[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

Marc Muehlfeld mmuehlfeld at samba.org
Tue Jun 10 06:59:18 MDT 2014


Hello,

On 10.06.2014 01:40, Lexi Wright wrote:
> I was able to reproduce the issue using a Windows Server 2003 machine and
> also a Windows Server 2008 machine. I was able to see that
> sec_access_check_ds() always returns an NT_STATUS_ACCESS_DENIED which in
> turn results in an LDB_ERR_INSUFFICIENT_RIGHTS error being thrown from
> dsdb_check_access_on_dn_internal(). The field 'bits_remaining' in the
> access check implementation always ends up getting a value of 1. Is there
> anything that I am doing wrong here? Is this an expected behavior? Any
> help would be greatly appreciated.

In an MS AD, by default non-domain admins can join max. 10 machines to
the domain. Normally it should be the same in Samba AD (if not, it's a
bug or missing feature and a bug report should be opened). But I have
never checked this against Samba AD, because this is always one of the
first things I turn off. :-)

Is it disabled at your site or have you exceeded this limit for that
account?

This is how I allow technicians to join machines without that limit and
without telling them the domain admin password:

https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions


Regards,
Marc

