Bert Verhaeghe
2007-Dec-18 17:15 UTC
[Samba] SAMBA ADS integration - windows user account rights
Hi all,

First of all, is it possible to join a Linux machine to AD using a Windows user account that is not a member of the group Domain Admins? Because when I do this I get the following error while executing `net ads join -d 3 -U syncuser`:

#net ads join -d 3 -U syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)
  lp_load: refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
  Initialising global parameters
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695)
  Processing section "[global]"
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0
octopussync's password:
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", DC"
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
  resolve_hosts: Attempting host lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
  Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721)
  Doing spnego session setup (blob length=107)
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 113554 1 2 2
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754)
  got principal=dc$@DOMAIN.LOCAL
[2007/12/11 13:47:17, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
  Doing kerberos session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988)
  return code = -1

But when the user is added to the Domain Admins group, the join is successful.

And if the latter is possible, which permissions should the Windows user account have?

Thanks in advance

bert
Aaron J. Zirbes
2007-Dec-18 17:50 UTC
[Samba] SAMBA ADS integration - windows user account rights
You may be running into this issue: http://support.microsoft.com/kb/251335

--
Aaron

Bert Verhaeghe wrote:
> Hi all,
>
> first of all is it possible to join a Linux machine to AD using a
> windows user account that is not a member of the group Domain Admins?
> Cause when I do this I get the following error while executing `net ads
> join -d 3 -U syncuser`:
>
> [...]
>
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
>
> But when the user is added to the Domain Admins group, the join is
> successful.
>
> And if the latter is possible, which permissions should the windows user
> account have?
>
> Thx in advance
>
> bert
Eric Roseme
2007-Dec-19 17:13 UTC
[Samba] SAMBA ADS integration - windows user account rights
Bert Verhaeghe wrote:
> Hi all,
>
> first of all is it possible to join a Linux machine to AD using a
> windows user account that is not a member of the group Domain Admins?
> Cause when I do this I get the following error while executing `net ads
> join -d 3 -U syncuser`:
>
> [...]
>
> Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
> Failed to join domain!
> [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
>
> But when the user is added to the Domain Admins group, the join is
> successful.
>
> And if the latter is possible, which permissions should the windows user
> account have?
>
> Thx in advance
>
> bert

Hi Bert,

I do not know about the Domain Admins group angle, but if you want to know what the minimal user rights necessary for a "net ads join" are, then this whitepaper explains it. It says "HP CIFS Server", but holds true for Opensource Samba as well.

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard
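The two replies point at the two mechanisms on the Windows side that let a non-Domain-Admin account join: the per-user machine-account quota that KB 251335 describes (the ms-DS-MachineAccountQuota attribute on the domain object, 10 by default), and explicit delegation of rights on an OU and on the computer objects under it, which is what the HP whitepaper enumerates. Bert's log is consistent with the second being missing: the LDAP SASL bind, the Kerberos SMB session and the lsarpc/samr pipe binds all succeed, and the run fails only at the SAMR call that sets the machine account password, a right an ordinary account holds only on computer objects it created itself under the quota or has been delegated explicitly. The PowerShell below is an added example written for this thread, not code from Bert, HP or the Samba project; it assumes a DC or RSAT host with the ActiveDirectory module, and the group DOMAIN\LinuxJoiners and the OU LinuxServers are placeholders to replace with your own names.

```powershell
# Added example (not from the thread, HP or Samba): delegate the minimum rights
# a non-Domain-Admin identity needs for "net ads join" to one OU, and show the
# per-user machine-account quota from KB 251335 beside it.
# Assumptions: ActiveDirectory module available; $JoinGroup and $TargetOU are
# placeholders for your own environment.
Import-Module ActiveDirectory

$JoinGroup = 'DOMAIN\LinuxJoiners'                  # assumed group; make the join user a member
$TargetOU  = 'OU=LinuxServers,DC=domain,DC=local'   # assumed OU that will hold the joined hosts

# --- 1. The quota path (KB 251335) --------------------------------------------
# ms-DS-MachineAccountQuota lets every authenticated user create that many
# computer objects in the default Computers container (10 out of the box).
# Setting it to 0 closes that path so the delegation below is the only way in.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDN is $quota"
# Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# --- 2. The delegation path ---------------------------------------------------
# Schema GUIDs; these are fixed in the AD schema and identical in every forest.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # object class: computer
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right: Reset Password
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set: Account Restrictions (userAccountControl ...)
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write: dNSHostName
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write: servicePrincipalName

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$sid   = (New-Object System.Security.Principal.NTAccount($JoinGroup)).Translate(
             [System.Security.Principal.SecurityIdentifier])
$acl   = Get-Acl -Path "AD:\$TargetOU"

# On the OU itself: create child objects of class computer, nothing more.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    $allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# On computer objects below the OU (inherited to that class only): what the
# join does after creating the object. Bert's run died at the first of these,
# the SAMR call that sets the machine account password.
$onComputers = @(
    @{ Rights = 'ExtendedRight'; Guid = $resetPassword },   # set/reset the machine password
    @{ Rights = 'WriteProperty'; Guid = $acctRestrict  },   # userAccountControl -> workstation trust account
    @{ Rights = 'Self';          Guid = $validatedDns  },   # dNSHostName, validated against the object name
    @{ Rights = 'Self';          Guid = $validatedSpn  }    # HOST/ and other SPNs for the host
)
foreach ($r in $onComputers) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
        $allow,
        $r.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# --- 3. Check what landed, scoped to the delegated principal -------------------
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinGroup } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

On the Linux side the join then has to land in that OU rather than in the default Computers container, which `net ads join -U syncuser createcomputer="LinuxServers"` does (the OU path is relative to the domain root). Two caveats a practitioner will want: if the computer object was pre-created by someone else, the joining account still needs the Reset Password and write rights on that existing object, which the inherited ACEs above provide only for objects under the delegated OU; and leaving ms-DS-MachineAccountQuota at its default means any authenticated user can still add up to ten machines to the domain through the quota path regardless of the delegation, so set it to 0 once the OU delegation is in place.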