Thanks Jerry for your response as well as the useful link to the reference article.
Once I delegated the following permissions for the specific 'Domain User' on the 'Computer Objects' on my AD server, I was able to join the Samba system to the domain.

Permissions delegated via the 'Delegation Control Wizard':
1> Allow 'Write DNS Host Name Attributes' property
2> Allow 'Write Service Principal Name' property

I am sharing the steps I performed on my Windows 2003 AD server for the benefit of others:
* Invoke the 'Delegate Control Wizard' for the 'Computers'
* Add the specific 'Domain User' to the 'Selected users and groups'.
* Create a custom task to delegate.
* Select the 'Computer Objects'
* Select the 'Property-Specific'. Then select the 'Write dNSHostName' and the 'Write servicePrincipalName'
* Finish your task

If there are any known side-effects of delegating these permissions, please let me know.

Thanks
Raj Pagaku

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 10, 2006 11:16 AM
> To: Raj Pagaku
> Cc: Jean-Vincent BAYARRI; [email protected]
> Subject: Re: [Samba] Samba v3.0.23c + FreeBSD 6.1 - Failed to set servicePrincipalNames
>
> Raj Pagaku wrote:
> > Thanks Jerry for your response. It is case (b). The fqdn of the local
> > machine is set to a domain outside the AD domain name and the user
> > credentials being used is 'Domain User' and not a 'Domain Admin'.
> >
> > Do we need 'Domain Admin' if the local machine domain is outside the AD
> > domain name? Is this a restriction that will be addressed in the near
> > future?
>
> This is an AD restriction on the default security assigned
> to a computer object. When a non-admin is given the right
> to join a specific machine to the domain, that user is only
> granted validated write access to the DnsHostName and
> servicePrincipalName attributes. A Windows XP box would fail
> to join the domain in the same way.
>
> This doc explains it:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
>
> cheers, jerry
> =====================================================================
> Samba ------- http://www.samba.org
> Centeris ----------- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian
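
The wizard steps described in the message above can also be applied and reviewed from a command prompt with the `dsacls` tool. This is an added example, not part of the original thread; the container DN `CN=Computers,DC=example,DC=com` and the account `EXAMPLE\sambajoin` are placeholder assumptions.

```batch
@echo off
rem Added example. CONTAINER, JOINER and JOINER_NAME are placeholders
rem (assumptions, not values from the thread); substitute your own.
set "CONTAINER=CN=Computers,DC=example,DC=com"
set "JOINER=EXAMPLE\sambajoin"
set "JOINER_NAME=sambajoin"

rem /I:S  = the ACE applies to child objects only, not the container itself
rem WP    = write property, limited to the named attribute
rem The third field restricts inheritance to objects of class "computer".
dsacls "%CONTAINER%" /I:S /G "%JOINER%:WP;dNSHostName;computer"
if errorlevel 1 goto :fail
dsacls "%CONTAINER%" /I:S /G "%JOINER%:WP;servicePrincipalName;computer"
if errorlevel 1 goto :fail

rem Review step: list the ACEs on the container that name the account,
rem so the grant can be checked against the two attributes intended.
dsacls "%CONTAINER%" | findstr /I /C:"%JOINER_NAME%"
goto :eof

:fail
echo dsacls reported an error; review the ACL before retrying.
exit /b 1
```

Pointing `CONTAINER` at a dedicated OU for the Samba hosts, rather than the default container, limits which computer objects the account can modify.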
