Lexi Wright
2014-Jun-09 22:30 UTC
[Samba] Samba 4.1.6 - Unable to domain join a Windows machine using default account (non-admin) to my samba domain - Access Denied Error
Hi,
I have been trying to domain join a Windows workstation to my samba domain
as a domain user. I have been getting an "Access Denied" error while
trying
to domain join a Windows machine to my samba domain. This happens only when
I use a non-admin account. I increased the log level to 10 and this is what
I was able see:
[2014/06/03 02:00:31.011163, 0, pid=3420, effective(0, 0), real(0, 0)]
../source4/dsdb/common/util_samr.c:185(dsdb_add_user)
Failed to create user record
CN=DOMJOINSYS,CN=Computers,DC=new,DC=testdomain,DC=org: dsdb_access: Access
check failed on CN=Computers,DC=new,DC=testdomain,DC=org
[2014/06/03 02:00:31.011303, 1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_CreateUser2: struct samr_CreateUser2
out: struct samr_CreateUser2
user_handle : *
user_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
access_granted : *
access_granted : 0x00000000 (0)
rid : *
rid : 0x00000000 (0)
result : NT_STATUS_ACCESS_DENIED
[2014/06/03 02:00:31.014276, 1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000001 (1)
uuid :
abaeda9a-63a2-4048-a9d6-e8b506125527
[2014/06/03 02:00:31.014513, 1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
[2014/06/03 02:00:31.016620, 1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
e0c5f0bf-e8b2-46aa-b0cc-5588fc1f3f55
[2014/06/03 02:00:31.017046, 1, pid=3420, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
I was able to reproduce the issue using Windows Server 2003 machine also a
Windows Server 2008 machine.I was able to see that the
sec_access_check_ds() always returns an NT_STATUS_ACCESS_DENIED which in
turn results in an LDB_ERR_INSUFFICIENT_RIGHTS error being thrown from the
dsdb_check_access_on_dn_internal(). The field 'bits_remaining' in the
access check implementation, always ends up getting a value 1. Is there
anything that I am doing wrong here? Is this an expected behavior ? Any
help would be greatly appreciated.
Thanks and Regards,
Lexi
Reasonably Related Threads
- Debian Jessie joining AD as member fails with "The object name is not found."
- Debian Jessie joining AD as member fails with "The object name is not found."
- Debian Jessie joining AD as member fails with "The object name is not found."
- Can not set SPN errors (again)
- Debian Jessie joining AD as member fails with "The object name is not found."
Wisdom of the Ancients
