[Samba] How to join a domain without using root?

John H Terpstra jht at samba.org
Mon Jul 3 22:19:08 GMT 2006

On Monday 03 July 2006 13:45, Steve A wrote:
> This is part of a larger post that was maybe too complicated for me to get
> the right answer, so I'm breaking it down and will do it bit by bit.
> Server is Samba-3 PDC, clients are NT4 & XP.
> I can join the domain using root credentials (so the add machine script
> works), but not when using 'administrator'.
> unixuser 'administrator' has primary unixgroup 'ntadmins'.
> 'ntadmins' is mapped to sambagroup 'Domain Admins'.
> Samba 'administrator' has SID from <net getlocalsid>-500
> I cannot join the domain using 'administrator' - I get error "The machine
> account for this computer either does not exist or is inaccessible".  But
> if I change the unix uid/gid for 'administrator' - it works.
> So...
> 1.
> To clarify, does Samba automatically map usernames in smbpasswd to
> identical unix usernames?
> 2.
> I was referred to the 'net' command to map some NT rights to NT groups.
> However, when I type 'net rpc rights list accounts' there are no domain
> groups listed, only 'BUILTIN\...' groups.  Is this correct?  Because I
> would like to add the SeMachineAccountPrivilege to the
> DOMAIN\Administrators group (if that's the right way to solve my problem).

Suggest you read the chapter in the Samba3-HOWTO regarding User Rights and 
Privileges. The answer to your question is in there.

- John T.
