[Samba] Re: How to join a domain without using root?

Steve A gmane at rowyerboat.com
Mon Jul 3 22:54:22 GMT 2006

John H Terpstra wrote:
> On Monday 03 July 2006 13:45, Steve A wrote:
>> This is part of a larger post that was maybe too complicated for me to
>> get the right answer, so I'm breaking it down and will do it bit by bit.
>> Server is Samba-3 PDC, clients are NT4 & XP.
>> I can join the domain using root credentials (so the add machine script
>> works), but not when using 'administrator'.
>> unixuser 'administrator' has primary unixgroup 'ntadmins'.
>> 'ntadmins' is mapped to sambagroup 'Domain Admins'.
>> Samba 'administrator' has SID from <net getlocalsid>-500
>> I cannot join the domain using 'administrator' - I get error "The machine
>> account for this computer either does not exist or is inaccessible".  But
>> if I change the unix uid/gid for 'administrator' - it works.
>> So...
>> 1.
>> To clarify, does Samba automatically map usernames in smbpasswd to
>> identical unix usernames?
>> 2.
>> I was referred to the 'net' command to map some NT rights to NT groups.
>> However, when I type 'net rpc rights list accounts' there are no domain
>> groups listed, only 'BUILTIN\...' groups.  Is this correct?  Because I
>> would like to add the SeMachineAccountPrivilege to the
>> DOMAIN\Administrators group (if that's the right way to solve my
>> problem).
> Suggest you read the chapter in the Samba3-HOWTO regarding User Rights and
> Privileges. The answer to your question is in there.

Thanks for the reply John, but I bought your book specially.  Either it 
doesn't answer all my questions, or I'm clearly misunderstanding it.  I 
tried all this stuff but there was no way I could get it to say 
"Successfully granted rights", although it would appear to successfully 
remove them even though the 'list accounts' wouldn't show them.  I started 
from scratch and at this stage it now works.  I don't know what was wrong 
but hey...

Steve :) 
