SLES 9 SP2
samba-3.0.14a-0.4
heimdal-lib-0.6.1rc3-55.15
samba-winbind-3.0.14a-0.4
pam-modules-9-18.10
pam_krb5-1.3-201.7

I've been searching for days for a concrete answer to this question:

Is it possible to join an ADS domain from a Linux Samba server without
having Administrator privileges? Yes or No.

If so, exactly what are the minimal requirements for joining the Linux
box to the domain?

I can get a Kerberos ticket, no problem.

However, when I try to join the domain I get:

app1:~ # net ads join -S servername -d 3 -w domain -U tester%password
[2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
lp_load: refreshing parameters
[2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321)
Initialising global parameters
[2005/11/01 07:44:58, 3] param/params.c:pm_process(573)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409)
Processing section "[global]"
[2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81)
added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
Connected to LDAP server LDAPIPADDRESS
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469)
got ldap server name SERVERNAME@FQDN, using bind path: dc=SERVER,dc=DOMAIN,dc=GOV
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =SERVERNAME1$@FQDN
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for app1 already exists - modifying old account
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
ads_join_realm: Insufficient access
[2005/11/01 07:44:58, 2] utils/net.c:main(902)
return code = -1

---------------

I have no access to the domain, but the Domain admin has assured me he
has set it up exactly as he would to allow a Windows client to join. Is
this correct?

Thanks,
-Mark
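The debug output above can be read stage by stage: the LDAP connection comes up, the SPNEGO bind obtains the server principal and finds a valid ticket in MEMORY:net_ads (the level-3 krb5_cc_get_principal line just before it is followed by that ticket being used), and the join fails only when Samba tries to modify a computer object for app1 that already exists and the directory answers "Insufficient access". In other words, the failure is an authorization decision on that existing object, not a Kerberos problem. The POSIX shell script below is an added example, not from the thread or from Samba, that classifies a `net ads join -d 3` log by the last stage it reached and pulls out the account name Samba could not write; the two log texts are constructed samples modelled on the post, with the thread's own placeholder names, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba: classify a
# `net ads join -d 3` debug log by the last stage it reached.
# Hostnames and addresses are the thread's placeholders.

# Constructed sample, modelled on the log in the post above.
SAMPLE_LOG='[2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
Connected to LDAP server LDAPIPADDRESS
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =SERVERNAME1$@FQDN
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for app1 already exists - modifying old account
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
ads_join_realm: Insufficient access
[2005/11/01 07:44:58, 2] utils/net.c:main(902)
return code = -1'

# Constructed variant: the LDAP connection never came up at all.
SAMPLE_LOG_NOLDAP='[2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
lp_load: refreshing parameters
[2005/11/01 07:44:58, 2] utils/net.c:main(902)
return code = -1'

# log_has LOGTEXT FIXED_STRING -> true if the string occurs in the log
log_has() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# classify_join_log LOGTEXT -> prints one keyword naming the failing stage
classify_join_log() {
    log=$1
    if log_has "$log" 'Insufficient access'; then
        # The directory refused the write. Distinguish "could not modify a
        # pre-created computer object" from "could not create one": the
        # first points at the ACL on the existing object, the second at
        # the right to create computer objects in the target container.
        if log_has "$log" 'already exists - modifying old account'; then
            echo existing-account-no-write-access
        else
            echo no-create-access
        fi
    elif ! log_has "$log" 'Connected to LDAP server'; then
        echo ldap-connect-failed
    elif ! log_has "$log" 'got server principal name'; then
        echo sasl-bind-failed
    elif log_has "$log" 'return code = -1'; then
        echo other-failure
    else
        echo no-failure-recorded
    fi
}

# failed_account LOGTEXT -> the computer account name Samba could not write
# (empty when the log never reached the account step)
failed_account() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ads_add_machine_acct failed (\([^)]*\)).*/\1/p' \
        | head -n 1
}

for l in "$SAMPLE_LOG" "$SAMPLE_LOG_NOLDAP"; do
    printf '%s (account: %s)\n' "$(classify_join_log "$l")" "$(failed_account "$l")"
done
```

For the log in the post the script reports `existing-account-no-write-access (account: app1)`, which tells the domain side exactly what to check: the permissions that the joining user (here `tester`) holds on the pre-created computer object for app1, rather than anything about tickets or the Kerberos configuration on the Linux host.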
http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2

Eric Roseme

Mark F wrote:
> SLES 9 SP2
> samba-3.0.14a-0.4
> heimdal-lib-0.6.1rc3-55.15
> samba-winbind-3.0.14a-0.4
> pam-modules-9-18.10
> pam_krb5-1.3-201.7
>
> I've been searching for days for a concrete answer to this question:
>
> Is it possible to join an ADS domain from a Linux Samba server without
> having Administrator privileges? Yes or No.
>
> If so, exactly what are the minimal requirements for joining the Linux
> box to the domain?
>
> I can get a Kerberos ticket, no problem.
>
> However, when I try to join the domain I get:
>
> app1:~ # net ads join -S servername -d 3 -w domain -U tester%password
> [2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
> lp_load: refreshing parameters
> [2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321)
> Initialising global parameters
> [2005/11/01 07:44:58, 3] param/params.c:pm_process(573)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409)
> Processing section "[global]"
> [2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81)
> added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0
> [2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
> Connected to LDAP server LDAPIPADDRESS
> [2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469)
> got ldap server name SERVERNAME@FQDN, using bind path:
> dc=SERVER,dc=DOMAIN,dc=GOV
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
> ads_sasl_spnego_bind: got server principal name =SERVERNAME1$@FQDN
> [2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> [2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
> Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
> [2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for app1 already exists - modifying
> old account
> [2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
> ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
> ads_join_realm: Insufficient access
> [2005/11/01 07:44:58, 2] utils/net.c:main(902)
> return code = -1
>
> ---------------
> I have no access to the domain, but the Domain admin has assured me he
> has set it up exactly as he would to allow a Windows client to join. Is
> this correct?
>
> Thanks,
> -Mark
>