[Samba] ADS Join and Insufficient Access

Eric Roseme eroseme at emonster.rose.hp.com
Wed Nov 9 00:32:16 GMT 2005

M Maki wrote:

>My agency is moving all users and computers to a new domain. Our current domain uses AD and the new domain will use AD. My current samba servers are running 3.0.20a with ADS security with winbind on Debian Stable (Sarge) with no problems.
>I set up a test samba server using 3.0.20b, the new krb5.conf and smb.conf.
>kinit works fine. ("Authenticated to Kerberos v5")
>I prestage the server by adding it to my OU with rights to add it to the domain as I have always done.
>When I go to add it to the domain with
>  net ads join -U mmaki@NEW.DOMAIN.NET
>and enter my password
>I get
>  ads_add_machine_acct: Host account for smbtest already exists - modifying old account
>     (which is normal for prestaged machines)
>  ads_join_realm: ads_add_machine_acct failed (smbtest): Insufficient access
>  ads_join_realm: Insufficient access
>I have no problem adding Windows workstations with the same account, it's just adding the samba server.
>What could I be missing?
>Here is my smb.conf:
>       netbios name = smbtest
>       workgroup = NEW
>       realm = NEW.DOMAIN.NET
>       security = ADS
>       password server =
>       log file = /usr/local/samba/var/%m.log
>       preferred master = No
>       local master = No
>       domain master = No
>       idmap uid = 10000-40000
>       idmap gid = 10000-40000
>       # winbind use default domain = Yes
>       winbind enum users = No
>       winbind enum groups = No
>       winbind nested groups = Yes
>       socket options = TCP_NODELAY
>       socket options = SO_RCVBUF=8192
>       path = /home
>       read only = No
>       admin users = "NEW\mmaki"

I posted this on 11/01/05 (for the second time), see if it helps:


Eric Roseme
