Well, I know that the user I am using does not have rights to delete from LDAP, neither joining a windows box nor samba. So I am careful enough to delete the account from ADS first. Otherwise, it will fail at deleteing the computer account for both Win and samba.
Secondly, using -U or not with net ads join does not make a difference. I did debug through there to find that it is the ldap_add_s fails. However, I do not see how my kerberos user principal is being used for the LDAP connection, though different principal does make the difference. I guess it's the bind to LDAP call? But the ads.auth.user_name is always root, which is the Unix account I am working on, and ads.auth.password always "". On Friday 18 July 2003 01:29 pm, Antti Andreimann wrote: > �hel kenal p�eval (reede, 18. juuli 2003 03:12) kirjutas Chere Zhou: > > So my question is, is this supported, or broken, or am I using it wrong? > > Well it is supported, but not extensively tested with different users. > Therefore it is great that You are actually trying this feature out. > > > The failure happens during ldap_add_s called from ads_add_machine_acct(). > > The failure in ldap_add_s seems to indicate that AD is refusing to add the > machine account maybe due to insufficent rights, but maybe because there is > already an account for the machine. > Do You get any other error messages as well? Failure to delete the account > prior to adding for instance? > > > I do kinit before the "net ads join" command. However I haven't found > > where the kerberos ticket was used before the failure although the ticket > > does make a difference. > > The first thing that comes to my mind is that maybe You should try > net ads join -U username. > This way the net command will get a brand new ticket from AD. It should use > kerberos cache othervise and actually both ways should work, but maybe > there is some unknown bug. > Another thing that You could try is to remove the machine account from AD > by hand (if it exists) prior to joining it with samba. > I am looking forward to receiving Your feed-back if and how any of those > suggestions worked. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
