I need help to resolve this issue. I saw that Andrew put a patch by Antti to enable users without full admin access to join samba into an AD domain. I am playing with it and always get "Insufficient access". Using the same user, I can join a Windows box into the domain just fine. The user is a member of "domain users", but not "domain admins". I can use a user in "domain admins" to join the AD domain fine too.

I tried with beta3, and it's the same as alpha24 and alpha21 (a21 did not have Antti's patch).

So my question is, is this supported, or broken, or am I using it wrong?

The failure happens during ldap_add_s called from ads_add_machine_acct().

I do kinit before the "net ads join" command. However I haven't found where the kerberos ticket was used before the failure although the ticket does make a difference.

Thanks,
Chere
Antti Andreimann
2003-Jul-18 20:29 UTC
[Samba] Re: Joining samba to AD domain with a non-admin user
On one fine day (Friday, 18 July 2003 03:12), Chere Zhou wrote:

> So my question is, is this supported, or broken, or am I using it wrong?

Well, it is supported, but not extensively tested with different users. Therefore it is great that You are actually trying this feature out.

> The failure happens during ldap_add_s called from ads_add_machine_acct().

The failure in ldap_add_s seems to indicate that AD is refusing to add the machine account maybe due to insufficient rights, but maybe because there is already an account for the machine. Do You get any other error messages as well? Failure to delete the account prior to adding for instance?

> I do kinit before the "net ads join" command. However I haven't found
> where the kerberos ticket was used before the failure although the ticket
> does make a difference.

The first thing that comes to my mind is that maybe You should try net ads join -U username. This way the net command will get a brand new ticket from AD. It should use kerberos cache otherwise and actually both ways should work, but maybe there is some unknown bug.

Another thing that You could try is to remove the machine account from AD by hand (if it exists) prior to joining it with samba.

I am looking forward to receiving Your feedback if and how any of those suggestions worked.

--
Antti Andreimann
Using Linux since 1993
Member of ELUG since 29.01.2000