[Samba] FIXED: Chasing the "ads_add_machine_acct: Insufficient access" problem

Greg Folkert greg at gregfolkert.net
Wed Jul 21 01:01:40 GMT 2004


Fix provided below.
On Tue, 2004-07-20 at 18:06, Greg Folkert wrote:
> Okay, the gist of this whole thing: I get this infamous (?) problem. I
> have been trying to search through the archives of samba-general on gmane
> and also in my archive of this list. I have only seen requests for the
> magical answer.
> 
> Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
> compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
> compiled from source.
> 
> Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
> i686 athlon i386 GNU/Linux
> 
> 
> Here is the problem in a nutshell:
> 
>         [root at roar root]# net ads join Computers -S mydc1.mynetwork.com
>         [2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
>           ads_add_machine_acct: Insufficient access
>         ads_join_realm: Insufficient access
> 
> and the important pieces of smb.conf:
> 
>         [global]
>                 workgroup = MYNETWORK
>                 netbios name = ROAR
>                 server string = Lotsa Room
>                 security = ADS
>                 realm = MYNETWORK.COM
>                 auth methods = winbind
>                 password server = mydc1.mynetwork.com
>                 passwd program = /usr/bin/passwd %u
>                 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>                 lanman auth = No
>                 ntlm auth = No
>                 client NTLMv2 auth = Yes
>                 client lanman auth = No
>                 client plaintext auth = No
>                 syslog = 0
>                 log file = /var/log/samba/log.%m
>                 max log size = 10000
>                 smb ports = 445
>                 disable netbios = Yes
>                 max xmit = 65535
>                 name resolve order = host wins lmhosts bcast
>         #tried both spnego Yes and No same diff.
>                 use spnego = Yes
>         #       use spnego = No
>                 server signing = auto
>                 deadtime = 10080
>                 socket options = IPTOS_LOWDELAY TCP_NODELAY
>                 logon path =
>                 logon home =
>                 os level = 49
>                 preferred master = No
>                 local master = No
>                 domain master = No
>                 dns proxy = No
>                 ldap ssl = no
>                 idmap uid = 10000-40000
>                 idmap gid = 10000-40000
>                 winbind separator = +
>                 winbind nested groups = Yes
>                 winbind cache time = 20
>                 template homedir = /home/%D/%U
>                 invalid users = root
>                 ea support = Yes
>                 hide special files = Yes
>                 hide unreadable = Yes
> 
> And here is my klist:
> 
>         [root at mash root]# klist
>         Ticket cache: FILE:/tmp/krb5cc_0
>         Default principal: roarad at MYNETWORK.COM
>         
>         Valid starting     Expires            Service principal
>         07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM at MYNETWORK.COM
>                 renew until 07/21/04 16:21:53
>         
>         
>         Kerberos 4 ticket cache: /tmp/tkt0
>         klist: You have no tickets cached
> 
> Yes, roarad at MYNETWORK.COM has rights to create users and machines in the
> AD Tree in "Computers"
> 
> So, now, given that this is an existing problem in v3.0.4, I have to
> show the way I configured and compiled it. I also compiled MIT Kerberos
> v1.3.4 the proper way (similar to this). Personally I like integrations.
> 
> Here is the configure for samba v3.0.4: 
> 
>         ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
>         --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
>         --datadir=/usr/share --includedir=/usr/include \
>         --libdir=/usr/lib --libexecdir=/usr/libexec \
>         --localstatedir=/var --sharedstatedir=/usr/com \
>         --mandir=/usr/share/man --infodir=/usr/share/info \
>         --with-acl-support --with-automount \
>         --with-codepagedir=/usr/share/samba/codepages --with-fhs \
>         --with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
>         --with-pam_smbpass --with-piddir=/var/run \
>         --with-privatedir=/etc/samba --with-quotas --with-smbmount \
>         --with-swatdir=/usr/share/swat --with-syslog --with-utmp \
>         --with-vfs --without-smbwrapper --with-ads --with-winbind \
>         --with-krb5
> 
> Here is the configure for krb5-1.3.4:
> 
>         ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
>         --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
>         --datadir=/usr/share --includedir=/usr/include \
>         --libdir=/usr/lib --libexecdir=/usr/libexec \
>         --localstatedir=/var --sharedstatedir=/usr/com \
>         --mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
>         CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
>         -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
>         --enable-static --bindir=/usr/kerberos/bin \
>         --mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
>         --datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
>         --with-krb4 --with-system-et --with-system-ss --without-tcl \
>         --enable-dns
> 
> Now, maybe this could be one of those problems where some one has had a
> chance to fix this. Or maybe someone used a workaround, or knows WHY.
> 
> All I know, W2K/W2K3 AD driven Kerberos is heavily undocumented. And
> provides little in the way of useful logs... telling me what might be
> the problem on that end.
> 
> Much thanks to anyone that has a good fix or knows where to look or
> *SOMETHING*

Much thanks to ME!

I went home after asking this.

I ate dinner, did some online gaming... did the family thing.

I decided to start over with a fresh smb.conf.

I logged into the machine, checked my Kerberos ticket (still valid), and,
having changed nothing for 2+ hours, I thought what the heck. I tried
again:

        [root at roar root]# net ads join Computers -S mydc1.mynetwork.com
        [2004/07/20 19:36:12, 0] libads/ldap.c:ads_add_machine_acct(1086)
          Warning: ads_set_machine_sd: Unexpected information received
        Using short domain name -- MYNETWORK
        Joined 'ROAR' to realm 'MYNETWORK.COM'

I have to say, this baffles me. But it is understandable, given I have
worked with Novell Netware and eDIR (or NDS as it was previously known)
for 9+ years. Time was nearly always the fix for these kinds of things:
replication issues, synchronization issues, massive changes and overall
performance.

Patience is a virtue even these days. I just wish some companies did
have this virtue as well.
-- 
greg, greg at gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
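Added example, not from the post or from Samba itself: a small POSIX sh wrapper that checks klist output for an unexpired TGT for the realm before running the join, and then retries the join with a delay only while it fails with "Insufficient access", since the thread shows that error can clear on its own once the directory catches up. The klist sample is constructed to match the post, and the DC name and retry counts are placeholders.

```shell
#!/bin/sh
# Added example for the thread above (not Samba's own code): check that a
# usable TGT for the realm exists before "net ads join", then retry the join
# only while it fails with the transient "Insufficient access" the poster hit.

# Constructed klist output modelled on the post (the list archive rewrote "@"
# as " at "; real klist prints the "@").
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roarad@MYNETWORK.COM

Valid starting     Expires            Service principal
07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
        renew until 07/21/04 16:21:53'

# "MM/DD/YY HH:MM:SS" (klist's format in the post) -> sortable number YYMMDDHHMMSS.
ts_key() { printf '%s\n' "$1 $2" | awk -F'[/ :]' '{printf "%s%s%s%s%s%s",$3,$1,$2,$4,$5,$6}'; }

# tgt_valid REALM "MM/DD/YY" "HH:MM:SS" < klist-output
# Succeeds only if a krbtgt ticket for REALM expires after the given time.
tgt_valid() {
    realm=$1; now=$(ts_key "$2" "$3")
    while read -r vs vt es et svc; do
        [ "$svc" = "krbtgt/$realm@$realm" ] || continue
        [ "$(ts_key "$es" "$et")" -gt "$now" ] && return 0
    done
    return 1
}

# join_with_retry CMD MAX_ATTEMPTS DELAY_SECONDS
# CMD is any command or shell function that performs the join (real_join below).
# Returns 0 on success, 1 on a non-transient error, 2 when attempts run out.
join_with_retry() {
    cmd=$1; max=$2; delay=$3; n=1; tmp=$(mktemp)
    while :; do
        if "$cmd" >"$tmp" 2>&1; then cat "$tmp"; rm -f "$tmp"; return 0; fi
        if ! grep -q 'Insufficient access' "$tmp"; then cat "$tmp"; rm -f "$tmp"; return 1; fi
        if [ "$n" -ge "$max" ]; then cat "$tmp"; rm -f "$tmp"; return 2; fi
        echo "attempt $n: Insufficient access, retrying in ${delay}s" >&2
        sleep "$delay"; n=$((n + 1))
    done
}

# The join as run in the thread; the DC name is an assumed placeholder.
real_join() { net ads join Computers -S "${DC:-mydc1.mynetwork.com}"; }

# Typical use (not run here): verify the ticket at the current time, then join.
#   klist | tgt_valid MYNETWORK.COM "$(date +%m/%d/%y)" "$(date +%T)" \
#       && join_with_retry real_join 6 300
```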