[Samba] Minimum Permissions Required to Associate to a Windows Server 2003 AD Realm

Tavis tavis at galaxytelecom.net
Tue Sep 7 21:14:19 GMT 2004

In the associated group policy, any authenticated user currently has 
"Add Workstations to domain" access, this is a dev network btw ;P

Also, using a Windows XP client, I can join the machine to the ADS realm 
using the same account that I try to use (and fails) with the Samba server.

The ADS server is Windows Server 2003 Enterprise running in forest and 
domain mode of Windows Server 2003. There must be some permission that 
Samba requires to join an ADS realm that I'm not aware of. Has anyone 
else come across a similar problem?

Samba version is 3.0.6. If anyone is following this, let me know if you 
need a debug log, although it seems that it's purely a Windows 
configuration issue.

Daniel Ramaley wrote:

>I don't know about Samba specifically, but in the Active Directory here 
>I have an account just for joining Windows machines to the domain. The 
>account only has 2 permissions set in group policy, both of which apply 
>to computer objects: Write All Properties, and Reset Password.
>
>On Tuesday 07 September 2004 03:27 pm, Tavis wrote:
>>I'm setting up a Windows Server 2003 ADS realm with a few Samba
>>servers associating to it; however, I've found that the accounts on
>>the DC that I use to associate Samba with need to be in the
>>administrator group, otherwise the association fails
>>("ads_join_realm: Insufficient access").
>>I'm just curious what the absolute minimum privileges are on the
>>Windows Server 2003 DC to allow the Samba server to join the ADS
>>realm? I don't like the idea of giving the accounts used by Samba
>>administrative access, and it just doesn't seem necessary.
