[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

[Lexi Wright]

Hello Marc,

Thank you for your suggestion. I retried the whole setup with Samba-4.1.8
and I still saw the "Access Denied" error. So, looks like it is a bug in
Samba. And as I mentioned earlier, there's either something wrong with the
access check algorithm implementation or an incorrect access_mask might be
getting passed to the function.

Regards,
Lekshmi


On 10 June 2014 11:37, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello Lexi,
>
> Am 10.06.2014 18:33, schrieb Lexi Wright:
> > I verified that the feature has not been turned off here and I haven't
> > exceeded the limit for the account. So, the following are the steps I
> > followed:
> >
> > 1. Provisioned a Samba domain on a linux machine.
> > 2. Domain joined a Windows machine to the above domain using the Domain
> > admin account.
> > 3. Launched ADUC and created a few users they belong to the group Domain
> > User)
> > 4. Tried to domain join another Windows machine using one of the accounts
> > created in (3)
> >
> > At step 4, encountered an "access denied" error. I also verified that
> this
> > wasn't happening in MS AD.
> >
> > I increased the log level to 10 and tried debugging and figured out the
> > access check algorithm was returning an NT_STATUS_ACCESS_DENIED.
> >
> > Do you think this can be possible a bug in Samba ? Looks like there was a
> > fix a few months ago for incorrectly handling of privileges in the method
> > sec_access_check_ds():
> >
> > http://marc.info/?l=samba-technical&m=138235540825109&w=2
>
> Can you retry it with 4.1.8? If it doesn't work in that version either
> but does against a Windows AD DC, then I seems to be a bug. Then please
> file a bug report and attach your steps and a level 10 debug log.
>
> But as workaround the delegation way I described in the Wiki should
> work. This is how I do that at work.
>
>
> Regards,
> Marc
>
>
>