[Samba] Minimum Permissions Required to Associate to a Windows Server 2003 AD Realm
Tavis
tavis at galaxytelecom.net
Wed Sep 8 23:08:52 GMT 2004
You can find the two traces mentioned in this email here:
http://dream.cx/traces/samba.fail
http://dream.cx/traces/samba.success
Tavis wrote:
> This is a repeat of an earlier email with more debugging information.
>
> The issue I'm experiencing is that the Windows account I'm using to
> join samba to the ADS realm (with net join ads -U ...) needs to be in
> the "administrator" group on the Win2k3 DC; otherwise the join fails
> and net returns an "ads_join_realm: Insufficient access" error. The join
> is successful if the account is added to the "administrator" group.
>
> What I'm trying to accomplish is joining the samba server to the ADS
> realm using an account that has the absolute minimum privileges
> required, as this account is only going to be used to join/remove the
> samba server from the realm.
>
> I've taken some traces showing the exchange in either case and
> attached them to this email (samba.fail where the account "lin1" IS
> NOT in the administrator group, samba.success where the account "lin1"
> IS in the administrator group). It seems that at index 26 the samba
> server sends a "Modify Request" to the Win2k3 DC that is rejected
> unless the user is in the administrator group.
>
> Now as a side note, I am able to join Windows XP/2k3 clients to the
> realm using this account without being added to the administrator group.
>
> At this point, I'm assuming that perhaps there is some quirky
> behaviour on samba's part that is causing this issue? Or perhaps some
> permission(s) is(are) required that should be documented?
>
> I've googled around and searched through the samba mailing lists; all
> references I've found to this problem concluded without anything to
> suggest what the actual problem was (usually, "I redid everything
> from scratch and 'it just worked'").
>
> System is running debian 3.0r2 Woody with Debian Testing Kerberos
> libraries
> - libkrb5-dev 1.3.4-3
> - libkrb53 1.3.4-3
> - krb5-user 1.3.4-3
> - krb5-config 1.6
>
> Linux lin1.dev.hq.galnet.ca 2.4.27-flaneur_grsec2 #1 SMP Fri Aug 13
> 03:00:15 UTC 2004 i686 unknown.
> Kernel is a plain kernel.org kernel patched with
> grsecurity-2.0.1-2.4.27.patch from www.grsecurity.net
>
> Samba version is 3.0.6 (fresh install from source):
> ./configure --prefix=/usr/local/samba --with-configdir=/etc/samba \
> --with-logfilebase=/var/log/samba --with-smbmount \
> --with-pam_smbpass --with-syslog --with-ads --with-winbind
>
> Relevant smb.conf configuration:
> #######################################################
> [global]
> workgroup = DEV
> realm = DEV.HQ.GALNET.CA
> netbios name = LIN1_DEV
> server string = lin1.dev.hq.galnet.ca
> security = ADS
> password server = windev1.dev.hq.galnet.ca
> restrict anonymous = 2
> lanman auth = No
> ntlm auth = No
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> log file = /var/log/samba/log.%m
> disable netbios = Yes
> server signing = auto
> deadtime = 15
> max smbd processes = 1000
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> local master = No
> domain master = No
> pid directory = /var/run/samba
> strict sync = Yes
> sync always = Yes
> hide special files = Yes
> hide unreadable = Yes
> include = /etc/samba/smb.conf.shares
> follow symlinks = No
> ######################################################
>
> Environment is pure Win2k3 ADS, running in both forest and domain
> native 2003 mode.
>
> Here is the output from a "net join ads -d 3 -U lin1%password":
> #######################################################
> [2004/09/08 21:49:58, 3] param/loadparm.c:lp_load(3911)
> lp_load: refreshing parameters
> [2004/09/08 21:49:58, 3] param/loadparm.c:init_globals(1324)
> Initialising global parameters
> [2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2004/09/08 21:49:58, 3] param/loadparm.c:do_section(3404)
> Processing section "[global]"
> [2004/09/08 21:49:58, 3] param/params.c:pm_process(566)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf.shares"
> [2004/09/08 21:49:58, 2] lib/interface.c:add_interface(79)
> added interface ip=192.168.0.231 bcast=192.168.3.255 nmask=255.255.252.0
> [2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
> Connected to LDAP server 192.168.2.80
> [2004/09/08 21:49:58, 3] libads/ldap.c:ads_server_info(2318)
> got ldap server name windev1 at DEV.HQ.GALNET.CA, using bind path: dc=DEV,dc=HQ,dc=GALNET,dc=CA
> [2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2004/09/08 21:49:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
> ads_sasl_spnego_bind: got server principal name =windev1$@DEV.HQ.GALNET.CA
> [2004/09/08 21:49:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
> krb5_cc_get_principal failed (No credentials cache found)
> [2004/09/08 21:49:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
> Ticket in ccache[MEMORY:net_ads] expiration Thu, 09 Sep 2004 07:49:57 GMT
> [2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
> ads_add_machine_acct: Host account for lin1_dev already exists - modifying old account
> [2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
> ads_add_machine_acct (lin1_dev): Insufficient access
> ads_join_realm: Insufficient access
> [2004/09/08 21:49:58, 2] utils/net.c:main(792)
> return code = -1
>
> ######################################################
>
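As an added triage helper (not part of the original thread or of Samba itself), the Python below groups `net ... -d 3` debug output into records by its `[timestamp, level] file:function(line)` header lines, rejoins message lines that wrapped in the mail, and reports where the join was refused, whether the host account already existed (the join became a modify rather than a create), and net's return code. The embedded sample is constructed from the quoted log above.

```python
import re

# One Samba debug-log header line, e.g.
# "[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+:\w+\(\d+\))$")

# Constructed sample: the relevant lines of the quoted "net join ads -d 3" output.
SAMPLE_LOG = """\
[2004/09/08 21:49:58, 3] libads/ldap.c:ads_connect(247)
Connected to LDAP server 192.168.2.80
[2004/09/08 21:49:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No credentials cache found)
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_add_machine_acct(1283)
ads_add_machine_acct: Host account for lin1_dev already exists -
modifying old account
[2004/09/08 21:49:58, 0] libads/ldap.c:ads_join_realm(1617)
ads_add_machine_acct (lin1_dev): Insufficient access
ads_join_realm: Insufficient access
[2004/09/08 21:49:58, 2] utils/net.c:main(792)
return code = -1
"""

def parse_samba_debug(text):
    """Group the log into records: a header line plus its (possibly wrapped)
    message lines. Returns a list of (level, source, message) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append([int(m.group(2)), m.group(3), []])
        elif records:
            records[-1][2].append(line)   # continuation of the current message
    return [(lvl, src, " ".join(msg)) for lvl, src, msg in records]

def triage_join(text):
    """Summarise a failed join: the level-0 record carrying the access error,
    whether the host account pre-existed, and net's return code."""
    recs = parse_samba_debug(text)
    denied = next((src for lvl, src, msg in recs
                   if lvl == 0 and "Insufficient access" in msg), None)
    existed = any("already exists" in msg for _, _, msg in recs)
    rc = next((int(m.group(1)) for _, _, msg in recs
               for m in [re.search(r"return code = (-?\d+)", msg)] if m), None)
    return {"access_denied_in": denied, "account_existed": existed, "return_code": rc}

if __name__ == "__main__":
    print(triage_join(SAMPLE_LOG))
```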