[Samba] samba-tool join domain fails

Rowland Penny rowlandpenny at googlemail.com
Wed Sep 25 08:02:37 MDT 2013


On 25/09/13 14:43, Axel wrote:
> Yes, this works all the time:
>
> root at samba-dc1:~# kinit admin
> admin at INTRANET.DOMAIN.DE's Password:
> root at samba-dc1:~# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: admin at INTRANET.DOMAIN.DE
>   Issued                Expires               Principal
> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/INTRANET.DOMAIN.DE at INTRANET.DOMAIN.DE
> root at samba-dc1:~#
>
> The security event log on the Windows 2003 DC told me (in German, translated here):
>
> Event Type:    Success Audit
> Event Source:    Security
> Event Category:    Directory Service Access
> Event ID:    566
> Date:        25.09.2013
> Time:        15:35:28
> User:        INTRANET\admin
> Computer:    WI-PAS01
> Description:
> Object Operation:
>      Object Server:    DS
>      Operation Type:    Object Access
>      Object Type:    organizationalUnit
>      Object Name:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>      Handle ID:    -
>      Primary User Name:    WI-PAS01$
>      Primary Domain:    INTRANET
>      Primary Logon ID:    (0x0,0x3E7)
>      Client User Name:    admin
>      Client Domain:    INTRANET
>      Client Logon ID:    (0x0,0x5B2D755F)
>      Accesses:    Create Child
>
>      Properties:
>     Create Child
>     computer
>
>      Additional Info:    CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>      Additional Info2:    %{34f6dfb0-e508-4124-a996-d80843a31445}
>      Access Mask:    0x1
>
> and:
>
> Event Type:    Success Audit
> Event Source:    Security
> Event Category:    Logon/Logoff
> Event ID:    540
> Date:        25.09.2013
> Time:        15:35:28
> User:        INTRANET\admin
> Computer:    WI-PAS01
> Description:
> Successful Network Logon:
>      User Name:    admin
>      Domain:        INTRANET
>      Logon ID:        (0x0,0x5B2D755F)
>      Logon Type:    3
>      Logon Process:    Kerberos
>      Authentication Package:    Kerberos
>      Workstation Name:
>      Logon GUID:    {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>      Caller User Name:    -
>      Caller Domain:    -
>      Caller Logon ID:    -
>      Caller Process ID:    -
>      Transited Services:    -
>      Source Network Address:    192.168.200.210
>      Source Port:    43028
>
> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. 
> NO insufficient user rights!
>
> Another test - copying SYSVOL - works too:
> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'
>
> That's all...
>
>
>
> Rowland Penny schrieb:
>> On 25/09/13 13:18, Axel wrote:
>>> Of course,
>>>
>>> Rowland Penny schrieb:
>>>> On 25/09/13 12:37, Axel wrote:
>>>>> Anyone? Join failed - cleaning up
>>>>>> checking sAMAccountName
>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: 
>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>> <>
>>>>>>   File 
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>> line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File 
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>> line 552, in run
>>>>>>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
>>>>>> dns_backend=dns_backend)
>>>>>>   File 
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>> line 1104, in join_DC
>>>>>>     ctx.do_join()
>>>>>>   File 
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>> line 1007, in do_join
>>>>>>     ctx.join_add_objects()
>>>>>>   File 
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
>>>>>> line 499, in join_add_objects
>>>>>>     ctx.samdb.add(rec)
>>>>>>
>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., ping 
>>>>>> works fine... also resolution of FQDNs.
>>>>>>
>>>>>> Can someone help?
>>>>>>
>>>>>> Thanks & Cheers
>>>>>>  axel
>>>>>>
>>>> Well I think this:
>>>>
>>>> ERROR(ldb): uncaught exception - LDAP error 50 
>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, 
>>>> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>
>>>> says it all.
>>>>
>>>> Does user intranet/admin exist and, if so, do they have the right to 
>>>> add a machine to the domain? Also, have you tried replacing 
>>>> intranet/admin with Administrator?
>>>>
>>>> Rowland
>>> As I said in my first mail, that is THE Domain Administrator 
>>> (renamed in my environment to admin). This "admin" has had all rights to 
>>> this domain since 2005 :)
>>> Same problem with another Domain Administrator account.
>>>
>>> I've also tried with "Administrator" like you suggested. Same issue...
>>>
>>> Thanks to your reply,
>>>  axel
>>>
>> OK, I did this yesterday, but with a samba4 DC joining to another 
>> samba4 DC, try this:
>>
>> kinit admin
>>
>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC 
>> -Uadmin --realm=intranet.domain.de
>>
>> Rowland
>>
Yes, admin can log into the servers, but does he have the right to add 
workstations to the domain?
Also was Administrator renamed or was a new user called admin created?

Rowland

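The two questions Rowland asks at the end (is "admin" really the built-in Administrator, and does that account actually hold Create-Child for the computer class on OU=Domain Controllers) can be answered mechanically from the directory rather than by recollection. The following is an added example, not code from the thread or from Samba: it parses an ldbsearch-style LDIF record for the account, checks whether its objectSid ends in RID 500 (renaming the built-in Administrator never changes its SID, so a *created* account called "admin" is a different principal), and then walks the SDDL security descriptor of the target OU to see whether an allow ACE grants Create-Child (SDDL "CC", the same 0x1 access mask the Windows audit event shows) for the computer class to the account or one of its groups before any deny ACE does. The domain SID, the LDIF snippets and both SDDL strings are constructed sample data; the computer-class schema GUID is the well-known one but is treated as an assumption here. In practice the SDDL would come from `samba-tool dsacl get --objectdn=...` against the Windows DC, and the group SIDs from the account's tokenGroups.

```python
"""Diagnose LDAP error 50 (INSUFF_ACCESS_RIGHTS) on a DC join by checking the
joining account against the DACL of the OU where the computer object is created.
Added example for the thread above; all sample data below is constructed."""

import re

# Assumed: the schemaIDGUID of the AD "computer" class (well known, but an assumption here)
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
BUILTIN_ADMIN_RID = 500           # RID of the built-in Administrator, survives renaming
DS_CREATE_CHILD = 0x1             # access-mask bit behind SDDL "CC" (matches the 0x1 in the audit event)

# Constructed sample: made-up domain SID and two ldbsearch-style records
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ADMIN_LDIF = f"""
dn: CN=admin,CN=Users,DC=intranet,DC=domain,DC=de
sAMAccountName: admin
objectSid: {DOMAIN_SID}-500
primaryGroupID: 513
"""
OTHER_ADMIN_LDIF = f"""
dn: CN=admin2,CN=Users,DC=intranet,DC=domain,DC=de
sAMAccountName: admin2
objectSid: {DOMAIN_SID}-1105
primaryGroupID: 513
"""

# Constructed SDDL for OU=Domain Controllers: one that grants Domain Admins (DA)
# Create-Child for the computer class, one carrying an explicit deny for the same thing.
OU_SDDL_OK = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
              "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;DA)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")
OU_SDDL_DENY = ("O:DAG:DAD:AI(OD;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;DA)"
                "(A;;RPLCLORC;;;AU)"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_ldif(text):
    """Minimal single-entry LDIF parser: 'attr: value' lines, multi-valued attrs as lists."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value.strip())
    return entry


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def is_builtin_administrator(sid):
    """True only for the domain account with RID 500, whatever it is currently named."""
    return sid.startswith("S-1-5-21-") and rid(sid) == BUILTIN_ADMIN_RID


def expand_trustee(trustee, domain_sid):
    """Map the SDDL well-known aliases used here to SIDs; explicit SIDs pass through."""
    aliases = {"DA": domain_sid + "-512", "EA": domain_sid + "-519", "DD": domain_sid + "-516",
               "BA": "S-1-5-32-544", "AO": "S-1-5-32-548", "SY": "S-1-5-18",
               "AU": "S-1-5-11", "WD": "S-1-1-0"}
    return aliases.get(trustee, trustee)


def split_rights(field):
    """Rights are two-letter codes run together ("RPWPCC") or a hex mask ("0x1")."""
    if field.startswith("0x"):
        return {field}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl, domain_sid):
    """Return the ACEs of the D: (DACL) section of an SDDL string, in descriptor order."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [{"type": t, "flags": f, "rights": split_rights(r), "object_guid": og.lower(),
             "trustee": expand_trustee(tr, domain_sid)}
            for t, f, r, og, _ig, tr in ACE_RE.findall(m.group(2))]


def grants_create_child(rights):
    for r in rights:
        if r.startswith("0x"):
            return bool(int(r, 16) & DS_CREATE_CHILD)
    return bool(rights & {"CC", "GA", "GW"})      # generic-all / generic-write imply CC


def can_create_child(aces, token_sids, child_class_guid):
    """Walk the DACL in order: first matching deny wins, first matching allow grants.
    Object ACEs scoped to another class GUID are skipped; an empty GUID means all classes."""
    for ace in aces:
        if ace["trustee"] not in token_sids or not grants_create_child(ace["rights"]):
            continue
        if ace["object_guid"] and ace["object_guid"] != child_class_guid.lower():
            continue
        if ace["type"] in ("D", "OD"):
            return False
        if ace["type"] in ("A", "OA"):
            return True
    return False


def diagnose(ldif, group_sids, ou_sddl, domain_sid=DOMAIN_SID):
    """group_sids: the account's group SIDs (tokenGroups); Authenticated Users is always added."""
    entry = parse_ldif(ldif)
    sid = entry["objectSid"][0]
    token = {sid, f"{domain_sid}-{entry['primaryGroupID'][0]}", "S-1-5-11"} | set(group_sids)
    return {"builtin_admin": is_builtin_administrator(sid),
            "can_create_computer": can_create_child(parse_dacl(ou_sddl, domain_sid),
                                                    token, COMPUTER_CLASS_GUID)}


if __name__ == "__main__":
    print("admin  / OK DACL  :", diagnose(ADMIN_LDIF, [DOMAIN_SID + "-512"], OU_SDDL_OK))
    print("admin  / deny ACE :", diagnose(ADMIN_LDIF, [DOMAIN_SID + "-512"], OU_SDDL_DENY))
    print("admin2 / OK DACL  :", diagnose(OTHER_ADMIN_LDIF, [], OU_SDDL_OK))
```

If the account comes back as the RID 500 principal with Create-Child granted, the OU DACL is not the culprit and the 566 success audit is telling the truth; a deny ACE or a missing computer-class grant on the OU (or on a parent it inherits from) points straight at the join failure.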
