I've been working on getting Samba 3.0.4-2 to join our test W2k3 Active Directory for most of the day. When I try to join with this command:

    net ads join -U w702a-palmadesso "w702\NonCatComputers"

According to my official Samba HowTo Book this should join the domain specified in my smb.conf. Instead I get the following output:

    [root@w72l-tux samba]# net ads join -U w702a-palmadesso "w702\NonCatComputers"
    w702a-palmadesso's password:
    [2004/05/21 15:05:23, 0] libads/ldap.c:ads_join_realm(1336)
      ads_add_machine_acct: Insufficient access
    ads_join_realm: Insufficient access

I can exchange Kerberos tickets from the output of klist:

    [root@w72l-tux samba]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: w702a-palmadesso@TWW007.SITEST.NET

    Valid starting     Expires            Service principal
    05/21/04 13:20:11  05/21/04 23:20:13  krbtgt/TWW007.SITEST.NET@TWW007.SITEST.NET
            renew until 05/22/04 13:20:11
    05/21/04 13:20:53  05/21/04 23:20:13  orla1h2a$@TWW007.SITEST.NET
            renew until 05/22/04 13:20:11

As far as I can tell this means Kerberos 5 is working properly and exchanging tickets with our AD domain controller. KINIT works as well.

I can confirm that I am at least talking with AD LDAP because when I try to join a bogus OU I get the following:

    [root@w72l-tux samba]# net ads join -U w702a-palmadesso "W702a\NonCatComputers"
    w702a-palmadesso's password:
    ads_join_realm: organizational unit W702a\NonCatComputers does not exist (dn:ou=NonCatComputers,ou=W702a,dc=TWW007,dc=SITEST,dc=NET)

If you compare this to the first one you will notice that the difference is w702 vs w702a. The w702a OU does not exist and gives the proper response. So to me this is partially working but I still cannot join the domain.

As an experiment I was added to the administrators group in our test domain and we added the computer account into the domain manually. When this object already exists in AD I get a similar error but still basically the same as follows:

    [root@w72l-tux samba]# net ads join -U w702a-palmadesso "W702\NonCatComputers"
    w702a-palmadesso's password:
    [2004/05/21 13:21:15, 0] libads/ldap.c:ads_add_machine_acct(1006)
      Host account for w72l-tux already exists - modifying old account
    [2004/05/21 13:21:15, 0] libads/ldap.c:ads_join_realm(1336)
      ads_add_machine_acct: Insufficient access
    ads_join_realm: Insufficient access

Some other people on here seem to be experiencing the same problems.

Thanks for any help.

Jack