[Samba] Can't join machine without full access

L.P.H. van Belle belle at bazuin.nl
Tue Jun 2 09:00:59 MDT 2015


What I read is correct, yes. 

> Adding a windows 7 machine to the domain fails with "access denied". 

You forgot the following, from what I read below. 

Add the user to a "Domain\GROUP". 
Add this group to the LOCAL_PC\Administrators group. 

And now you're set to go. 

Even if you give a user or group the rights to join a domain,
this user or group MUST have Administrator access on the PC. 

And make sure your login name and PC names are NOT the same. 

Read this one:
http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain 

First the GPO is created to set the LOCAL_COMPUTER User Rights Assignments (add workstations to domain). 
I advise using a group for this, and this can be a domain group. 
Reboot the PC or refresh your policies (2 times, to make sure). 

And then delegate rights using Active Directory Users and Computers. 


Greetz, 

Louis


>-----Original message-----
>From: luca at wetron.es [mailto:samba-bounces at lists.samba.org] 
>On behalf of Luca Olivetti
>Sent: Tuesday 2 June 2015 16:11
>To: samba at lists.samba.org
>Subject: [Samba] Can't join machine without full access
>
>Sernet Samba 4.2.2 on Ubuntu 14.04.2 LTS, a fresh migration from Samba 3
>(I'm still in the testing phase).
>
>I'm experimenting with task delegation.
>
>Using the ADUC wizard, I select the "Join machine to domain" task to add
>to my user ID (I also tried a group I'm a member of, with the same
>result), at the domain level (rough translation, this is on a localized
>Windows 7).
>
>Adding a windows 7 machine to the domain fails with "access denied".
>
>Trying to join a linux client I get
>
># net ads join -U luca
>Enter luca's password:
>Failed to join domain: failed to set machine spn: Insufficient access
>
>(I tried a fresh migration and now the error message is "Failed to join
>domain: Failed to set account flags for machine account
>(NT_STATUS_ACCESS_DENIED)")
>
>
>If I give myself full control over the domain (or just over "computer
>accounts" objects) both joins work.
>
>Unfortunately, I don't remember if I tested under the same conditions
>with earlier samba versions.
>
>Is this a problem with samba, the ADUC wizard or are things supposed
>(not) to work this way?
>
>FWIW, this is my smb.conf
>
>
># Global parameters
>[global]
>        workgroup = WETRON
>        realm = SAMBA.WETRON.ES
>        netbios name = DC1
>        server role = active directory domain controller
>        idmap_ldb:use rfc2307 = yes
>
>        tls enabled = yes
>        tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
>        tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
>        tls cafile = /var/lib/samba/private/tls/wetron.crt
>
>        dns forwarder = 192.168.169.6
>
>        template homedir = /net/netapp01/vol/Data/home/%U
>        template shell = /bin/false
>
>        printing = bsd
>        printcap name = /dev/null
>        disable spoolss = yes
>
>        #netapp, see
>        # http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
>        allow nt4 crypto = yes
>
>
>[netlogon]
>        path = /var/lib/samba/sysvol/samba.wetron.es/scripts
>        read only = No
>
>[sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
>
>
>-- 
>Luca Olivetti
>Wetron Automation Technology http://www.wetron.es
>Tel. +34 935883004  Fax +34 935883007



More information about the samba mailing list
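The delegation the thread is working toward, done with samba-tool on the DC, as an added example that is not part of the thread and not Samba's own documentation. The domain and realm come from the quoted smb.conf; the group name, the container DN, and the schema and control-access GUIDs (standard AD values, written here from memory) are my assumptions. The original poster reports that full control over computer objects makes both joins work and that the two failing steps are setting the machine SPN and the account flags; this script grants a narrower set than full control: create computer objects in the container, and on the resulting computer objects write servicePrincipalName, userAccountControl and dNSHostName plus the Reset Password right. It also assumes that `samba-tool dsacl set --sddl` inserts the given ACE string into the object's existing security descriptor, which is how I understand that subcommand to behave.

```shell
#!/bin/sh
# Added example (not from the thread): delegate "join a computer to the
# domain" to a domain group on a Samba AD DC.  Run as root on the DC:
#   ./delegate-join.sh luca
set -eu

DOMAIN=WETRON                        # from the quoted smb.conf
BASE_DN='DC=samba,DC=wetron,DC=es'   # derived from realm SAMBA.WETRON.ES
GROUP='join-computers'               # assumed group name
OU="CN=Computers,$BASE_DN"           # default container; a dedicated OU works too

# Schema / control-access GUIDs (assumed standard AD values, from memory).
CLS_COMPUTER=bf967a86-0de6-11d0-a285-00aa003049e2   # class: computer
ATTR_SPN=f3a64788-5306-11d1-a9c5-0000f80367c1       # servicePrincipalName
ATTR_UAC=bf967a68-0de6-11d0-a285-00aa003049e2       # userAccountControl
ATTR_DNSHOST=72e39547-7b18-11d1-adef-00c04fd8d5cd   # dNSHostName
RIGHT_RESET_PW=00299570-246d-11d0-a768-00aa006e0529 # Reset Password right

# Build the SDDL ACE list for one trustee SID.  Pure string work, so it can
# be checked without a DC.  One ACE creates computer objects in the container
# (CI = inherit into child containers); the rest are inherit-only (IO) onto
# descendant computer objects: three write-property ACEs and one
# control-access ACE for password reset.
join_delegation_sddl() {
    sid=$1
    aces="(OA;CI;CC;$CLS_COMPUTER;;$sid)"
    for right in "WP;$ATTR_SPN" "WP;$ATTR_UAC" "WP;$ATTR_DNSHOST" "CR;$RIGHT_RESET_PW"; do
        aces="${aces}(OA;CIIO;$right;$CLS_COMPUTER;$sid)"
    done
    printf '%s' "$aces"
}

# Create the group, add the user, resolve the group's SID, apply the ACEs to
# the container and print the resulting descriptor for inspection.
delegate_join() {
    user=$1
    samba-tool group add "$GROUP" --description="May join computers to $DOMAIN" || true
    samba-tool group addmembers "$GROUP" "$user"
    sid=$(wbinfo -n "$DOMAIN\\$GROUP" | cut -d' ' -f1)
    samba-tool dsacl set --objectdn="$OU" --sddl="$(join_delegation_sddl "$sid")"
    samba-tool dsacl get --objectdn="$OU"
}

if [ $# -eq 1 ]; then
    delegate_join "$1"
fi
```

After this, `net ads join -U luca` on the Linux client exercises exactly the delegated rights, and the DC side of the reply above is covered; the workstation side of that reply (the domain group must also sit in the Windows PC's local Administrators group, e.g. `net localgroup Administrators "WETRON\join-computers" /add`, and the "Add workstations to domain" user right via GPO) is a separate step on each Windows client. Inspect the descriptor `samba-tool dsacl get` prints before trusting the delegation: the ACEs should appear scoped to the computer class GUID, not as unscoped write rights on the container.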