[Samba] Join ADS domain - Insufficient Access
eric roseme
eroseme at emonster.rose.hp.com
Tue Nov 1 17:13:55 GMT 2005
http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2
Eric Roseme
Mark F wrote:
> SLES 9 SP2
> samba-3.0.14a-0.4
> heimdal-lib-0.6.1rc3-55.15
> samba-winbind-3.0.14a-0.4
> pam-modules-9-18.10
> pam_krb5-1.3-201.7
>
> I've been searching for days for a concrete answer to this question:
>
> Is it possible to join an ADS domain from a Linux Samba server without
> having Administrator privileges? Yes or No.
>
> If so, exactly what are the minimal requirements for joining the Linux
> box to the domain?
>
> I can get a Kerberos ticket, no problem.
>
> However when I try to join the domain I get:
>
> app1:~ # net ads join -S servername -d 3 -w domain -U tester%password
> [2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
> lp_load: refreshing parameters
> [2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321)
> Initialising global parameters
> [2005/11/01 07:44:58, 3] param/params.c:pm_process(573)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409)
> Processing section "[global]"
> [2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81)
> added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0
> [2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
> Connected to LDAP server LDAPIPADDRESS
> [2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469)
> got ldap server name SERVERNAME at FQDN, using bind path:
> dc=SERVER,dc=DOMAIN,dc=GOV
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
> ads_sasl_spnego_bind: got server principal name =SERVERNAME1$@FQDN
> [2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> [2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
> Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
> [2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for app1 already exists - modifying
> old account
> [2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
> ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
> ads_join_realm: Insufficient access
> [2005/11/01 07:44:58, 2] utils/net.c:main(902)
> return code = -1
>
> ---------------
> I have no access to the domain but the Domain admin has assured me he
> has set it up exactly as he would to allow a Windows client to join. Is
> this correct?
>
> Thanks,
> -Mark
>