Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
(I'm still in the testing phase).
I'm experimenting with task delegation.
Using the ADUC wizard, I select the "Join machine to domain" task to add
to my userid (I also tried a group I'm a member of with the same
result), at the domain level (rough translation, this is on a localized
windows 7).
Adding a windows 7 machine to the domain fails with "access denied".
Trying to join a linux client I get
# net ads join -U luca
Enter luca's password:
Failed to join domain: failed to set machine spn: Insufficient access
(I tried a fresh migration and now the error message is "Failed to join
domain: Failed to set account flags for machine account
(NT_STATUS_ACCESS_DENIED)")
If I give myself full control over the domain (or just over "computer
accounts" objects) both joins work.
Unfortunately, I don't remember if I tested under the same conditions
with earlier samba versions.
Is this a problem with samba, the ADUC wizard or are things supposed
(not) to work this way?
FWIW, this is my smb.conf
# Global parameters
[global]
workgroup = WETRON
realm = SAMBA.WETRON.ES
netbios name = DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
tls cafile = /var/lib/samba/private/tls/wetron.crt
dns forwarder = 192.168.169.6
template homedir = /net/netapp01/vol/Data/home/%U
template shell = /bin/false
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#netapp, see
# http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
allow nt4 crypto = yes
[netlogon]
path = /var/lib/samba/sysvol/samba.wetron.es/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
On 02/06/15 at 16:11, Luca Olivetti wrote:
> Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
> (I'm still in the testing phase).
>
> I'm experimenting with task delegation.

I'm also having the same problems with GPO delegation: In GPMC I granted
permission to a group I'm a member of, but I get "Access denied" when I
try to create a GPO.
The funny thing is that I can add or remove items in the delegation tab
of GPMC.

> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> windows 7).
>
> Adding a windows 7 machine to the domain fails with "access denied".
> [...]

--
Luca Olivetti
What I read is correct, yes.

> Adding a windows 7 machine to the domain fails with "access denied".

You forgot the following, for what I read below.
Add the user to a "Domain\GROUP".
Add this group to the LOCAL_PC\Administrators group.
And now you're set to go.

Even if you give a user or group the rights to join a domain, this user or
group MUST have Administrator access on the pc.
And make sure your login name and pc names are NOT the same.

Read this one:
http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

First the GPO is created to set the LOCAL_COMPUTER User Rights Assignments
(add workstations to domain). I advise to use a group for this, and this
can be a domain-group.
Reboot the pc or refresh your policies (2 times, to make sure).
And then delegate rights using Active Directory Users and Computers.

Greetz,

Louis

> -----Original message-----
> From: luca at wetron.es [mailto:samba-bounces at lists.samba.org]
> On behalf of Luca Olivetti
> Sent: Tuesday 2 June 2015 16:11
> To: samba at lists.samba.org
> Subject: [Samba] Can't join machine without full access
>
> Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
> (I'm still in the testing phase).
>
> I'm experimenting with task delegation.
>
> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> windows 7).
>
> Adding a windows 7 machine to the domain fails with "access denied".
> [...]
On 02/06/15 at 16:40, Luca Olivetti wrote:
> I'm also having the same problems with GPO delegation: In GPMC I granted
> permission to a group I'm a member of, but I get "Access denied" when I
> try to create a GPO.
> The funny thing is that I can add or remove items in the delegation tab
> of GPMC.

False alarm regarding GPOs: I had to add the group in various places.

Bye
--
Luca Olivetti
On 02/06/15 at 17:00, L.P.H. van Belle wrote:
> read this one:
> http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

Yes, option 2 there ("delegate rights using active directory users and
computers") works. I wonder then what the "Add machine to domain" in the
common tasks list in the wizard[*] actually does (since it doesn't work).
Since option 1 involves GPOs, I suppose it would only work for windows
machines, not Linux ones?

[*] did I tell you that I hate wizards, especially when they don't work? ;-)

Bye
--
Luca Olivetti
Hello,

On 02.06.2015 at 16:11, Luca Olivetti wrote:
> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> windows 7).
>
> Adding a windows 7 machine to the domain fails with "access denied".

This works:
https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions

Regards,
Marc
On 02/06/15 at 19:01, Marc Muehlfeld wrote:
> Hello,
>
> On 02.06.2015 at 16:11, Luca Olivetti wrote:
>> Using the ADUC wizard, I select the "Join machine to domain" task to add
>> to my userid (I also tried a group I'm a member of with the same
>> result), at the domain level (rough translation, this is on a localized
>> windows 7).
>>
>> Adding a windows 7 machine to the domain fails with "access denied".
>
> This works:
> https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions

This is the same as option 2 here, as suggested by Louis
http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain
(though I didn't think of looking in the samba wiki, duh) and sure, it
works.
I'm puzzled by the fact that the ADUC wizard has an "Add machine to
domain" task that should do the same in just one step but it doesn't.
Actually, I'm *not* puzzled, this is windows after all....

Bye
--
Luca Olivetti
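The delegation that the wiki page and "option 2" describe through the ADUC GUI can also be applied from the DC's shell, which is useful when, as in this thread, the wizard's one-step task leaves the join failing. The script below is an added example written for this page; it is not code from the thread, from the Samba wiki or from the Samba project. It grants a group only the directory rights a join needs, instead of full control over the domain or over all computer objects: create computer objects in a container, and on the computer objects below it, Reset Password, read/write of the Account Restrictions property set (where userAccountControl lives, i.e. the "account flags" in the second error message) and the validated writes to dNSHostName and servicePrincipalName (the "machine spn" in the first error message). The GUIDs are the well-known Active Directory schema and control-access-right identifiers. The group name `joiners` and the base DN DC=samba,DC=wetron,DC=es (derived from the realm in the posted smb.conf) are assumptions; the SID is whatever `ldbsearch` returns for that group, which on a DC is printed in S-1-5-... form.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): delegate
# "join computers to the domain" to a group by adding the minimal set of
# ACEs to a container, using samba-tool dsacl. Assumed names: group
# "joiners", base DN DC=samba,DC=wetron,DC=es. Run on the DC as root or
# as an account allowed to modify the container's security descriptor.
set -eu

# Well-known AD GUIDs: the computer object class, the "Reset Password"
# control access right, the "Account Restrictions" property set (holds
# userAccountControl), and the two validated writes used during a join.
COMPUTER_CLASS='bf967a86-0de6-11d0-a285-00aa003049e2'
RESET_PASSWORD='00299570-246d-11d0-a768-00aa006e0529'
ACCOUNT_RESTRICTIONS='4c164200-20c0-11d0-a768-00aa006e0529'
VALIDATED_DNS_HOST_NAME='72e39547-7b18-11d1-adef-00c04fd8d5cd'
VALIDATED_SPN='f3a64788-5306-11d1-a9c5-0000f80367c1'

# Print the SDDL ACEs that delegate a domain join to the trustee SID $1.
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid).
# The first ACE acts on the container itself (create child objects of
# class computer, inherited by sub-OUs via CI). The others are
# inherit-only (CIIO) and therefore apply to computer objects below the
# container, never to the container. Delete rights are deliberately not
# granted; add (OA;CI;DC;$COMPUTER_CLASS;;$sid) if the group should also
# be able to remove stale machine accounts.
join_delegation_sddl() {
    sid=$1
    printf '%s' \
        "(OA;CI;CC;$COMPUTER_CLASS;;$sid)" \
        "(OA;CIIO;CR;$RESET_PASSWORD;$COMPUTER_CLASS;$sid)" \
        "(OA;CIIO;RPWP;$ACCOUNT_RESTRICTIONS;$COMPUTER_CLASS;$sid)" \
        "(OA;CIIO;SW;$VALIDATED_DNS_HOST_NAME;$COMPUTER_CLASS;$sid)" \
        "(OA;CIIO;SW;$VALIDATED_SPN;$COMPUTER_CLASS;$sid)"
}

# Look up a group's objectSid in the DC's local sam.ldb.
group_sid() {
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(&(objectClass=group)(sAMAccountName=$1))" objectSid \
        | sed -n 's/^objectSid: //p'
}

# Append the ACEs to the container's existing security descriptor.
# samba-tool dsacl set inserts the given ACE string in front of the
# existing DACL entries; it does not replace the descriptor.
delegate_join() {
    group=$1
    container_dn=$2
    sid=$(group_sid "$group")
    [ -n "$sid" ] || { echo "no SID found for group $group" >&2; return 1; }
    samba-tool dsacl set --objectdn="$container_dn" \
        --sddl="$(join_delegation_sddl "$sid")"
}

# Usage: ./delegate-join.sh joiners CN=Computers,DC=samba,DC=wetron,DC=es
if [ "$#" -eq 2 ]; then
    delegate_join "$1" "$2"
fi
```

After running it, a member of the group can repeat the `net ads join -U luca` from the original post, and the join should get past both the SPN write and the account-flags write without the user holding full control. Because these are ACEs in the directory, they are evaluated the same way for a `net ads join` from Linux and for a join from a Windows client; the GPO in "option 1" is a separate mechanism and is not touched here. Apply the delegation to the container or OU where computer accounts are actually created (CN=Computers by default, or the OU you pass to `net ads join createcomputer=`); a delegation on a different OU does nothing for the join.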