[Samba] Minimum Permissions Required to Associate to a Windows Server 2003 AD Realm

Tavis tavis at galaxytelecom.net
Wed Sep 8 22:10:27 GMT 2004


This is a repeat of an earlier email with more debugging information.

The issue I'm experiencing is that the Windows account I'm using to join 
Samba to the ADS realm (with net join ads -U ...) needs to be in the 
"administrator" group on the Win2k3 DC; otherwise the join fails and net 
returns an "ads_join_realm: Insufficient access" error. The join is 
successful if the account is added to the "administrator" group.

What I'm trying to accomplish is joining the Samba server to the ADS 
realm using an account that has the absolute minimum privileges required, 
as this account is only going to be used to join/remove the Samba server 
from the realm.

I've taken some traces showing the exchange in either case and attached 
them to this email (samba.fail where the account "lin1" IS NOT in the 
administrator group, samba.success where the account "lin1" IS in the 
administrator group). It seems that at index 26 the Samba server sends a 
"Modify Request" to the Win2k3 DC that is rejected unless the user is in 
the administrator group.

Now as a side note, I am able to join Windows XP/2k3 clients to the 
realm using this account without it being added to the administrator group.

At this point, I'm assuming that perhaps there is some quirky behaviour 
on Samba's part that is causing this issue? Or perhaps some 
permission(s) is (are) required that should be documented?

I've googled around and searched through the Samba mailing lists; all 
references I've found to this problem concluded without anything to 
suggest what the actual problem was (usually, "I redid everything from 
scratch and it just worked").


System is running Debian 3.0r2 Woody with Debian Testing Kerberos libraries:
- libkrb5-dev  1.3.4-3
- libkrb53     1.3.4-3
- krb5-user    1.3.4-3
- krb5-config  1.6

Linux lin1.dev.hq.galnet.ca 2.4.27-flaneur_grsec2 #1 SMP Fri Aug 13 
03:00:15 UTC 2004 i686 unknown.
Kernel is a plain kernel.org kernel patched with 
grsecurity-2.0.1-2.4.27.patch from www.grsecurity.net

Samba version is 3.0.6 (fresh install from source):
./configure --prefix=/usr/local/samba --with-configdir=/etc/samba \
--with-logfilebase=/var/log/samba --with-smbmount \
--with-pam_smbpass --with-syslog --with-ads --with-winbind

Relevant smb.conf configuration:
#######################################################
[global]
        workgroup = DEV
        realm = DEV.HQ.GALNET.CA
        netbios name = LIN1_DEV
        server string = lin1.dev.hq.galnet.ca
        security = ADS
        password server = windev1.dev.hq.galnet.ca
        restrict anonymous = 2
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log file = /var/log/samba/log.%m
        disable netbios = Yes
        server signing = auto
        deadtime = 15
        max smbd processes = 1000
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        local master = No
        domain master = No
        pid directory = /var/run/samba
        strict sync = Yes
        sync always = Yes
        hide special files = Yes
        hide unreadable = Yes
        include = /etc/samba/smb.conf.shares
        follow symlinks = No
######################################################

Environment is pure Win2k3 ADS, running in both forest and domain native 
2003 mode.

Here is the output from a "net join ads -d 3 -U lin1%password":
#######################################################
[2004/09/08 21:49:58, 3] param/loadparm.c:lp_load(3911)
  lp_load: refreshing parameters
[2004/09/08 21:49:58, 3] param/loadparm.c:init_globals(1324)
  Initialising global parameters
[2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file 
"/etc/samba/smb.conf"
[2004/09/08 21:49:58, 3] param/loadparm.c:do_section(3404)
  Processing section "[global]"
[2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file 
"/etc/samba/smb.conf.shares"
[2004/09/08 21:49:58, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.231 bcast=192.168.3.255 nmask=255.255.252.0
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.2.80
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_server_info(2318)
  got ldap server name windev1 at DEV.HQ.GALNET.CA, using bind path: 
dc=DEV,dc=HQ,dc=GALNET,dc=CA
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =windev1$@DEV.HQ.GALNET.CA
[2004/09/08 21:49:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/09/08 21:49:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[MEMORY:net_ads] expiration Thu, 09 Sep 2004 07:49:57 GMT
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lin1_dev already exists - 
modifying old account
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (lin1_dev): Insufficient access
ads_join_realm: Insufficient access
[2004/09/08 21:49:58, 2] utils/net.c:main(792)
  return code = -1

######################################################
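The debug output above shows the join failing at the point where Samba finds an existing computer account for lin1_dev and tries to modify it. As an added triage aid (not part of this post or of Samba), the following script parses the "net ads join -d 3" record format into header plus continuation lines and classifies the failure from the records; the SAMPLE text is an excerpt of the log above, trimmed to the relevant records, and the classification strings are my own.

```python
import re
from dataclasses import dataclass

# Header of one Samba debug record, e.g.
# [2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
HEADER = re.compile(r"^\[(?P<ts>\S+ \S+), (?P<level>\d+)\] (?P<src>\S+)$")

@dataclass
class Record:
    ts: str      # timestamp; empty for bare messages without a header
    level: int   # debug level; -1 for bare messages
    src: str     # file:function(line) that emitted the record
    msg: str     # message text, indented continuation lines joined

def parse_samba_debug(text: str) -> list[Record]:
    """Attach each indented line to the preceding header record; an
    unindented line without a header (the final error net prints) is
    kept as a standalone record."""
    records: list[Record] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(Record(m["ts"], int(m["level"]), m["src"], ""))
        elif line.startswith("  ") and records and records[-1].level >= 0:
            records[-1].msg = (records[-1].msg + " " + line.strip()).strip()
        elif line.strip():
            records.append(Record("", -1, "", line.strip()))
    return records

def diagnose_join(text: str) -> str:
    """Distinguish a denied modify of an existing computer account from a
    denied create, which need different rights on the DC side."""
    recs = parse_samba_debug(text)
    existed = any("already exists" in r.msg and "ads_add_machine_acct" in r.src for r in recs)
    denied = any("Insufficient access" in r.msg for r in recs)
    failed = any(r.msg.startswith("return code = ") and r.msg != "return code = 0" for r in recs)
    if denied and existed:
        return "denied while modifying an existing computer account"
    if denied:
        return "denied while creating the computer account"
    if failed:
        return "failed for another reason"
    return "no failure recorded"

# Excerpt of the log in the post (mail line-wrapping undone).
SAMPLE = """\
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.2.80
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lin1_dev already exists - modifying old account
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
  ads_add_machine_acct (lin1_dev): Insufficient access
ads_join_realm: Insufficient access
[2004/09/08 21:49:58, 2] utils/net.c:main(792)
  return code = -1
"""
```

Running `diagnose_join(SAMPLE)` reports the modify-denied case, i.e. the account used for the join lacks write access to the pre-existing computer object rather than the right to create one.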
