[Samba] Can't join machine without full access

Luca Olivetti luca at wetron.es
Tue Jun 2 08:40:11 MDT 2015


On 02/06/15 at 16:11, Luca Olivetti wrote:

> Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
> (I'm still in the testing phase).
> 
> I'm experimenting with task delegation.

I'm also having the same problems with GPO delegation: In GPMC I granted
permission to a group I'm a member of, but I get "Access denied" when I
try to create a GPO.
The funny thing is that I can add or remove items in the delegation tab
of GPMC.


> 
> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> Windows 7).
> 
> Adding a Windows 7 machine to the domain fails with "access denied".
> 
> Trying to join a Linux client I get
> 
> # net ads join -U luca
> Enter luca's password:
> Failed to join domain: failed to set machine spn: Insufficient access
> 
> (I tried a fresh migration and now the error message is "Failed to join
> domain: Failed to set account flags for machine account
> (NT_STATUS_ACCESS_DENIED)")
> 
> 
> If I give myself full control over the domain (or just over "computer
> accounts" objects) both joins work.
> 
> Unfortunately, I don't remember if I tested under the same conditions
> with earlier samba versions.
> 
> Is this a problem with samba, the ADUC wizard or are things supposed
> (not) to work this way?
> 
> FWIW, this is my smb.conf
> 
> 
> # Global parameters
> [global]
>         workgroup = WETRON
>         realm = SAMBA.WETRON.ES
>         netbios name = DC1
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
> 
>         tls enabled = yes
>         tls keyfile =
> /var/lib/samba/private/tls/samba.wetron.es.key.insecure
>         tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
>         tls cafile = /var/lib/samba/private/tls/wetron.crt
> 
>         dns forwarder = 192.168.169.6
> 
>         template homedir = /net/netapp01/vol/Data/home/%U
>         template shell = /bin/false
> 
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         #netapp, see
>         # http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
>         allow nt4 crypto = yes
> 
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/samba.wetron.es/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> 


-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
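A small audit helper to go with the question above (added here as an example; it is not code from the original post or from Samba). The join errors quoted in the thread, "failed to set machine spn" and "Failed to set account flags for machine account", correspond to writes of the servicePrincipalName and userAccountControl attributes on the new computer object, while the ADUC task grants creation of computer objects. The script parses the DACL portion of an SDDL string (as returned, for instance, by samba-tool dsacl get on the domain or container DN) and reports whether a principal, given as its own SID plus the SIDs of its groups, holds an allow ACE for each of those three operations. The sample SDDL is constructed; the three schema GUIDs are the well-known attributeSchema/classSchema GUIDs and are assumed here (verify them against your own schema). Deny ACEs and inheritance are deliberately not evaluated.

```python
import re
from dataclasses import dataclass

# Well-known AD schema GUIDs (assumed; check your forest's schema before relying on them).
COMPUTER_CLASS_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"  # classSchema: computer
SPN_ATTR_GUID = "f3a64788-5306-11d1-a9c5-0000f80367c1"        # attribute: servicePrincipalName
UAC_ATTR_GUID = "bf967a68-0de6-11d0-a285-00aa003049e2"        # attribute: userAccountControl

# Constructed sample: one delegated user (RID 1105) may only create computer objects,
# Domain Admins (DA) hold the usual full set of rights.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)


@dataclass
class Ace:
    ace_type: str      # "A" allow, "OA" object allow, "D"/"OD" deny, ...
    flags: str
    rights: set        # two-letter SDDL right tokens, or a single hex mask string
    object_guid: str   # lower-case GUID this ACE is restricted to, "" if unrestricted
    inherit_guid: str
    sid: str           # SID or two-letter SDDL alias such as DA


DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(token: str) -> set:
    """SDDL rights are either a hex mask ("0x...") or concatenated two-letter codes."""
    if token.startswith("0x"):
        return {token}
    return {token[i:i + 2] for i in range(0, len(token), 2)}


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the DACL section of an SDDL string (conditional ACEs skipped)."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        aces.append(Ace(fields[0], fields[1], split_rights(fields[2]),
                        fields[3].lower(), fields[4].lower(), fields[5]))
    return aces


def allowed_rights(aces: list, sids: set, object_guid: str) -> set:
    """Union of rights granted by allow ACEs to any SID in `sids` that apply to
    `object_guid` (object-specific ACE) or to the whole object (no GUID)."""
    rights = set()
    for ace in aces:
        if ace.ace_type not in ("A", "OA") or ace.sid not in sids:
            continue
        if ace.object_guid not in ("", object_guid):
            continue
        rights |= ace.rights
    return rights


def check_join_delegation(sddl: str, sids: set) -> dict:
    """Map each operation a machine join needs to whether `sids` are granted it.
    GA (generic all) satisfies everything; GW (generic write) satisfies attribute writes."""
    aces = parse_dacl(sddl)
    return {
        "create_computer": bool(allowed_rights(aces, sids, COMPUTER_CLASS_GUID) & {"CC", "GA"}),
        "write_spn": bool(allowed_rights(aces, sids, SPN_ATTR_GUID) & {"WP", "GW", "GA"}),
        "write_uac": bool(allowed_rights(aces, sids, UAC_ATTR_GUID) & {"WP", "GW", "GA"}),
    }


if __name__ == "__main__":
    for who in ({"S-1-5-21-1-2-3-1105"}, {"DA"}):
        print(sorted(who), check_join_delegation(SAMPLE_SDDL, who))
```

Run against the constructed DACL, the delegated user comes back with create_computer granted but write_spn and write_uac missing, which is the shape of failure the thread describes, while DA passes all three. To use it on a real domain, feed it the SDDL of the domain root (or the OU where computers land) and pass the joining user's SID together with every group SID the user carries.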

