We are able to join with any account in "Domain Admins". Here is what I use:

net -S MyServerName rpc rights grant "MyDomain\Domain Admins" SeMachineAccountPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SePrintOperatorPrivilege SeRemoteShutdownPrivilege

Scot

On Oct 20, 2011, at 7:24 PM, Lachlan Musicman <[email protected]> wrote:

> Hi all,
>
> FWIW, I've solved this problem.
>
> I saw here: lists.samba.org/archive/samba/2003-April/065870.html
>
> that 'only root can add a machine to a domain'.
>
> I thought this was odd and incorrect, and the post was from 2003, so I
> didn't hold out hope, but at this stage, I'd try anything.
>
> I "changed" the root passwd via smbldap-passwd and tried adding the
> machine to the domain using the root user and voilà, problem solved.
>
> Out of interest though - is it still the case that only root can add a
> machine to the domain?
>
> cheers
> L.
>
>
> On Fri, Oct 21, 2011 at 05:37, Preston Hagar <[email protected]> wrote:
>> On Wed, Oct 19, 2011 at 11:15 PM, Lachlan Musicman <[email protected]> wrote:
>>> Hi
>>>
>>> I'm on ubuntu 10.04 LTS fully up to date.
>>>
>>> Am running a samba-ldap server but for some reason I can't connect a
>>> new fully updated XP machine to the domain.
>>>
>>> I've added other machines (6 months ago now, none since) successfully.
>>>
>>> I see a file /var/log/samba/log.machinename, but
>>> /var/log/samba/log.nmbd and /var/log/samba/log.smbd don't have
>>> anything of note.
>>>
>>> Using 'net rpc rights list' I have confirmed that my user can add
>>> users/machines to the domain.
>>>
>>> There is no firewall problem - there is no firewall between these
>>> machines, as they are on a local LAN together and the XP's firewall is
>>> disabled.
>>>
>>> I can successfully map a shared drive on the XP machine using the same
>>> credentials. (and, in fact, if I don't disconnect that share, I get a
>>> different error about not being able to have more than one connection
>>> at the same time)
>>>
>>> Samba conf is here: http://paste.ubuntu.com/713761/
>>>
>>> I've tried changing security from user to domain and back, without success.
>>>
>>> The error I get after entering the same credentials as above is
>>> "Access is denied".
>>>
>>> Any ideas? Even any pointers on how I might trace the network traffic
>>> to see where the issues are, since there's no data in the logs of
>>> note?
>>>
>>> I'm not excellent at the smb/ldap, and while I did set this server up,
>>> I didn't configure the smbldap part of the set up, so I'm not 100%
>>> sure or certain about what is happening there - am I doing something
>>> wrong in that regard?
>>>
>>> Other machines and users are happily connected to the server over
>>> smb/ldap, and when I look at their computer->properties, it says they
>>> are on the domain SBLS, which is what I expected and what I am trying
>>> to connect the current machine to.
>>>
>>> Any help appreciated.
>>>
>>> cheers
>>> L.
>>>
>>
>> This may no longer be official Samba policy, so someone please correct
>> me if I am wrong, but have you tried setting the registry/gpedit fixes
>> before joining?
>>
>> Here is what I do on our XP machines:
>>
>> Start->Run, run gpedit.msc
>>
>> Change the following:
>>
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Security Options branch.
>>
>> Make sure to disable the following policies:
>>
>> Domain Member: Digitally encrypt or sign secure channel data (always)
>>
>> Domain Member: Digitally sign secure channel data (when possible)
>>
>> Computer Configuration\Administrative Templates\System\User Profiles
>>
>> Make sure to enable the following policy:
>>
>> Do not check for user ownership of Roaming Profile Folders
>>
>>
>> After you make the changes, reboot (not sure if it is required, but
>> always a good policy with Windows), then try to join the domain again.
>> Join the domain first before mapping any drives or anything like
>> that.
>>
>> Anyway, just a thought. Hope it helps.
>>
>> Preston
>>
>
>
>
> --
> The politician’s syllogism, also known as the politician’s logic or
> the politician’s fallacy, is a logical fallacy of the form:
> - We must do something
> - This is something
> - Therefore, we must do this.
> (via http://bestofwikipedia.tumblr.com/ )
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
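
A way to audit which accounts hold SeMachineAccountPrivilege after a grant like the one in this thread, as an added example that is not part of the original messages. It parses the listing printed by `net rpc rights list accounts`; the sample listing and the MYDOMAIN\helpdesk account are constructed, and the layout (account name, then one privilege per line, blank line between accounts) is an assumption about that output.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample in the assumed layout
# of `net rpc rights list accounts`; MYDOMAIN\helpdesk is a hypothetical account.
sample_rights() {
cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

MYDOMAIN\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege

MYDOMAIN\helpdesk
SeMachineAccountPrivilege

EOF
}

# holders_of PRIVILEGE: read a listing on stdin, print every account holding it.
holders_of() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                     # tolerate CRLF line endings
        /^[[:space:]]*$/ { acct = ""; next }   # a blank line ends an account block
        acct == ""       { acct = $0; next }   # first line of a block is the account
        $0 == want       { print acct }        # exact privilege match only
    '
}

# unexpected_holders PRIVILEGE EXPECTED_ACCOUNT: holders other than the intended one.
unexpected_holders() {
    holders_of "$1" | grep -F -x -v -- "$2" || true
}

# Against a live server, pipe the real listing in instead of the sample:
#   net -S MyServerName rpc rights list accounts -U root | \
#       unexpected_holders SeMachineAccountPrivilege 'MyDomain\Domain Admins'
sample_rights | unexpected_holders SeMachineAccountPrivilege 'MYDOMAIN\Domain Admins'
```

Any account this prints can join machines to the domain without being in the group the grant was meant for.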
