[Samba] Can't join machine without full access
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 2 09:00:59 MDT 2015
What I read is correct, yes.
> Adding a windows 7 machine to the domain fails with "access denied".
You forgot the following, from what I read below.
Add the user to a "Domain\GROUP".
Add this group to the LOCAL_PC\Administrators group.
And now you're set to go.
Even if you give a user or group the rights to join a domain,
this user or group MUST have Administrator access on the PC.
And make sure your login name and PC names are NOT the same.
read this one:
http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain
First the GPO is created to set the LOCAL_COMPUTER User Rights Assignments (add workstations to domain).
I advise using a group for this, and this can be a domain group.
Reboot the PC or refresh your policies (2 times, to make sure).
And then delegate rights using Active Directory Users and Computers.
Greetz,
Louis
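The delegation step above, done from the Samba side as an added example (not Louis's or the Samba project's code): it grants one group the right to create computer objects in an OU plus write access to the attributes the join sets on the new object, which are exactly the steps that fail in the quoted thread with "failed to set machine spn" and "Failed to set account flags". The OU DN, group SID and admin account are placeholders, and the schema GUIDs are the standard AD values, assumed to match your schema.

```shell
#!/bin/sh
# Delegate "join computers to the domain" to one group on one OU of a
# Samba AD DC with samba-tool dsacl. Placeholders: OU DN, group SID, admin.
set -eu

# Schema GUIDs (standard AD values; assumption: verify against your schema).
COMPUTER_CLASS=bf967a86-0de6-11d0-a285-00aa003049e2   # computer object class
ATTR_SPN=f3a64788-5306-11d1-a9c5-0000f80367c1         # servicePrincipalName
ATTR_UAC=bf967a68-0de6-11d0-a285-00aa003049e2         # userAccountControl
ATTR_DNSHOST=72e39547-7b18-11d1-adef-00c04fd8d5cd     # dNSHostName

# Build the SDDL ACEs for one group SID: CC (create child) restricted to
# computer objects on the OU itself, and WP (write property) on the three
# attributes, inherited only onto computer objects below it (CIIO).
build_join_aces() {
    sid=$1
    printf '(OA;;CC;%s;;%s)' "$COMPUTER_CLASS" "$sid"
    for attr in "$ATTR_SPN" "$ATTR_UAC" "$ATTR_DNSHOST"; do
        printf '(OA;CIIO;WP;%s;%s;%s)' "$attr" "$COMPUTER_CLASS" "$sid"
    done
}

# Add the ACEs to the OU's DACL, then show the entries that mention the SID
# so the result can be checked before anyone tries a join.
delegate_join() {
    ou_dn=$1; sid=$2; admin=$3
    samba-tool dsacl set --objectdn="$ou_dn" \
        --sddl="$(build_join_aces "$sid")" -U "$admin"
    samba-tool dsacl get --objectdn="$ou_dn" -U "$admin" | grep -- "$sid"
}

# Usage: sh delegate-join.sh "OU=Workstations,DC=example,DC=com" \
#        S-1-5-21-EXAMPLE-1234 Administrator
if [ "$#" -eq 3 ]; then
    delegate_join "$1" "$2" "$3"
fi
```

Run it on the DC (or with `-H ldap://dc` added to both samba-tool calls); the group SID comes from `wbinfo -n 'DOMAIN\GROUP'` or `samba-tool group show`.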
>-----Original message-----
>From: luca at wetron.es [mailto:samba-bounces at lists.samba.org]
>On behalf of Luca Olivetti
>Sent: Tuesday 2 June 2015 16:11
>To: samba at lists.samba.org
>Subject: [Samba] Can't join machine without full access
>
>Sernet Samba 4.2.2 on Ubuntu 14.04.2 LTS, a fresh migration
>from Samba 3
>(I'm still in the testing phase).
>
>I'm experimenting with task delegation.
>
>Using the ADUC wizard, I select the "Join machine to domain"
>task to add
>to my userid (I also tried a group I'm a member of with the same
>result), at the domain level (rough translation, this is on a localized
>Windows 7).
>
>Adding a Windows 7 machine to the domain fails with "access denied".
>
>Trying to join a Linux client I get
>
># net ads join -U luca
>Enter luca's password:
>Failed to join domain: failed to set machine spn: Insufficient access
>
>(I tried a fresh migration and now the error message is "Failed to join
>domain: Failed to set account flags for machine account
>(NT_STATUS_ACCESS_DENIED)")
>
>
>If I give myself full control over the domain (or just over "computer
>accounts" objects) both joins work.
>
>Unfortunately, I don't remember if I tested under the same conditions
>with earlier samba versions.
>
>Is this a problem with samba, the ADUC wizard or are things supposed
>(not) to work this way?
>
>FWIW, this is my smb.conf
>
>
># Global parameters
>[global]
> workgroup = WETRON
> realm = SAMBA.WETRON.ES
> netbios name = DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> tls enabled = yes
> tls keyfile =
>/var/lib/samba/private/tls/samba.wetron.es.key.insecure
> tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
> tls cafile = /var/lib/samba/private/tls/wetron.crt
>
> dns forwarder = 192.168.169.6
>
> template homedir = /net/netapp01/vol/Data/home/%U
> template shell = /bin/false
>
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #netapp, see
> # http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
> allow nt4 crypto = yes
>
>
>[netlogon]
> path = /var/lib/samba/sysvol/samba.wetron.es/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>--
>Luca Olivetti
>Wetron Automation Technology http://www.wetron.es
>Tel. +34 935883004 Fax +34 935883007