[Samba] SAMBA ADS integration - windows user account rights

Aaron J. Zirbes ajz at umn.edu
Tue Dec 18 17:49:48 GMT 2007


You may be running into this issue:

http://support.microsoft.com/kb/251335

--
Aaron


Bert Verhaeghe wrote:
> Hi all,
> 
> first of all is it possible to join a Linux machine to AD using a
> windows user account that is not a member of the group Domain Admins?
> Cause when I do this I get the following error while executing `net ads
> join -d 3 -U syncuser`: 
> 
> 
> #net ads join -d 3 -U  syncuser
> [2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
> refreshing parameters
> [2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
> Initialising global parameters 
> [2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
> section "[global]" 
> [2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
> interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
> octopussync's password: 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
> get_dc_list: preferred server list: ", DC"
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
> resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
> resolve_wins: Attempting wins lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
> resolve_hosts: Attempting host lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
> LDAP server 10.0.0.1
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
> ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found) 
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
> Tue, 11 Dec 2007 23:47:05 UTC
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
> Connecting to host= DC.domain.local
> [2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
> to 10.0.0.1 at port 445
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
> setup (blob length=107) 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2 3 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
> 311 2 2 10
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
> $@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
> session setup
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Tue, 11 Dec 2007 23:47:05 UTC 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
> bind request returned ok.
> [2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
> lsa_io_sec_qos: length c does not match size 8 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
> bind request returned ok.
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
> 
> 
> But when the user is added to the Domain Admins group, the join is
> successful.
> 
> And if the latter is possible, which permissions should the windows user
> account have? 
> 
> Thx in advance
> 
> bert
> 
> 
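The trace quoted above ends with `NT_STATUS_ACCESS_DENIED` only after the LDAP connect, the Kerberos session setup and the `\lsarpc` / `\samr` pipe binds all succeeded, which is what points at a permission problem on the machine-account password rather than a connectivity one. As an added example (not code from either poster or from Samba), here is a small Python parser for the `[date, level] file:function(line) message` record format that `net ads join -d 3` prints; it assumes one record per line (the mail wrapping undone) and uses a constructed excerpt of the same trace as sample input.

```python
import re
from typing import Dict, List

# Constructed sample: a one-record-per-line excerpt in the shape of the
# `net ads join -d 3` output from the post, ending with the same failure.
SAMPLE_LOG = """\
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/11 13:47:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos session setup
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine DC.domain.local pipe \\lsarpc fnum 0x400c bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine DC.domain.local pipe \\samr fnum 0x400a bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
"""

# Samba debug record header: "[timestamp, level] source.c:function(line) message"
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)$"
)
STATUS_RE = re.compile(r"\((NT_STATUS_[A-Z0-9_]+)\)")
PIPE_RE = re.compile(r"pipe (\\\w+) fnum \S+ bind request returned ok")
LDAP_RE = re.compile(r"Connected to LDAP server (\S+)")
RC_RE = re.compile(r"return code = (-?\d+)")


def parse_debug_log(text: str) -> List[Dict[str, str]]:
    """Split the trace into records; lines without a header are plain messages."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            records.append({"ts": "", "level": "", "file": "", "func": "",
                            "line": "", "msg": line})
    return records


def summarize_join(text: str) -> Dict[str, object]:
    """Reduce the trace to what an admin checks first: how far the join got
    (DC reached, RPC pipes bound) and which NT_STATUS it stopped with."""
    summary: Dict[str, object] = {"ldap_server": None, "pipes_bound": [],
                                  "status": None, "return_code": None}
    for rec in parse_debug_log(text):
        msg = rec["msg"]
        if (m := LDAP_RE.search(msg)):
            summary["ldap_server"] = m.group(1)
        if (m := PIPE_RE.search(msg)):
            summary["pipes_bound"].append(m.group(1))
        if (m := STATUS_RE.search(msg)):
            summary["status"] = m.group(1)      # last NT_STATUS wins
        if (m := RC_RE.search(msg)):
            summary["return_code"] = int(m.group(1))
    summary["joined"] = summary["return_code"] == 0 and summary["status"] is None
    return summary
```

Run on the sample it reports the DC at 10.0.0.1, both `\lsarpc` and `\samr` bound, and `NT_STATUS_ACCESS_DENIED` with return code -1, which is the "authenticated fine, not allowed to set the machine account password" pattern the thread is about.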

