samba - Aug 2006 - Non-root accounts cannot join the Samba PDC:s domain

I have a Samba PDC with LDAP as its back end. It works perfectly
except for one major detail: Non-root users cannot join the Samba PDC.
I change the domain on Windows XP clients like this:

1. Log in as administrator on an Windows XP client
2. Change domain with Control Panel -> System -> Computer name ->
"Change..." and in the Domain field, I enter the name of the Samba
Domain "foo.comany.com"

Then, when I press OK, a dialog pops up that asks for a user name +
password for a user that can join the new domain. If I enter the root
account for the Samba PDC, the Windows client can join the Samba PDC
no problems. However, only the root account seem to have permissions
to join the Samba PDC.

Since I need to migrate *lots* of clients to the Samba PDC, I need to
setup a method so that each user can change to the new domain on its
computer. And giving out the root password of course is not an option.
I think there is a setting in one of Samba's config files that makes
it so non-root users can join the domain, right?

-- 
mvh Bj?rn

> Since I need to migrate *lots* of clients to the Samba PDC, I need to
> setup a method so that each user can change to the new domain on its
> computer. And giving out the root password of course is not an option.
> I think there is a setting in one of Samba's config files that makes
> it so non-root users can join the domain, right?
> 
If your Samba version is pretty recent (privilege support was started
in 3.0.11 and has been improved since then) you can assign the
SeMachineAccountPrivilege to arbitrary accounts.
You can set this either from Windows in User Manager
(Menu Policies->User Rights)
or from the comman line on your samba server:
   net rpc rights grant some_account_name SeMachineAccountPrivilege

Regards,
Wolfgang Ratzka
-- 
Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
Uni Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany