[Samba] Can't join machine without full access

Luca Olivetti luca at wetron.es
Tue Jun 2 08:11:14 MDT 2015


Sernet Samba 4.2.2 on Ubuntu 14.04.2 LTS, a fresh migration from Samba 3
(I'm still in the testing phase).

I'm experimenting with task delegation.

Using the ADUC wizard, I select the "Join machine to domain" task to add
to my userid (I also tried a group I'm a member of with the same
result), at the domain level (rough translation, this is on a localized
Windows 7).

Adding a Windows 7 machine to the domain fails with "access denied".

Trying to join a Linux client I get

# net ads join -U luca
Enter luca's password:
Failed to join domain: failed to set machine spn: Insufficient access

(I tried a fresh migration and now the error message is "Failed to join
domain: Failed to set account flags for machine account
(NT_STATUS_ACCESS_DENIED)")


If I give myself full control over the domain (or just over "computer
accounts" objects) both joins work.

Unfortunately, I don't remember if I tested under the same conditions
with earlier samba versions.

Is this a problem with samba, the ADUC wizard or are things supposed
(not) to work this way?

FWIW, this is my smb.conf


# Global parameters
[global]
        workgroup = WETRON
        realm = SAMBA.WETRON.ES
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
        tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
        tls cafile = /var/lib/samba/private/tls/wetron.crt

        dns forwarder = 192.168.169.6

        template homedir = /net/netapp01/vol/Data/home/%U
        template shell = /bin/false

        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        #netapp, see
        # http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
        allow nt4 crypto = yes


[netlogon]
        path = /var/lib/samba/sysvol/samba.wetron.es/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
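The two join errors quoted in the post name a write to the machine SPN and a write to the machine account flags, which (my reading) correspond to the servicePrincipalName and userAccountControl attributes of the freshly created computer object. The script below is an added example, not code from the original post or from Samba: it parses the object's nTSecurityDescriptor in SDDL form and reports, for the joining user's SID plus its group SIDs, whether write-property is effective on each of those two attributes, walking the DACL in NT order so that deny ACEs and inherit-only ACEs are honoured. The domain SID, the user RID and the sample descriptor are constructed for illustration; the two schemaIDGUIDs are the standard AD ones and should be verified against CN=Schema in your forest.

```python
"""Check a computer object's DACL for the two writes a domain join needs.

Added example (not from the original post or from Samba).  Assumptions: the
schemaIDGUIDs below are the standard AD ones (verify in CN=Schema); the domain
SID, RIDs and sample descriptor are constructed; property-set GUIDs and
validated writes (SW) are neither expanded nor counted as write-property.
"""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "ace_type flags mask object_guid sid")

# SDDL access-right codes for directory objects (MS-DTYP 2.5.1.2 / MS-ADTS).
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# WP itself, or a generic right that maps onto it for DS objects.
WRITE_BITS = RIGHT_CODES["WP"] | RIGHT_CODES["GW"] | RIGHT_CODES["GA"]

# Attribute schemaIDGUIDs (assumed standard schema; verify in your forest).
JOIN_ATTRS = {
    "servicePrincipalName": "f3a64788-5306-11d1-a9c5-0000f80367c1",
    "userAccountControl": "bf967a68-0de6-11d0-a285-00aa003049e2",
}

# SDDL SID aliases: fixed well-known SIDs and domain-relative RIDs.
FIXED_SIDS = {"AU": "S-1-5-11", "WD": "S-1-1-0", "SY": "S-1-5-18",
              "BA": "S-1-5-32-544", "CO": "S-1-3-0"}
DOMAIN_RIDS = {"DA": 512, "DU": 513, "DC": 515}


def resolve_sid(token, domain_sid):
    """Expand a two-letter SDDL alias; literal S-1-... SIDs pass through."""
    if token.startswith("S-"):
        return token
    if token in FIXED_SIDS:
        return FIXED_SIDS[token]
    if token in DOMAIN_RIDS:
        return "%s-%d" % (domain_sid, DOMAIN_RIDS[token])
    raise ValueError("unsupported SID alias %r" % token)


def parse_pairs(field):
    """Split a run of two-letter SDDL codes ('CIIO' -> {'CI', 'IO'})."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_rights(field):
    """Rights field is hex ('0x20') or concatenated codes ('RPWP')."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for code in parse_pairs(field):
        mask |= RIGHT_CODES[code]          # unknown code: KeyError, fail loudly
    return mask


def parse_dacl(sddl, domain_sid):
    """ACEs of the D: section in order (type;flags;rights;obj_guid;inh_guid;sid)."""
    start = sddl.find("D:")
    if start < 0:
        return []                          # no DACL: nothing is granted
    dacl = sddl[start + 2:]
    end = dacl.find("S:")                  # stop at the SACL if present
    dacl = dacl[:end] if end >= 0 else dacl
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):   # DACL flags (e.g. AI) precede the first '('
        ace_type, flags, rights, obj_guid, _inh_guid, sid = body.split(";")[:6]
        aces.append(Ace(ace_type, parse_pairs(flags), parse_rights(rights),
                        obj_guid.lower(), resolve_sid(sid, domain_sid)))
    return aces


def can_write_property(aces, trustee_sids, attr_guid):
    """Single-right check in NT order: the first effective ACE naming one of the
    trustee's SIDs, covering the attribute and carrying a write bit decides."""
    attr_guid = attr_guid.lower()
    for ace in aces:
        if "IO" in ace.flags:              # inherit-only: children, not this object
            continue
        if ace.sid not in trustee_sids:
            continue
        if ace.object_guid and ace.object_guid != attr_guid:
            continue                       # scoped to another attribute or right
        if not ace.mask & WRITE_BITS:
            continue
        return ace.ace_type in ("A", "OA")   # allow -> True, deny -> False
    return False                           # no matching ACE: denied


def check_join_writes(sddl, trustee_sids, domain_sid):
    """Map each join-relevant attribute to whether the trustee may write it."""
    aces = parse_dacl(sddl, domain_sid)
    return {name: can_write_property(aces, trustee_sids, guid)
            for name, guid in JOIN_ATTRS.items()}


# Constructed sample: a new computer object after a delegated join attempt.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
JOINING_USER = DOMAIN_SID + "-1105"                          # constructed RID
SAMPLE_SDDL = "".join([
    "O:", JOINING_USER, "G:DU", "D:AI",
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",          # Domain Admins: full control
    "(A;;RPLCLORC;;;AU)",                             # Authenticated Users: read
    "(OA;;WP;" + JOIN_ATTRS["servicePrincipalName"] + ";;" + JOINING_USER + ")",
    # Inherit-only (IO): reaches children but never this object, so the
    # userAccountControl write still fails for the delegated user.
    "(OA;CIIO;WP;" + JOIN_ATTRS["userAccountControl"] + ";;" + JOINING_USER + ")",
])

if __name__ == "__main__":
    user = {JOINING_USER, DOMAIN_SID + "-513", "S-1-5-11"}   # user, Domain Users, Authenticated Users
    print("joining user:", check_join_writes(SAMPLE_SDDL, user, DOMAIN_SID))
    print("Domain Admins:", check_join_writes(SAMPLE_SDDL, {DOMAIN_SID + "-512"}, DOMAIN_SID))
```

Run it against a real object by pasting the SDDL of the computer object that the failed join left behind (recent Samba releases print it with `samba-tool dsacl get`; this is assumed, not verified on the 4.2.2 in the post) and the SIDs of the joining user and every group it belongs to. A False next to servicePrincipalName or userAccountControl lines up with the corresponding error message. One caveat when reading the output: ACEs granted to CREATOR OWNER (CO) on the container are instantiated on the new object under the creating user's own SID, so they appear in the object's DACL as that SID rather than as CO.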

