Re: [Samba] SAMBA ADS integration - windows user account rights

Wed, 19 Dec 2007 09:15:28 -0800 


Bert Verhaeghe wrote:

Hi all,

first of all is it possible to join a Linux machine to AD using a
windows user account that is not a member of the group Domain Admins?
Cause when I do this I get the following error while executing `net ads

join -d 3 -U syncuser`: 



#net ads join -d 3 -U  syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)

Initialising global parameters 
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)

params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing

section "[global]" 
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
octopussync's password: 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)

get_dc_list: preferred server list: ", DC"
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)

resolve_lmhosts: Attempting lmhosts lookup for name DC<0x20> 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)

resolve_wins: Attempting wins lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
resolve_wins: WINS server resolution selected and no WINS servers

listed. 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)

resolve_hosts: Attempting host lookup for name DC<0x20>
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)

ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)

ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)

ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)

ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache

found) 
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)

ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session

setup (blob length=107) 
[2007/12/11 13:47:17, 3]

libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554

1 2 2 3 
[2007/12/11 13:47:17, 3]

libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
311 2 2 10
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
[EMAIL PROTECTED]
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]

expiration Tue, 11 Dec 2007 23:47:05 UTC 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)

rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)

lsa_io_sec_qos: length c does not match size 8 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)

rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
bind request returned ok.

Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!

[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the windows user

account have? 


Thx in advance

bert



Hi Bert,


I do not know about the Domain Admins group angle, but if you want to 
know what the minimal user rights necessary for a "net ads join" are, 
then this whitepaper explains it.  It says "HP CIFS Server", but holds 
true for Opensource Samba as well.


http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






















					Reply via email to