[Samba] Can't join machine without full access
Luca Olivetti
luca at wetron.es
Tue Jun 2 08:40:11 MDT 2015
On 02/06/15 at 16:11, Luca Olivetti wrote:
> Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
> (I'm still in the testing phase).
>
> I'm experimenting with task delegation.
I'm also having the same problems with GPO delegation: In GPMC I granted
permission to a group I'm a member of, but I get "Access denied" when I
try to create a GPO.
The funny thing is that I can add or remove items in the delegation tab
of GPMC.
>
> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> windows 7).
>
> Adding a windows 7 machine to the domain fails with "access denied".
>
> Trying to join a linux client I get
>
> # net ads join -U luca
> Enter luca's password:
> Failed to join domain: failed to set machine spn: Insufficient access
>
> (I tried a fresh migration and now the error message is "Failed to join
> domain: Failed to set account flags for machine account
> (NT_STATUS_ACCESS_DENIED)")
>
>
> If I give myself full control over the domain (or just over "computer
> accounts" objects) both joins work.
>
> Unfortunately, I don't remember if I tested under the same conditions
> with earlier samba versions.
>
> Is this a problem with samba, the ADUC wizard or are things supposed
> (not) to work this way?
>
> FWIW, this is my smb.conf
>
>
> # Global parameters
> [global]
> workgroup = WETRON
> realm = SAMBA.WETRON.ES
> netbios name = DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
> tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
> tls cafile = /var/lib/samba/private/tls/wetron.crt
>
> dns forwarder = 192.168.169.6
>
> template homedir = /net/netapp01/vol/Data/home/%U
> template shell = /bin/false
>
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #netapp, see
> # http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
> allow nt4 crypto = yes
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.wetron.es/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
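The two errors quoted in the thread ("failed to set machine spn" and "Failed to set account flags") point at missing write access on servicePrincipalName and userAccountControl, beyond the right to create the computer object itself. The script below is an added example, not part of the thread, that checks an SDDL string of the form `samba-tool dsacl get --objectdn=<container>` prints for those rights; the SDDL and the trustee SID are constructed, the schema GUIDs are the standard AD ones.

```shell
#!/bin/sh
# Constructed sample of the SDDL that `samba-tool dsacl get --objectdn=<container>` prints
# for a container such as CN=Computers (real output is one long line; the SID is made up).
# Trustee S-1-5-21-1-2-3-1105 may create computer objects and write servicePrincipalName
# on them, but holds no ACE for userAccountControl.
SDDL='O:DAG:DAD:AI(OA;CI;CC;bf967a86-0020-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)(OA;CIIO;WP;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0020-11d0-a768-00aa006e0529;S-1-5-21-1-2-3-1105)(A;;RPLCLORC;;;AU)'

# Schema GUIDs referenced by the ACEs (AD schema: computer class, servicePrincipalName, userAccountControl).
COMPUTER_CLASS=bf967a86-0020-11d0-a768-00aa006e0529
SPN_ATTR=f3a64788-5306-11d1-a9c5-0000f80367c1
UAC_ATTR=bf967a68-0020-11d0-a768-00aa006e0529

# has_right SDDL SID RIGHT GUID
# Returns 0 if an allow ACE for SID grants RIGHT (e.g. CC or WP) on GUID, either as an
# object-specific ACE (OA) naming that GUID or as a plain ACE (A) carrying the right
# (or GA, generic all) for the whole object. Deny ACEs and group membership are not evaluated.
has_right() {
  printf '%s\n' "$1" | tr '(' '\n' | tr -d ')' |
  awk -F';' -v sid="$2" -v right="$3" -v guid="$4" '
    $1 == "OA" && $6 == sid && tolower($4) == tolower(guid) &&
      (index($3, right) || index($3, "GA")) { found = 1 }
    $1 == "A"  && $6 == sid && (index($3, right) || index($3, "GA")) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Map the two join errors from the thread to the rights they need and report each one.
check_join_delegation() {
  sid=$1
  has_right "$SDDL" "$sid" CC "$COMPUTER_CLASS" && echo "create computer objects: ok" || echo "create computer objects: MISSING"
  has_right "$SDDL" "$sid" WP "$SPN_ATTR" && echo "write servicePrincipalName: ok" || echo "write servicePrincipalName: MISSING (-> 'failed to set machine spn')"
  has_right "$SDDL" "$sid" WP "$UAC_ATTR" && echo "write userAccountControl: ok" || echo "write userAccountControl: MISSING (-> 'Failed to set account flags')"
}

check_join_delegation S-1-5-21-1-2-3-1105
```

Against a live domain, replace the constructed SDDL with the output of `samba-tool dsacl get` for the container the delegation was set on and pass the SID of the delegated user or group.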