Sean.Dougherty@TTUHSC.EDU
2005-Feb-10 20:36 UTC
[Samba] net ads join requires full domain admin account?
Problem: I have an account that allows me to join an AD domain, this works fine from any win box. However it fails with "ads_add_machine_acct (client_name): Insufficient access" when I do a net ads join from a Linux box. To get Samba to join the domain, I have to use an account with full domain admin privs (i.e. net ads join -Ufull_domain_admin).

Is this expected behavior?

The Linux box is running Fedora Core 3, samba 3.0.10-1, krb 1.3.6-2
Marc Schiffbauer
2005-Feb-11 14:55 UTC
[Samba] net ads join requires full domain admin account?
* Sean.Dougherty@TTUHSC.EDU wrote on 10.02.05 at 21:35:
> Problem: I have an account that allows me to join an AD domain, this works
> fine from any win box. However it fails with "ads_add_machine_acct
> (client_name): Insufficient access" when I do a net ads join from a linux
> box. To get samba to join the domain, I have to use an account with full
> domain admin privs. (ie net ads join -Ufull_domain_admin)
>
> Is this expected behavior?

I just wanted to confirm that. I saw the same while I was trying to add my Samba machine to an AD.

-Marc

--
<M3rlin-> what is the legal age to buy alcoholic in england
<p5Ds13a06> you cant buy alcoholics
<p5Ds13a06> but if you wink the right way,
            some of them will follow you home for free
Gerald (Jerry) Carter
2005-Feb-11 16:14 UTC
[Samba] net ads join requires full domain admin account?
Marc Schiffbauer wrote:
|> Problem: I have an account that allows me to join
|> an AD domain, this works fine from any win box. However
|> it fails with "ads_add_machine_acct (client_name):
|> Insufficient access" when I do a net ads join from a linux
|> box. To get samba to join the domain, I have to use
|> an account with full domain admin privs. (ie net
|> ads join -Ufull_domain_admin)
|>
|> Is this expected behavior?
|
| I just wanted to confirm that. I saw the same while
| I was trying to add my Samba machine to an AD.

The ACLs on your machine object or parent OU in AD are wrong then. I can successfully join Samba boxes to an AD domain without being a domain admin.

cheers, jerry

=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca