[Samba] Can't join machine without full access
Luca Olivetti
luca at wetron.es
Tue Jun 2 08:11:14 MDT 2015
SerNet Samba 4.2.2 on Ubuntu 14.04.2 LTS, a fresh migration from Samba 3
(I'm still in the testing phase).
I'm experimenting with task delegation.
Using the ADUC wizard, I select the "Join machine to domain" task to add
to my userid (I also tried a group I'm a member of with the same
result), at the domain level (rough translation, this is on a localized
Windows 7).
Adding a Windows 7 machine to the domain fails with "access denied".
Trying to join a Linux client I get:
# net ads join -U luca
Enter luca's password:
Failed to join domain: failed to set machine spn: Insufficient access
(I tried a fresh migration and now the error message is "Failed to join
domain: Failed to set account flags for machine account
(NT_STATUS_ACCESS_DENIED)")
If I give myself full control over the domain (or just over "computer
accounts" objects) both joins work.
Unfortunately, I don't remember if I tested under the same conditions
with earlier Samba versions.
Is this a problem with Samba, the ADUC wizard or are things supposed
(not) to work this way?
FWIW, this is my smb.conf:
# Global parameters
[global]
workgroup = WETRON
realm = SAMBA.WETRON.ES
netbios name = DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
tls cafile = /var/lib/samba/private/tls/wetron.crt
dns forwarder = 192.168.169.6
template homedir = /net/netapp01/vol/Data/home/%U
template shell = /bin/false
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#netapp, see
# http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
allow nt4 crypto = yes
[netlogon]
path = /var/lib/samba/sysvol/samba.wetron.es/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007