[Samba] samba-tool join domain fails
Axel
ako77 at arcor.de
Wed Sep 25 09:57:50 MDT 2013
Rowland Penny wrote:
> On 25/09/13 15:36, Axel wrote:
>> Rowland Penny wrote:
>>> On 25/09/13 14:43, Axel wrote:
>>>> Yes, this works all the time:
>>>>
>>>> root at samba-dc1:~# kinit admin
>>>> admin at INTRANET.DOMAIN.DE's Password:
>>>> root at samba-dc1:~# klist
>>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>> Principal: admin at INTRANET.DOMAIN.DE
>>>> Issued Expires Principal
>>>> Sep 25 15:31:44 2013 Sep 26 01:31:42 2013
>>>> krbtgt/INTRANET.DOMAIN.DE at INTRANET.DOMAIN.DE
>>>> root at samba-dc1:~#
>>>>
>>>> The Security Monitor on the Windows 2003 DC told me (in German):
>>>>
>>>> Ereignistyp: Erfolgsüberw.
>>>> Ereignisquelle: Security
>>>> Ereigniskategorie: Verzeichnisdienstzugriff
>>>> Ereigniskennung: 566
>>>> Datum: 25.09.2013
>>>> Zeit: 15:35:28
>>>> Benutzer: INTRANET\admin
>>>> Computer: WI-PAS01
>>>> Beschreibung:
>>>> Objektvorgang:
>>>> Objektserver: DS
>>>> Vorgangstyp Object Access
>>>> Objekttyp: organizationalUnit
>>>> Objektname: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>> Handlekennung: -
>>>> Primärer Benutzername: WI-PAS01$
>>>> Primäre Domäne: INTRANET
>>>> Primäre Anmeldekennung: (0x0,0x3E7)
>>>> Clientbenutzername: admin
>>>> Clientdomäne: INTRANET
>>>> Clientanmeldekennung: (0x0,0x5B2D755F)
>>>> Zugriffe Untergeordnetes Objekt erzeugen
>>>>
>>>> Eigenschaften:
>>>> Untergeordnetes Objekt erzeugen
>>>> computer
>>>>
>>>> Weitere Info: CN=SAMBA-DC1,OU=Domain
>>>> Controllers,DC=intranet,DC=domain,DC=de
>>>> Weitere Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>> Zugriffsmaske: 0x1
>>>>
>>>> and:
>>>>
>>>> Ereignistyp: Erfolgsüberw.
>>>> Ereignisquelle: Security
>>>> Ereigniskategorie: An-/Abmeldung
>>>> Ereigniskennung: 540
>>>> Datum: 25.09.2013
>>>> Zeit: 15:35:28
>>>> Benutzer: INTRANET\admin
>>>> Computer: WI-PAS01
>>>> Beschreibung:
>>>> Erfolgreiche Netzwerkanmeldung:
>>>> Benutzername: admin
>>>> Domäne: INTRANET
>>>> Anmeldekennung: (0x0,0x5B2D755F)
>>>> Anmeldetyp: 3
>>>> Anmeldevorgang: Kerberos
>>>> Authentifizierungspaket: Kerberos
>>>> Arbeitsstationsname:
>>>> Anmelde-GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>> Aufruferbenutzername: -
>>>> Aufruferdomäne: -
>>>> Aufruferanmeldekennung: -
>>>> Aufruferprozesskennung: -
>>>> Übertragene Dienste: -
>>>> Quellnetzwerkadresse: 192.168.200.210
>>>> Quellport: 43028
>>>>
>>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210
>>>> works. NO insufficient user rights!
>>>>
>>>> Another test - copying SYSVOL - works too:
>>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget
>>>> intranet.domain.de'
>>>>
>>>> That's all...
>>>>
>>>>
>>>>
>>>> Rowland Penny wrote:
>>>>> On 25/09/13 13:18, Axel wrote:
>>>>>> Of course,
>>>>>>
>>>>>> Rowland Penny wrote:
>>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>>> Anyone? Join failed - cleaning up
>>>>>>>>> checking sAMAccountName
>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50
>>>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr:
>>>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>> <>
>>>>>>>>> File
>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>>>>> line 175, in _run
>>>>>>>>> return self.run(*args, **kwargs)
>>>>>>>>> File
>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>>>>> line 552, in run
>>>>>>>>> machinepass=machinepass, use_ntvfs=use_ntvfs,
>>>>>>>>> dns_backend=dns_backend)
>>>>>>>>> File
>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>>>>> line 1104, in join_DC
>>>>>>>>> ctx.do_join()
>>>>>>>>> File
>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>>>>> line 1007, in do_join
>>>>>>>>> ctx.join_add_objects()
>>>>>>>>> File
>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>>>>> line 499, in join_add_objects
>>>>>>>>> ctx.samdb.add(rec)
>>>>>>>>>
>>>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc.,
>>>>>>>>> ping works fine... also resolution of FQDNs.
>>>>>>>>>
>>>>>>>>> Can someone help?
>>>>>>>>>
>>>>>>>>> Thanks & Cheers
>>>>>>>>> axel
>>>>>>>>>
>>>>>>> Well I think this:
>>>>>>>
>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50
>>>>>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr:
>>>>>>> DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>
>>>>>>> says it all.
>>>>>>>
>>>>>>> Does user intranet/admin exist and if so, do they have the right
>>>>>>> to add a machine to the domain, also have you tried replacing
>>>>>>> intranet/admin with Administrator?
>>>>>>>
>>>>>>> Rowland
>>>>>> As I said in my first mail, that is THE Domain Administrator
>>>>>> (renamed in my environment to admin). This "admin" has had all
>>>>>> rights to this domain since 2005 :)
>>>>>> Same problem with another Domain-Administrator Account.
>>>>>>
>>>>>> I've also tried with "Administrator" like you suggested. Same
>>>>>> issue...
>>>>>>
>>>>>> Thanks for your reply,
>>>>>> axel
>>>>>>
>>>>> OK, I did this yesterday, but with a samba4 DC joining to another
>>>>> samba4 DC, try this:
>>>>>
>>>>> kinit admin
>>>>>
>>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC
>>>>> -Uadmin --realm=intranet.domain.de
>>>>>
>>>>> Rowland
>>>>>
>>> Yes, admin can log into the servers, but does he have the right to
>>> add workstations to the domain?
>>> Also was Administrator renamed or was a new user called admin created?
>>>
>>> Rowland
>> Like I said, "admin" is the main domain administrator and has all
>> rights to this domain. He wasn't newly created, just renamed.
>>
>> Axel
>>
> Well, if admin has all the required rights, I wonder if it is a problem
> with access rights to sam.ldb. On my secondary DC this belongs to
> root:root and the root user has read + write access, and getfacl shows:
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/private/sam.ldb
> # owner: root
> # group: root
> user::rw-
> group::---
> other::---
>
> so you need to be root to alter it. Should you be running the command
> with sudo? Do you have the root user enabled, i.e. are you running as root?
>
> I take it that /etc/resolv.conf points to your windows server (or
> something that points to it)
>
> One other thing that I can think of is that samba-tool domain join is
> hardcoded to the Administrator, but I do not really think this is likely.
>
> Lastly, because it's Debian: AppArmor, if this is on, try turning it off.
>
> Rowland
>
Look at my code. I'm running as root. getfacl shows:
root at samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/private/sam.ldb
# owner: root
# group: root
user::rw-
group::---
other::---
resolv.conf:
root at samba-dc1:/# cat /etc/resolv.conf
domain intranet.domain.de
search intranet.domain.de
nameserver 127.0.0.1
nameserver 192.168.200.10 <-- Windows DC wi-pas01
nameserver 192.168.200.254
Hmm, I'm wondering...
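The two things Rowland asked to verify before the join (who owns sam.ldb and how it is protected, and which resolver the new DC will ask) can be checked mechanically. The script below is an added example and not part of this thread or of Samba's own tooling; it runs the checks against sample text constructed here in the format the thread shows (getfacl output and a plain resolv.conf), so the sample values, the function names and the assumed DC address 192.168.200.10 are all illustrative.

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a Samba DC join.
# Assumes getfacl output in the form quoted in the thread and a resolv.conf
# made of plain "nameserver <ip>" lines. All sample inputs are constructed.

# Constructed sample: getfacl output as posted (root:root, owner rw only).
SAMPLE_ACL_OK='# file: var/lib/samba/private/sam.ldb
# owner: root
# group: root
user::rw-
group::---
other::---'

# Constructed sample: a sam.ldb that is not root-owned and is group-readable.
SAMPLE_ACL_BAD='# file: var/lib/samba/private/sam.ldb
# owner: samba
# group: samba
user::rw-
group::r--
other::---'

# Constructed sample: resolv.conf as posted in the thread.
SAMPLE_RESOLV='domain intranet.domain.de
search intranet.domain.de
nameserver 127.0.0.1
nameserver 192.168.200.10
nameserver 192.168.200.254'

# acl_field TEXT PREFIX: print the value following PREFIX on the first matching line.
acl_field() {
    printf '%s\n' "$1" | sed -n "s/^$2//p" | head -n 1
}

# check_sam_ldb_acl TEXT: succeed only when sam.ldb is root:root and mode rw-------,
# which is what the secondary DC in the thread shows.
check_sam_ldb_acl() {
    [ "$(acl_field "$1" '# owner: ')" = root ] &&
    [ "$(acl_field "$1" '# group: ')" = root ] &&
    [ "$(acl_field "$1" 'user::')" = 'rw-' ] &&
    [ "$(acl_field "$1" 'group::')" = '---' ] &&
    [ "$(acl_field "$1" 'other::')" = '---' ]
}

# running_as_root: with the ACL above only uid 0 can open sam.ldb read-write.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# resolv_lists_dc TEXT IP: succeed if resolv.conf names the existing DC as a resolver.
resolv_lists_dc() {
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -q "^nameserver[[:space:]]*${ip}\$"
}

# first_nameserver TEXT: print the resolver the libc tries first.
first_nameserver() {
    printf '%s\n' "$1" | sed -n 's/^nameserver[[:space:]]*//p' | head -n 1
}

# preflight_report: run the checks against the constructed samples and report.
preflight_report() {
    if check_sam_ldb_acl "$SAMPLE_ACL_OK"; then
        echo "sam.ldb ACL: ok (root:root, rw-------)"
    else
        echo "sam.ldb ACL: unexpected owner or mode"
    fi
    if running_as_root; then echo "uid: root"; else echo "uid: not root"; fi
    if resolv_lists_dc "$SAMPLE_RESOLV" 192.168.200.10; then
        echo "resolv.conf: lists the existing DC 192.168.200.10"
    else
        echo "resolv.conf: existing DC not listed"
    fi
    echo "first resolver tried: $(first_nameserver "$SAMPLE_RESOLV")"
}

preflight_report
```

To use it against a live host, replace the sample strings with `$(getfacl /var/lib/samba/private/sam.ldb)` and `$(cat /etc/resolv.conf)`. Note that the first resolver in the posted resolv.conf is 127.0.0.1, i.e. the machine that has not finished joining yet; the report prints that so the reader can decide whether the existing DC should be listed first.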