
        --with-acl-support --with-automount \
        --with-codepagedir=/usr/share/samba/codepages --with-fhs \
        --with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
        --with-pam_smbpass --with-piddir=/var/run \
        --with-privatedir=/etc/samba --with-quotas --with-smbmount \
        --with-swatdir=/usr/share/swat --with-syslog --with-utmp \
        --with-vfs --without-smbwrapper --with-ads --with-winbind \
        --with-krb5

Here is the configure for krb5-1.3.4:

        ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
        --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
        --datadir=/usr/share --includedir=/usr/include \
        --libdir=/usr/lib --libexecdir=/usr/libexec \
        --localstatedir=/var --sharedstatedir=/usr/com \
        --mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
        CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
        -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
        --enable-static --bindir=/usr/kerberos/bin \
        --mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
        --datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
        --with-krb4 --with-system-et --with-system-ss --without-tcl \
        --enable-dns

Now, maybe this could be one of those problems where someone has had a
chance to fix this. Or maybe someone used a workaround, or knows WHY.

All I know is that W2K/W2K3 AD-driven Kerberos is heavily undocumented, and
provides little in the way of useful logs... telling me what might be
the problem on that end.

Much thanks to anyone that has a good fix or knows where to look or
*SOMETHING*

-- 
greg, greg at gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
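As an added example (not part of Greg's post), a small POSIX shell pre-flight check that parses a klist listing and an smb.conf fragment, both constructed here from the values shown in the post, and confirms that the principal's realm, the TGT in the cache, `realm =` and `security =` agree before `net ads join` is attempted, so that any investigation of rights on the "Computers" container starts from credentials that actually match the configuration.

```shell
#!/bin/sh
# Added example, not from the original post: check that the Kerberos ticket
# cache and smb.conf agree before attempting "net ads join".
# Both inputs below are constructed text modelled on the values in the post.

KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roarad@MYNETWORK.COM

Valid starting     Expires            Service principal
07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
        renew until 07/21/04 16:21:53'

SMBCONF_SAMPLE='[global]
        workgroup = MYNETWORK
        security = ADS
        realm = MYNETWORK.COM
        password server = mydc1.mynetwork.com'

# Realm of the default principal: the text after the last @.
klist_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}

# Value of one smb.conf key, ignoring surrounding whitespace and key case.
smbconf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" 'NF >= 2 {
        k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
        if (tolower(k) == tolower(key)) {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        } }'
}

# True when the cache holds a TGT (krbtgt/REALM@REALM) for the given realm.
has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2\$"
}

# Returns 0 only when principal realm, smb.conf realm, TGT and security mode
# all line up; prints the first inconsistency found otherwise.
preflight() {
    prealm=$(klist_realm "$1")
    crealm=$(smbconf_value "$2" realm)
    sec=$(smbconf_value "$2" security | tr 'a-z' 'A-Z')
    [ -n "$prealm" ] || { echo "no default principal in ticket cache"; return 1; }
    [ "$prealm" = "$crealm" ] || { echo "principal realm $prealm != smb.conf realm $crealm"; return 1; }
    has_tgt "$1" "$prealm" || { echo "no krbtgt ticket for $prealm"; return 1; }
    [ "$sec" = "ADS" ] || { echo "security = $sec, expected ADS"; return 1; }
    echo "ticket cache and smb.conf agree on realm $prealm"
}

preflight "$KLIST_SAMPLE" "$SMBCONF_SAMPLE"
```

On a real host, feed it `"$(klist)"` and `"$(cat /etc/samba/smb.conf)"` instead of the constructed samples.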