Greg Folkert
2004-Jul-20  22:08 UTC
[Samba] Chasing the "ads_add_machine_acct: Insufficient access" problem
Okay, the gist of this whole thing: I get this infamous (?) problem. I
have been trying to search through the archives of samba-general on gmane
and also in my archive of this list. I have only seen requests for the
magical answer.
Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
compiled from source.
Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
i686 athlon i386 GNU/Linux
Here is the problem in a nutshell:
        [root@roar root]# net ads join Computers -S mydc1.mynetwork.com
        [2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
          ads_add_machine_acct: Insufficient access
        ads_join_realm: Insufficient access
and the important pieces of smb.conf:
        [global]
                workgroup = MYNETWORK
                netbios name = ROAR
                server string = Lotsa Room
                security = ADS
                realm = MYNETWORK.COM
                auth methods = winbind
                password server = mydc1.mynetwork.com
                passwd program = /usr/bin/passwd %u
                passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
                lanman auth = No
                ntlm auth = No
                client NTLMv2 auth = Yes
                client lanman auth = No
                client plaintext auth = No
                syslog = 0
                log file = /var/log/samba/log.%m
                max log size = 10000
                smb ports = 445
                disable netbios = Yes
                max xmit = 65535
                name resolve order = host wins lmhosts bcast
        #tried both spnego Yes and No same diff.
                use spnego = Yes
        #       use spnego = No
                server signing = auto
                deadtime = 10080
                socket options = IPTOS_LOWDELAY TCP_NODELAY
                logon path
                logon home
                os level = 49
                preferred master = No
                local master = No
                domain master = No
                dns proxy = No
                ldap ssl = no
                idmap uid = 10000-40000
                idmap gid = 10000-40000
                winbind separator = +
                winbind nested groups = Yes
                winbind cache time = 20
                template homedir = /home/%D/%U
                invalid users = root
                ea support = Yes
                hide special files = Yes
                hide unreadable = Yes
And here is my klist:
        [root@mash root]# klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: roarad@MYNETWORK.COM
        
        Valid starting     Expires            Service principal
        07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
                renew until 07/21/04 16:21:53
        
        
        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached
Yes, roarad@MYNETWORK.COM has rights to create users and machines in the
AD Tree in "Computers"
So, now, given that this is an existing problem in v3.0.4, I have to
show the way I configured and compiled it. I also compiled MIT Kerberos
v1.3.4 the proper way (similar to this). Personally I like integrations.
Here is the configure for samba v3.0.4: 
        ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
        --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
        --datadir=/usr/share --includedir=/usr/include \
        --libdir=/usr/lib --libexecdir=/usr/libexec \
        --localstatedir=/var --sharedstatedir=/usr/com \
        --mandir=/usr/share/man --infodir=/usr/share/info \
        --with-acl-support --with-automount \
        --with-codepagedir=/usr/share/samba/codepages --with-fhs \
        --with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
        --with-pam_smbpass --with-piddir=/var/run \
        --with-privatedir=/etc/samba --with-quotas --with-smbmount \
        --with-swatdir=/usr/share/swat --with-syslog --with-utmp \
        --with-vfs --without-smbwrapper --with-ads --with-winbind \
        --with-krb5
Here is the configure for krb5-1.3.4:
        ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
        --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
        --datadir=/usr/share --includedir=/usr/include \
        --libdir=/usr/lib --libexecdir=/usr/libexec \
        --localstatedir=/var --sharedstatedir=/usr/com \
        --mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
        CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
        -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
        --enable-static --bindir=/usr/kerberos/bin \
        --mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
        --datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
        --with-krb4 --with-system-et --with-system-ss --without-tcl \
        --enable-dns
Now, maybe this could be one of those problems where some one has had a
chance to fix this. Or maybe someone used a workaround, or knows WHY.
All I know, W2K/W2K3 AD driven Kerberos is heavily undocumented. And
provides little in the way of useful logs... telling me what might be
the problem on that end.
Much thanks to anyone that has a good fix or knows where to look or
*SOMETHING*
-- 
greg, greg@gregfolkert.net
The technology that is
Stronger, better, faster:  Linux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040720/76e67a40/attachment.bin
Greg Folkert
2004-Jul-21  01:03 UTC
[Samba] FIXED: Chasing the "ads_add_machine_acct: Insufficient access" problem
Fix provided below.

On Tue, 2004-07-20 at 18:06, Greg Folkert wrote:
> [...]
> Much thanks to anyone that has a good fix or knows where to look or
> *SOMETHING*

Much thanks to ME!

I went home after asking this. I ate dinner, did some online gaming... did
the family thing. I decided to start over with a fresh smb.conf. I logged
into the machine, checked my kerberos ticket, it being still valid, and
having changed nothing for 2+ hours, I thought what the heck. I tried again:
        [root@roar root]# net ads join Computers -S mydc1.mynetwork.com
        [2004/07/20 19:36:12, 0] libads/ldap.c:ads_add_machine_acct(1086)
          Warning: ads_set_machine_sd: Unexpected information received
        Using short domain name -- MYNETWORK
        Joined 'ROAR' to realm 'MYNETWORK.COM'
I have to say, this baffles me. But it is understandable, given I have
worked with Novell Netware and eDIR (or NDS as it was previously known) for
9+ years. Time was nearly always the fix for these kinds of things.
Replication issues, synchronization issues, massive changes and overall
performance. Patience is a virtue even these days. I just wish some
companies did have this virtue as well.
-- 
greg, greg@gregfolkert.net
The technology that is
Stronger, better, faster:  Linux
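Added example, not part of the thread: a pre-flight check that does by script what Greg did by hand before retrying, confirming that the credential cache holds an unexpired krbtgt for the realm set in smb.conf, so that an "Insufficient access" from `net ads join` can be put down to permissions or directory replication rather than a missing or stale ticket. The smb.conf and klist text below is constructed from the samples in the thread, and the current time is passed in as a parameter so the check runs offline; in real use feed it the output of `klist`.

```shell
#!/bin/sh
# Pre-flight check before `net ads join`: is there an unexpired TGT for the
# realm named in smb.conf? Sample inputs are constructed from the thread.

SMB_CONF_SAMPLE='[global]
        workgroup = MYNETWORK
        security = ADS
        realm = MYNETWORK.COM'

KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: roarad@MYNETWORK.COM

Valid starting     Expires            Service principal
07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
        renew until 07/21/04 16:21:53'

# smb_realm "<smb.conf text>": print the value of the realm parameter.
smb_realm() {
  printf '%s\n' "$1" | awk -F= '$1 ~ /^[ \t]*realm[ \t]*$/ {
      gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# tgt_valid "<klist text>" REALM "YYYY-MM-DD HH:MM:SS"
# Exit 0 if an unexpired krbtgt/REALM@REALM ticket is listed, else 1.
# Expiry is compared as a YYYYMMDDHHMMSS string (klist prints MM/DD/YY;
# a 20xx year is assumed), so no gawk-only mktime() is needed.
tgt_valid() {
  now=$(printf '%s' "$3" | sed 's/[^0-9]//g')
  printf '%s\n' "$1" | awk -v svc="krbtgt/$2@$2" -v now="$now" '
    NF == 5 && $5 == svc {
      split($3, d, "/"); split($4, t, ":")
      expiry = "20" d[3] d[1] d[2] t[1] t[2] t[3]
      if (expiry > now) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# join_precheck "<smb.conf>" "<klist>" "<now>": combined check with a reason.
join_precheck() {
  realm=$(smb_realm "$1")
  [ -n "$realm" ] || { echo "no realm parameter in smb.conf"; return 1; }
  if tgt_valid "$2" "$realm" "$3"; then
    echo "ok: valid TGT for $realm, safe to run net ads join"
  else
    echo "no valid TGT for $realm: run kinit before net ads join"
    return 1
  fi
}

join_precheck "$SMB_CONF_SAMPLE" "$KLIST_SAMPLE" "2004-07-20 19:36:12"
```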