[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

Marc Muehlfeld mmuehlfeld at samba.org
Tue Jun 10 06:59:18 MDT 2014


Am 10.06.2014 01:40, schrieb Lexi Wright:
>  I was able to reproduce the issue using Windows Server 2003 machine also a
> Windows Server 2008 machine.I was able to see that the
> sec_access_check_ds() always returns an NT_STATUS_ACCESS_DENIED which in
> turn results in an LDB_ERR_INSUFFICIENT_RIGHTS error being thrown from the
> dsdb_check_access_on_dn_internal(). The field 'bits_remaining' in the
> access check implementation, always ends up getting a value 1. Is there
> anything that I am doing wrong here? Is this an expected behavior ? Any
> help would be greatly appreciated.

In a MS AD, per default non-domain admins can join max. 10 machines to
the domain. Normally it should be the same in Samba AD (if not it's a
bug or missing feature and a bug report should be opened). But I have
never checked this against Samba AD, because this is always one of the
first things I turn off. :-)

Is it disabled at your site or have you exceeded this limit for that

This is how I allow technicans to join machines without that limit and
without telling them the domain admin password:



More information about the samba mailing list