[Samba] Join ADS domain - Insufficient Access
Mark F
mfaine at knology.net
Tue Nov 1 13:53:32 GMT 2005
SLES 9 SP2
samba-3.0.14a-0.4
heimdal-lib-0.6.1rc3-55.15
samba-winbind-3.0.14a-0.4
pam-modules-9-18.10
pam_krb5-1.3-201.7
I've been searching for days for a concrete answer to this question:
Is it possible to join an ADS domain from a Linux Samba server without
having Administrator privileges? Yes or No.
If so, exactly what are the minimal requirements for joining the Linux
box to the domain?
I can get a Kerberos ticket, no problem.
However, when I try to join the domain I get:
app1:~ # net ads join -S servername -d 3 -w domain -U tester%password
[2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
lp_load: refreshing parameters
[2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321)
Initialising global parameters
[2005/11/01 07:44:58, 3] param/params.c:pm_process(573)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409)
Processing section "[global]"
[2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81)
added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
Connected to LDAP server LDAPIPADDRESS
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469)
got ldap server name SERVERNAME at FQDN, using bind path:
dc=SERVER,dc=DOMAIN,dc=GOV
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =SERVERNAME1$@FQDN
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for app1 already exists -
modifying old account
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
ads_join_realm: Insufficient access
[2005/11/01 07:44:58, 2] utils/net.c:main(902)
return code = -1
---------------
I have no access to the domain but the Domain admin has assured me he
has set it up exactly as he would to allow a Windows client to join. Is
this correct?
Thanks,
-Mark