David Sonenberg
2005-Feb-08 21:14 UTC
[Samba] Joining a domain with a non-administrator account
I'm trying to set it up so I can join the domain with a regular user that is part of the domain admin group. I have a user dsonenberg that is in the domain admin group(512), but I can't join the domain with that account. For the record I can login with that account and Administrator can join the domain. The PDC has an LDAP backend. Here's the log.

2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/02/08 10:26:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: dsonenberg
[2005/02/08 10:26:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 512
[2005/02/08 10:26:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [dsonenberg] -> [dsonenberg] -> [dsonenberg] succeeded
[2005/02/08 10:26:25, 2] smbd/server.c:exit_server(571)
  Closing connections
[2005/02/08 10:26:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/02/08 10:26:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/02/08 10:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: dsonenberg
[2005/02/08 10:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
  init_group_from_ldap: Entry found for group: 512
[2005/02/08 10:26:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [dsonenberg] -> [dsonenberg] -> [dsonenberg] succeeded
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain STROZLLC -> S-1-5-21-1001378032-4272845324-1772824492
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain STROZLLC -> S-1-5-21-1001378032-4272845324-1772824492
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2005/02/08 10:26:26, 2] smbd/server.c:exit_server(571)
  Closing connections

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane
15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)
Gerald (Jerry) Carter
2005-Feb-08 21:40 UTC
[Samba] Joining a domain with a non-administrator account
David Sonenberg wrote:
| I'm trying to set it up so I can join the domain with
| a regular user that is part of the domain admin group. I
| have a user dsonenberg that is in the domain admin
| group(512), but I can't join the domain with that
| account. For the record I can login with that
| account and Administrator can join the domain. The
| PDC has an LDAP backend. Here's the log.

Are you running 3.0.11 ?
Did you set 'enable privileges = yes' ?
Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?

cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
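The two ACCESS DENIED lines in the log from the first message carry SAMR domain access masks; the following added example (not part of the original posts, and not Samba's own code) decodes them to show which right was refused. The right names are taken from the MS-SAMR specification rather than from Samba's source, and the helper names `decode` and `denials` are assumptions made for this example.

```python
import re

# Specific access rights on a SAMR domain object, named as in the
# MS-SAMR specification (Samba's source uses its own constant names).
SAMR_DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# The two denial messages, copied from the log in the first message.
LOG = """\
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
"""

DENIED = re.compile(r"(\w+): ACCESS DENIED \(([^)]*)\)")
FIELD = re.compile(r"(\w+): (0x[0-9a-fA-F]+)")

def decode(mask):
    """Return the names of the domain rights set in mask; unknown bits as hex."""
    names = [n for bit, n in sorted(SAMR_DOMAIN_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(SAMR_DOMAIN_RIGHTS)
    return names + ([hex(leftover)] if leftover else [])

def denials(log_text):
    """Return (function, {field: rights}, missing rights) per denial line."""
    out = []
    for func, body in DENIED.findall(log_text):
        masks = {k: int(v, 16) for k, v in FIELD.findall(body)}
        # When both fields are logged, the refused rights are required & ~granted.
        missing = masks.get("required", 0) & ~masks.get("granted", 0)
        out.append((func, {k: decode(v) for k, v in masks.items()}, decode(missing)))
    return out

if __name__ == "__main__":
    for func, masks, missing in denials(LOG):
        print(func, masks, "missing:", missing)
```

The session was granted the read and lookup rights but not the create-user right, which is the one the `_samr_create_user` call made during the join requires.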
Wayne Rasmussen
2005-Feb-08 21:41 UTC
[Samba] Joining a domain with a non-administrator account
In Active Directory, make sure the console is view->Advanced Features. In the OU there should be a computer account for this machine. Open it and go to the security tab. Click on the add button, then add the user you are using with kinit. Go to the permissions section for this user, make sure he has the following permissions or checked to allow: Read, Write, Reset Password, Validate Write to DNS Hostname, Validate Write to Service Principal Name.

> -----Original Message-----
> From: samba-bounces+wayne=gomonarch.com@lists.samba.org
> [mailto:samba-bounces+wayne=gomonarch.com@lists.samba.org]On Behalf Of
> David Sonenberg
> Sent: Tuesday, February 08, 2005 8:14 AM
> To: samba@lists.samba.org
> Subject: [Samba] Joining a domain with a non-administrator account
>
>
> I'm trying to set it up so I can join the domain with a regular user
> that is part of the domain admin group. I have a user
> dsonenberg that
> is in the domain admin group(512), but I can't join the
> domain with that
> account. For the record I can login with that account and
> Administrator
> can join the domain. The PDC has an LDAP backend. Here's the log.
>
> 2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we
> would close
> all old resources.
> [2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we
> would close
> all old resources.
David Sonenberg
2005-Feb-14 20:16 UTC
[Samba] Joining a domain with a non-administrator account
I am running 3.0.10. Do I need to upgrade to 3.0.11 to get this to work?

Gerald (Jerry) Carter wrote:
> Are you running 3.0.11 ?
> Did you set 'enable privileges = yes' ?
> Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?

-
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane
15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)