[Samba] FIXED: Chasing the "ads_add_machine_acct: Insufficient access" problem
Greg Folkert
greg at gregfolkert.net
Wed Jul 21 01:01:40 GMT 2004
Fix provided below.
On Tue, 2004-07-20 at 18:06, Greg Folkert wrote:
> Okay, the gist of this whole thing: I get this infamous (?) problem. I
> have been trying to search through the archives of samba-general on gmane
> and also in my archive of this list. I have only seen requests for the
> magical answer.
>
> Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
> compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
> compiled from source.
>
> Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
> i686 athlon i386 GNU/Linux
>
>
> Here is the problem in a nutshell:
>
> [root@roar root]# net ads join Computers -S mydc1.mynetwork.com
> [2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
> ads_add_machine_acct: Insufficient access
> ads_join_realm: Insufficient access
>
> and the important pieces of smb.conf:
>
> [global]
> workgroup = MYNETWORK
> netbios name = ROAR
> server string = Lotsa Room
> security = ADS
> realm = MYNETWORK.COM
> auth methods = winbind
> password server = mydc1.mynetwork.com
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> lanman auth = No
> ntlm auth = No
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 10000
> smb ports = 445
> disable netbios = Yes
> max xmit = 65535
> name resolve order = host wins lmhosts bcast
> #tried both spnego Yes and No same diff.
> use spnego = Yes
> # use spnego = No
> server signing = auto
> deadtime = 10080
> socket options = IPTOS_LOWDELAY TCP_NODELAY
> logon path =
> logon home =
> os level = 49
> preferred master = No
> local master = No
> domain master = No
> dns proxy = No
> ldap ssl = no
> idmap uid = 10000-40000
> idmap gid = 10000-40000
> winbind separator = +
> winbind nested groups = Yes
> winbind cache time = 20
> template homedir = /home/%D/%U
> invalid users = root
> ea support = Yes
> hide special files = Yes
> hide unreadable = Yes
>
> And here is my klist:
>
> [root@mash root]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: roarad@MYNETWORK.COM
>
> Valid starting Expires Service principal
> 07/20/04 16:21:53 07/21/04 02:22:01 krbtgt/MYNETWORK.COM@MYNETWORK.COM
> renew until 07/21/04 16:21:53
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> Yes, roarad@MYNETWORK.COM has rights to create users and machines in the
> AD Tree in "Computers"
>
> So, now, given that this is an existing problem in v3.0.4, I have to
> show the way I configured and compiled it. I also compiled MIT Kerberos
> v1.3.4 the proper way (similar to this). Personally I like integrations.
>
> Here is the configure for samba v3.0.4:
>
> ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
> --datadir=/usr/share --includedir=/usr/include \
> --libdir=/usr/lib --libexecdir=/usr/libexec \
> --localstatedir=/var --sharedstatedir=/usr/com \
> --mandir=/usr/share/man --infodir=/usr/share/info \
> --with-acl-support --with-automount \
> --with-codepagedir=/usr/share/samba/codepages --with-fhs \
> --with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
> --with-pam_smbpass --with-piddir=/var/run \
> --with-privatedir=/etc/samba --with-quotas --with-smbmount \
> --with-swatdir=/usr/share/swat --with-syslog --with-utmp \
> --with-vfs --without-smbwrapper --with-ads --with-winbind \
> --with-krb5
>
> Here is the configure for krb5-1.3.4:
>
> ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
> --datadir=/usr/share --includedir=/usr/include \
> --libdir=/usr/lib --libexecdir=/usr/libexec \
> --localstatedir=/var --sharedstatedir=/usr/com \
> --mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
> CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
> -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
> --enable-static --bindir=/usr/kerberos/bin \
> --mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
> --datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
> --with-krb4 --with-system-et --with-system-ss --without-tcl \
> --enable-dns
>
> Now, maybe this could be one of those problems where someone has had a
> chance to fix this. Or maybe someone used a workaround, or knows WHY.
>
> All I know is that W2K/W2K3 AD-driven Kerberos is heavily undocumented, and
> provides little in the way of useful logs... telling me what might be
> the problem on that end.
>
> Much thanks to anyone that has a good fix or knows where to look or
> *SOMETHING*
Much thanks to ME!
I went home after asking this.
I ate dinner, did some online gaming... did the family thing.
I decided to start over with a fresh smb.conf.
I logged into the machine, checked my Kerberos ticket (still valid), and,
having changed nothing for 2+ hours, I thought what the heck. I
tried again:
[root@roar root]# net ads join Computers -S mydc1.mynetwork.com
[2004/07/20 19:36:12, 0] libads/ldap.c:ads_add_machine_acct(1086)
Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- MYNETWORK
Joined 'ROAR' to realm 'MYNETWORK.COM'
I have to say, this baffles me. But it is understandable, given I have
worked with Novell NetWare and eDIR (or NDS as it was previously known)
for 9+ years. Time was nearly always the fix for these kinds of things:
replication issues, synchronization issues, massive changes and overall
performance.
Patience is a virtue even these days. I just wish some companies did
have this virtue as well.
--
greg, greg at gregfolkert.net
The technology that is
Stronger, better, faster: Linux
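A pre-flight check for this situation, as an added example that is not part of the original post or of Samba: it parses MIT klist output in the layout quoted above and reports whether the krbtgt for the realm is still valid at a given instant, and whether the local clock is inside the default 5-minute Kerberos skew tolerance. The sample klist text is constructed from the post; the instant 19:36:12 used below is the time of the successful join.

```python
# Added example (not from the post or from Samba): pre-flight checks before
# `net ads join`, ruling out a stale TGT or clock skew before chasing access errors.
import re
from datetime import datetime, timedelta

# Constructed sample in the MIT klist layout shown in the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roarad@MYNETWORK.COM

Valid starting     Expires            Service principal
07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
        renew until 07/21/04 16:21:53
"""

# One ticket line: start, expiry, service principal (MM/DD/YY HH:MM:SS).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
MAX_SKEW = timedelta(minutes=5)  # Kerberos default clock-skew tolerance

def parse_ts(s):
    """Parse a klist timestamp such as '07/20/04 16:21:53'."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Return (default principal, [(start, expires, service), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)  # header and 'renew until' lines do not match
        if m:
            tickets.append((parse_ts(m.group(1)), parse_ts(m.group(2)), m.group(3)))
    return principal, tickets

def tgt_status(text, realm, now):
    """'valid', 'expired' or 'missing' for realm's krbtgt at instant `now`."""
    _, tickets = parse_klist(text)
    want = "krbtgt/%s@%s" % (realm, realm)
    for start, expires, service in tickets:
        if service == want:
            return "valid" if start <= now < expires else "expired"
    return "missing"

def skew_ok(local_now, dc_now, max_skew=MAX_SKEW):
    """True when |local clock - DC clock| is inside the Kerberos tolerance."""
    return abs(local_now - dc_now) <= max_skew
```

Run `tgt_status(SAMPLE_KLIST, "MYNETWORK.COM", parse_ts("07/20/04 19:36:12"))` to see that the ticket from the post was still good when the join finally succeeded.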