[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

Lexi Wright lexiwright1788 at gmail.com
Tue Jun 10 10:33:28 MDT 2014


Hello Mark,

I verified that the feature has not been turned off here and I haven't
exceeded the limit for the account. So, the following are the steps I
followed:

1. Provisioned a Samba domain on a linux machine.
2. Domain joined a Windows machine to the above domain using the Domain
admin account.
3. Launched ADUC and created a few users (they belong to the group Domain
User)
4. Tried to domain join another Windows machine using one of the accounts
created in (3)

At step 4, encountered an "access denied" error. I also verified that this
wasn't happening in MS AD.

I increased the log level to 10 and tried debugging and figured out the
access check algorithm was returning an NT_STATUS_ACCESS_DENIED.

Do you think this could possibly be a bug in Samba? Looks like there was a
fix a few months ago for incorrect handling of privileges in the method
sec_access_check_ds():

http://marc.info/?l=samba-technical&m=138235540825109&w=2


Thanks,
Lexi


On 10 June 2014 05:59, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello,
>
> Am 10.06.2014 01:40, schrieb Lexi Wright:
> > I was able to reproduce the issue using a Windows Server 2003 machine and
> > also a Windows Server 2008 machine. I was able to see that the
> > sec_access_check_ds() always returns an NT_STATUS_ACCESS_DENIED which in
> > turn results in an LDB_ERR_INSUFFICIENT_RIGHTS error being thrown from
> > the
> > dsdb_check_access_on_dn_internal(). The field 'bits_remaining' in the
> > access check implementation, always ends up getting a value 1. Is there
> > anything that I am doing wrong here? Is this an expected behavior ? Any
> > help would be greatly appreciated.
>
> In MS AD, by default non-domain admins can join max. 10 machines to
> the domain. Normally it should be the same in Samba AD (if not, it's a
> bug or missing feature and a bug report should be opened). But I have
> never checked this against Samba AD, because this is always one of the
> first things I turn off. :-)
>
> Is it disabled at your site or have you exceeded this limit for that
> account?
>
> This is how I allow technicians to join machines without that limit and
> without telling them the domain admin password:
>
>
> https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>
>
> Regards,
> Marc
>
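A way to answer Marc's question ("is it disabled at your site or have you exceeded this limit for that account?") from the directory itself, as an added example that is not code from this thread or from Samba: the default join limit is the ms-DS-MachineAccountQuota attribute on the domain object, and a computer account created by a non-admin under that quota carries the creator's SID in mS-DS-CreatorSID, so counting that attribute per SID shows how much of the quota an account has used. The script parses ldbsearch-style LDIF; the embedded LDIF is a constructed sample standing in for queries such as `ldbsearch -H /path/to/sam.ldb -s base -b DC=example,DC=com ms-DS-MachineAccountQuota` and `ldbsearch -H /path/to/sam.ldb '(objectClass=computer)' mS-DS-CreatorSID` (hypothetical path and base DN). It handles SIDs both as `S-1-...` strings and as base64 binary (`::`), since which form a tool prints depends on its schema handling; the fallback to 10 when the quota attribute is absent from the output is an assumption matching the AD default Marc cites.

```python
"""Added example (not from the thread or from Samba): tally quota-consuming
machine joins per creator SID from ldbsearch output and compare against
ms-DS-MachineAccountQuota."""
import base64
import re
from collections import Counter

# Assumption: AD's default quota, used only if the attribute is not in the output.
DEFAULT_QUOTA = 10

# Constructed sample of ldbsearch output (not real directory data).
SAMPLE_LDIF = """\
dn: DC=example,DC=com
ms-DS-MachineAccountQuota: 10

dn: CN=PC01,CN=Computers,DC=example,DC=com
mS-DS-CreatorSID: S-1-5-21-111-222-333-1105

dn: CN=PC02,CN=Computers,DC=example,DC=com
mS-DS-CreatorSID: S-1-5-21-111-222-333-1105

dn: CN=SRV01,CN=Computers,DC=example,DC=com
objectClass: computer

# returned 4 records
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")


def sid_from_binary(blob):
    """Convert a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) to S-1-... form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_ldif(text):
    """Split ldbsearch output into records: lower-cased attribute -> list of values.
    Comment lines are skipped; '::' values are base64 and, for *SID attributes,
    decoded into string SIDs so both renderings count the same way."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # folded continuation lines are not expected here
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            raw = base64.b64decode(value)
            value = sid_from_binary(raw) if attr.endswith("sid") else raw.decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def machine_account_quota(records):
    """Quota from the domain object; 0 means non-admin joins are disabled."""
    for rec in records:
        if "ms-ds-machineaccountquota" in rec:
            return int(rec["ms-ds-machineaccountquota"][0])
    return DEFAULT_QUOTA


def joins_by_creator(records):
    """Only computers created by a non-admin under the quota carry
    mS-DS-CreatorSID, so counting it counts quota-consuming joins per SID."""
    counts = Counter()
    for rec in records:
        counts.update(rec.get("ms-ds-creatorsid", []))
    return dict(counts)


def remaining_joins(records, creator_sid):
    """Joins the account may still perform; 0 when the quota is disabled or used up."""
    used = joins_by_creator(records).get(creator_sid, 0)
    return max(machine_account_quota(records) - used, 0)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("ms-DS-MachineAccountQuota:", machine_account_quota(recs))
    for sid, n in joins_by_creator(recs).items():
        print("%s used %d, remaining %d" % (sid, n, remaining_joins(recs, sid)))
```

Run it against the two ldbsearch outputs concatenated into one file; a user whose remaining count is 0 will get exactly the access-denied result Lexi describes, while a quota of 0 means the limit has been switched off for everyone, which is the case where the delegation in Marc's wiki link is the intended route.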

