[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error

Lexi Wright lexiwright1788 at gmail.com
Mon Jun 9 16:30:21 MDT 2014


Hi,

I have been trying to domain join a Windows workstation to my samba domain
as a domain user. I have been getting an "Access Denied" error while trying
to domain join a Windows machine to my samba domain. This happens only when
I use a non-admin account. I increased the log level to 10 and this is what
I was able to see:

[2014/06/03 02:00:31.011163,  0, pid=3420, effective(0, 0), real(0, 0)]
../source4/dsdb/common/util_samr.c:185(dsdb_add_user)
  Failed to create user record
CN=DOMJOINSYS,CN=Computers,DC=new,DC=testdomain,DC=org: dsdb_access: Access
check failed on CN=Computers,DC=new,DC=testdomain,DC=org
[2014/06/03 02:00:31.011303,  1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_CreateUser2: struct samr_CreateUser2
          out: struct samr_CreateUser2
              user_handle              : *
                  user_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     :
00000000-0000-0000-0000-000000000000
              access_granted           : *
                  access_granted           : 0x00000000 (0)
              rid                      : *
                  rid                      : 0x00000000 (0)
              result                   : NT_STATUS_ACCESS_DENIED
[2014/06/03 02:00:31.014276,  1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          in: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000001 (1)
                      uuid                     :
abaeda9a-63a2-4048-a9d6-e8b506125527
[2014/06/03 02:00:31.014513,  1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          out: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     :
00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_OK
[2014/06/03 02:00:31.016620,  1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          in: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     :
e0c5f0bf-e8b2-46aa-b0cc-5588fc1f3f55
[2014/06/03 02:00:31.017046,  1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       samr_Close: struct samr_Close
          out: struct samr_Close
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     :
00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_OK

I was able to reproduce the issue using a Windows Server 2003 machine and
also a Windows Server 2008 machine. I was able to see that
sec_access_check_ds() always returns NT_STATUS_ACCESS_DENIED, which in
turn results in an LDB_ERR_INSUFFICIENT_RIGHTS error being thrown from
dsdb_check_access_on_dn_internal(). The field 'bits_remaining' in the
access check implementation always ends up getting a value of 1. Is there
anything that I am doing wrong here? Is this expected behavior? Any
help would be greatly appreciated.

Thanks and Regards,
Lexi
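
The `bits_remaining` value mentioned in the message can be read with a simplified model of a DACL walk: each requested right is a bit, every matching allow ACE clears the bits it grants, and whatever is left over causes the denial. The value 1 equals the directory-service create-child right (0x00000001), the right needed to add a computer object under CN=Computers. This is an added example, not Samba's `sec_access_check_ds()` and not code from the post; the SIDs, the DACL and every function name are constructed, and object ACEs, owner rights and privileges are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADS_CREATE_CHILD 0x00000001u /* DS "create child" access right */
#define ADS_READ_PROP    0x00000010u /* DS "read property" access right */

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; const char *sid; uint32_t mask; };

/* True when the token holds the SID named by an ACE. */
static int token_has_sid(const char **sids, size_t n, const char *sid) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(sids[i], sid) == 0) return 1;
    return 0;
}

/* Walk the DACL in order; return the requested bits nobody granted (0 = allowed). */
uint32_t access_bits_remaining(const struct ace *dacl, size_t n_aces,
                               const char **sids, size_t n_sids, uint32_t desired) {
    uint32_t bits_remaining = desired;
    for (size_t i = 0; i < n_aces && bits_remaining; i++) {
        if (!token_has_sid(sids, n_sids, dacl[i].sid)) continue;
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & bits_remaining))
            return bits_remaining;           /* explicit deny ends the walk */
        if (dacl[i].type == ACE_ALLOW)
            bits_remaining &= ~dacl[i].mask; /* clear the bits this ACE grants */
    }
    return bits_remaining;
}

/* Constructed DACL for a Computers container: admins create, users only read. */
static const struct ace computers_dacl[] = {
    { ACE_ALLOW, "S-1-5-21-1-2-3-512", ADS_CREATE_CHILD | ADS_READ_PROP }, /* Domain Admins */
    { ACE_ALLOW, "S-1-5-11",           ADS_READ_PROP },              /* Authenticated Users */
};
/* Constructed tokens: user SID, primary group SID, Authenticated Users. */
static const char *admin_token[] = { "S-1-5-21-1-2-3-500",  "S-1-5-21-1-2-3-512", "S-1-5-11" };
static const char *user_token[]  = { "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513", "S-1-5-11" };

uint32_t join_as_admin(void) { return access_bits_remaining(computers_dacl, 2, admin_token, 3, ADS_CREATE_CHILD); }
uint32_t join_as_user(void)  { return access_bits_remaining(computers_dacl, 2, user_token, 3, ADS_CREATE_CHILD); }

int main(void) {
    printf("admin bits_remaining=0x%x\n", (unsigned)join_as_admin());
    printf("user  bits_remaining=0x%x\n", (unsigned)join_as_user());
    return 0;
}
```

In this model the non-admin token is refused because no ACE that matches one of its SIDs grants create-child on the container, so checking the container's ACL for that right is the first thing to verify.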

