samba - Dec 2007 - SAMBA ADS integration - windows user account rights

Hi all,

first of all is it possible to join a Linux machine to AD using a
windows user account that is not a member of the group Domain Admins?
Cause when I do this I get the following error while executing `net ads
join -d 3 -U syncuser`: 


#net ads join -d 3 -U  syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
Initialising global parameters 
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
section "[global]" 
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
octopussync's password: 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: ", DC"
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
resolve_wins: Attempting wins lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
resolve_wins: WINS server resolution selected and no WINS servers
listed. 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
resolve_hosts: Attempting host lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found) 
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
setup (blob length=107) 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2 3 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
311 2 2 10
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Tue, 11 Dec 2007 23:47:05 UTC 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the windows user
account have? 

Thx in advance

bert

You may be running into this issue:

http://support.microsoft.com/kb/251335

--
Aaron


Bert Verhaeghe wrote:
> Hi all,
> 
> first of all is it possible to join a Linux machine to AD using a
> windows user account that is not a member of the group Domain Admins?
> Cause when I do this I get the following error while executing `net ads
> join -d 3 -U syncuser`: 
> 
> 
> #net ads join -d 3 -U  syncuser
> [2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
> refreshing parameters
> [2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
> Initialising global parameters 
> [2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
> section "[global]" 
> [2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
> interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
> octopussync's password: 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
> get_dc_list: preferred server list: ", DC"
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
> resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
> resolve_wins: Attempting wins lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
> resolve_hosts: Attempting host lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
> LDAP server 10.0.0.1
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
> ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found) 
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
> Tue, 11 Dec 2007 23:47:05 UTC
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
> Connecting to host= DC.domain.local
> [2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
> to 10.0.0.1 at port 445
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
> setup (blob length=107) 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2 3 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
> 311 2 2 10
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
> $@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
> session setup
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Tue, 11 Dec 2007 23:47:05 UTC 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
> bind request returned ok.
> [2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
> lsa_io_sec_qos: length c does not match size 8 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
> bind request returned ok.
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
> 
> 
> But when the user is added to the Domain Admins group, the join is
> successful.
> 
> And if the latter is possible, which permissions should the windows user
> account have? 
> 
> Thx in advance
> 
> bert
> 
>

Bert Verhaeghe wrote:
> Hi all,
> 
> first of all is it possible to join a Linux machine to AD using a
> windows user account that is not a member of the group Domain Admins?
> Cause when I do this I get the following error while executing `net ads
> join -d 3 -U syncuser`: 
> 
> 
> #net ads join -d 3 -U  syncuser
> [2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
> refreshing parameters
> [2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
> Initialising global parameters 
> [2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
> section "[global]" 
> [2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
> interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
> octopussync's password: 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
> get_dc_list: preferred server list: ", DC"
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
> resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
> resolve_wins: Attempting wins lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. 
> [2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
> resolve_hosts: Attempting host lookup for name DC<0x20>
> [2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
> LDAP server 10.0.0.1
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
> [2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
> ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found) 
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
> Tue, 11 Dec 2007 23:47:05 UTC
> [2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
> Connecting to host= DC.domain.local
> [2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
> to 10.0.0.1 at port 445
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
> setup (blob length=107) 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
> 1 2 2 3 
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
> 311 2 2 10
> [2007/12/11 13:47:17, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
> $@DOMAIN.LOCAL
> [2007/12/11 13:47:17, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
> session setup
> [2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Tue, 11 Dec 2007 23:47:05 UTC 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
> bind request returned ok.
> [2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
> lsa_io_sec_qos: length c does not match size 8 
> [2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
> rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
> bind request returned ok.
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
> 
> 
> But when the user is added to the Domain Admins group, the join is
> successful.
> 
> And if the latter is possible, which permissions should the windows user
> account have? 
> 
> Thx in advance
> 
> bert
> 
>
Hi Bert,

I do not know about the Domain Admins group angle, but if you want to 
know what the minimal user rights necessary for a "net ads join" are, 
then this whitepaper explains it.  It says "HP CIFS Server", but holds
true for Opensource Samba as well.

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard