[Samba] Insufficient access error

jack.palmadesso at siemens.com jack.palmadesso at siemens.com
Fri May 21 19:49:39 GMT 2004


I've been working on getting Samba 3.0.4-2 to join our test W2k3 Active
Directory for most of the day. When I try to join with this command:

net ads join -U w702a-palmadesso "w702\NonCatComputers"

According to my official Samba HowTo Book this should join the domain
specified in my smb.conf. Instead I get the following output:

[root at w72l-tux samba]# net ads join -U w702a-palmadesso
"w702\NonCatComputers"
w702a-palmadesso's password:
[2004/05/21 15:05:23, 0] libads/ldap.c:ads_join_realm(1336)
  ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access

I can exchange Kerberos tickets from the output of klist:


[root at w72l-tux samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: w702a-palmadesso at TWW007.SITEST.NET
 
Valid starting     Expires            Service principal
05/21/04 13:20:11  05/21/04 23:20:13
krbtgt/TWW007.SITEST.NET at TWW007.SITEST.NET
        renew until 05/22/04 13:20:11
05/21/04 13:20:53  05/21/04 23:20:13  orla1h2a$@TWW007.SITEST.NET
        renew until 05/22/04 13:20:11

As far as I can tell this means Kerberos 5 is working properly and
exchanging tickets with our AD domain controller. KINIT works as well.

I can confirm that I am at least talking with AD LDAP because when I try to
join a bogus OU I get the following:

[root at w72l-tux samba]# net ads join -U w702a-palmadesso
"W702a\NonCatComputers"
w702a-palmadesso's password:
ads_join_realm: organizational unit W702a\NonCatComputers does not exist
(dn:ou=NonCatComputers,ou=W702a,dc=TWW007,dc=SITEST,dc=NET)

If you compare this to the first one you will notice that the difference is
w702 vs w702a. The w702a OU does not exist and gives the proper
response. So to me this is partially working but I still cannot join the
domain. As an experiment I was added to the administrators group in our
test domain and we added the computer account into the domain manually.
When this object already exists in AD I get a similar error but still
basically the same as follows:

[root at w72l-tux samba]# net ads join -U w702a-palmadesso
"W702\NonCatComputers"
w702a-palmadesso's password:
[2004/05/21 13:21:15, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for w72l-tux already exists - modifying old account
[2004/05/21 13:21:15, 0] libads/ldap.c:ads_join_realm(1336)
  ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access

Some other people on here seem to be experiencing the same problems.
Thanks for any help.

Jack
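To make the two outcomes in the post easier to compare, here is an added helper (not part of the thread or of Samba) that rebuilds the LDAP DN Samba derives from the OU argument and classifies the join output by the stage that failed. The realm and OU path are taken from the post; the separator rule and the sample outputs are constructed assumptions.

```python
import re
from typing import Dict, List

# Realm and OU path taken from the post; everything else below is constructed.
REALM = "TWW007.SITEST.NET"

def ou_path_to_dn(ou_path: str, realm: str) -> str:
    """Turn the OU argument given to `net ads join` (top\\sub\\leaf) into the
    LDAP DN the join looks up: ou=leaf,...,ou=top,dc=...,dc=...
    Assumption: a backslash or forward slash separates the levels."""
    parts = [p for p in re.split(r"[\\/]", ou_path) if p]
    ous = ",".join(f"ou={p}" for p in reversed(parts))
    dcs = ",".join(f"dc={label}" for label in realm.split("."))
    return f"{ous},{dcs}"

# Samba debug header: [timestamp, level] file:function(line), message on the next line.
HDR = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\] (?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")

def parse_samba_log(output: str) -> List[Dict[str, str]]:
    """Pair each debug header with the indented message that follows it."""
    lines = output.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = HDR.match(line.strip())
        if m and i + 1 < len(lines):
            events.append({**m.groupdict(), "msg": lines[i + 1].strip()})
    return events

def classify_join_failure(output: str) -> str:
    """Name the stage where the join stopped. An unknown OU means the LDAP
    lookup itself worked but the path is wrong; 'Insufficient access' raised
    for ads_add_machine_acct points at the joining user's rights on the
    computer object in that OU rather than at Kerberos or LDAP reachability."""
    if "organizational unit" in output and "does not exist" in output:
        return "ou-not-found"
    for ev in parse_samba_log(output):
        if ev["func"] == "ads_join_realm" and "Insufficient access" in ev["msg"]:
            return "machine-account-permission"
    return "unknown"

# Constructed samples reproducing the two outcomes shown in the post.
FAIL = """[2004/05/21 15:05:23, 0] libads/ldap.c:ads_join_realm(1336)
  ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access"""
BOGUS_OU = """ads_join_realm: organizational unit W702a\\NonCatComputers does not exist
(dn:ou=NonCatComputers,ou=W702a,dc=TWW007,dc=SITEST,dc=NET)"""

if __name__ == "__main__":
    print(ou_path_to_dn("w702\\NonCatComputers", REALM))
    print(classify_join_failure(FAIL), classify_join_failure(BOGUS_OU))
```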
