[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

Marc Muehlfeld mmuehlfeld at samba.org
Tue Jun 10 12:37:33 MDT 2014

Hello Lexi,

On 10.06.2014 18:33, Lexi Wright wrote:
> I verified that the feature has not been turned off here and I haven't
> exceeded the limit for the account. So, the following are the steps I
> followed:
> 1. Provisioned a Samba domain on a linux machine.
> 2. Domain joined a Windows machine to the above domain using the Domain
> admin account.
> 3. Launched ADUC and created a few users (they belong to the group Domain
> User)
> 4. Tried to domain join another Windows machine using one of the accounts
> created in (3)
> At step 4, encountered an "access denied" error. I also verified that this
> wasn't happening in MS AD.
> I increased the log level to 10 and tried debugging and figured out the
> access check algorithm was returning an NT_STATUS_ACCESS_DENIED.
> Do you think this can possibly be a bug in Samba? Looks like there was a
> fix a few months ago for incorrect handling of privileges in the method
> sec_access_check_ds():
> http://marc.info/?l=samba-technical&m=138235540825109&w=2

Can you retry it with 4.1.8? If it doesn't work in that version either
but does against a Windows AD DC, then it seems to be a bug. Then please
file a bug report and attach your steps and a level 10 debug log.

But as a workaround, the delegation way I described in the Wiki should
work. This is how I do that at work.

