Re: [Samba] Joining a domain with a non-administrator account
OK so I tried updating the privileges on the BDC's with the following command:

net -Uadminstrator rpc rights grant 'STROZLLC\Domain Admins' SeMachineAccountPrivilege

and I get the following error:

Failed to grant privileges for STROZLLC\Domain Admins (NT_STATUS_NO_SUCH_PRIVILEGE)

I am sure that all machines are running 3.0.11 because in the log.nmbd it shows the version during elections. Any ideas?

Paul Gienger wrote:
>> I just upgraded to 3.0.11. I read the Samba Rights Howto, and this looks like a nice addition to Samba. My question is this... I have 1 samba LDAP/PDC, and 2 samba slave LDAP/BDC's. The changes I make with the 'net rpc rights' command don't propagate to my BDC's. Is there something special I have to do in this setup?
>
> This is stored in a local file on each machine. You need to run the command on each xDC for it to propagate. Seems a little odd to me, but that's the way Jerry laid it out in a previous post.

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane 15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Joining a domain with a non-administrator account
> I just upgraded to 3.0.11. I read the Samba Rights Howto, and this looks like a nice addition to Samba. My question is this... I have 1 samba LDAP/PDC, and 2 samba slave LDAP/BDC's. The changes I make with the 'net rpc rights' command don't propagate to my BDC's. Is there something special I have to do in this setup?

This is stored in a local file on each machine. You need to run the command on each xDC for it to propagate. Seems a little odd to me, but that's the way Jerry laid it out in a previous post.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Systems Architect
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
Re: [Samba] Joining a domain with a non-administrator account
Yes, and Jerry Carter already wrote back to you with a list of relevant questions.

Ryan Novosielski - User Support Spec. III
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Thu, 10 Feb 2005, David Sonenberg wrote:
> Does anyone know?
>
> David Sonenberg wrote:
>> I guess I wasn't clear. My PDC is a samba box. It's not Active Directory.
>>
>> Wayne Rasmussen wrote:
>>> In Active Directory, make sure the console is view-Advance Features. In the OU there should be a computer account for this machine. Open it and go to the security tab. Click on the add button, then add the user you are using with kinit. Go to the permissions section for this user, make sure he has the following permissions or checked to allow: Read, Write, Reset Password, Validate Write to DNS Hostname, Validate Write to Service Principal Name.
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Sonenberg
>>> Sent: Tuesday, February 08, 2005 8:14 AM
>>> To: samba@lists.samba.org
>>> Subject: [Samba] Joining a domain with a non-administrator account
>>>
>>> I'm trying to set it up so I can join the domain with a regular user that is part of the domain admin group. I have a user dsonenberg that is in the domain admin group(512), but I can't join the domain with that account. For the record I can login with that account and Administrator can join the domain. The PDC has an LDAP backend. Here's the log.
>>>
>>> 2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2005/02/08 10:26:25, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2005/02/08 10:26:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
>>>   init_sam_from_ldap: Entry found for user: dsonenberg
>>> [2005/02/08 10:26:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
>>>   init_group_from_ldap: Entry found for group: 512
>>> [2005/02/08 10:26:25, 2] auth/auth.c:check_ntlm_password(305)
>>>   check_ntlm_password: authentication for user [dsonenberg] - [dsonenberg] - [dsonenberg] succeeded
>>> [2005/02/08 10:26:25, 2] smbd/server.c:exit_server(571)
>>>   Closing connections
>>> [2005/02/08 10:26:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2005/02/08 10:26:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2005/02/08 10:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
>>>   init_sam_from_ldap: Entry found for user: dsonenberg
>>> [2005/02/08 10:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
>>>   init_group_from_ldap: Entry found for group: 512
>>> [2005/02/08 10:26:26, 2] auth/auth.c:check_ntlm_password(305)
>>>   check_ntlm_password: authentication for user [dsonenberg] - [dsonenberg] - [dsonenberg] succeeded
>>> [2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>>   Returning domain sid for domain STROZLLC - S-1-5-21-1001378032-4272845324-1772824492
>>> [2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>>>   _samr_open_domain: ACCESS DENIED (requested: 0x0211)
>>> [2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>>   Returning domain sid for domain STROZLLC - S-1-5-21-1001378032-4272845324-1772824492
>>> [2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
>>>   _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
>>> [2005/02/08 10:26:26, 2] smbd/server.c:exit_server(571)
>>>   Closing connections
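
The two ACCESS DENIED entries in the log quoted above, decoded bit by bit. This is an added example, not part of any post in the thread; the bit names are the domain access rights from MS-SAMR, and reading smbd's logged masks as those bits is an assumption. It shows that the session was granted 0x0201 and lacks only 0x0010, the create-user right that _samr_create_user requires.

```python
import re

# Domain-object access bits, named as in MS-SAMR. Assumption: the masks smbd
# logs for _samr_open_domain and _samr_create_user use these bits.
DOMAIN_ACCESS = {
    0x0001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x0002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x0004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x0008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x0010: "DOMAIN_CREATE_USER",
    0x0020: "DOMAIN_CREATE_GROUP",
    0x0040: "DOMAIN_CREATE_ALIAS",
    0x0080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x0100: "DOMAIN_LIST_ACCOUNTS",
    0x0200: "DOMAIN_LOOKUP",
    0x0400: "DOMAIN_ADMINISTER_SERVER",
}

# Three entries copied from the log in the thread.
SAMPLE_LOG = """\
[2005/02/08 10:26:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [dsonenberg] - [dsonenberg] - [dsonenberg] succeeded
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x0211)
[2005/02/08 10:26:26, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
"""

# One entry = "[timestamp, level] file:function(line)" followed by its message.
ENTRY_RE = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+(\S+)\s+(.*?)"
                      r"(?=\s*\[\d{4}/\d\d/\d\d |\s*\Z)", re.DOTALL)
AUTH_RE = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
DENY_RE = re.compile(r"(_samr_\w+): ACCESS DENIED\s*\(([^)]*)\)")
MASK_RE = re.compile(r"(\w+): (0x[0-9a-fA-F]+)")

def decode_mask(mask):
    names = [name for bit, name in sorted(DOMAIN_ACCESS.items()) if mask & bit]
    unknown = mask & ~sum(DOMAIN_ACCESS)  # bits outside the table above
    if unknown:
        names.append("UNKNOWN_0x%04x" % unknown)
    return names

def explain_denials(log_text):
    """List each SAMR ACCESS DENIED entry; 'missing' = required bits not granted."""
    user, findings = None, []
    for ts, _source, msg in ENTRY_RE.findall(log_text):
        auth = AUTH_RE.search(msg)
        if auth:
            # Heuristic: attribute later denials to the last successful logon.
            user = auth.group(1)
            continue
        deny = DENY_RE.search(msg)
        if not deny:
            continue
        masks = {k: int(v, 16) for k, v in MASK_RE.findall(deny.group(2))}
        finding = {"time": ts, "user": user, "call": deny.group(1)}
        finding.update({k: decode_mask(v) for k, v in masks.items()})
        if "granted" in masks and "required" in masks:
            finding["missing"] = decode_mask(masks["required"] & ~masks["granted"])
        findings.append(finding)
    return findings

if __name__ == "__main__":
    print(*explain_denials(SAMPLE_LOG), sep="\n")
```

The parser splits on the bracketed timestamp rather than on line breaks, so it accepts the log both in smbd's two-line layout and flattened onto one line.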
Re: [Samba] Joining a domain with a non-administrator account
I am running 3.0.10. Do I need to upgrade to 3.0.11 to get this to work?

Gerald (Jerry) Carter wrote:
> Are you running 3.0.11 ?
> Did you set 'enable privileges = yes' ?
> Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane 15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)
Re: [Samba] Joining a domain with a non-administrator account
> I am running 3.0.10. Do I need to upgrade to 3.0.11 to get this to work?

Yep, that's a new feature for this version, as stated in the release notes for 3.0.11.

> Gerald (Jerry) Carter wrote:
>> Are you running 3.0.11 ?
>> Did you set 'enable privileges = yes' ?
>> Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?
>
> --
> David Sonenberg
> Systems / Network Administrator
> Stroz Friedberg, LLC
> 15 Maiden Lane 15th Floor
> New York, NY 10038
> 212.981.6527 (o) | 917.495.4918 (c)
Re: [Samba] Joining a domain with a non-administrator account
I just upgraded to 3.0.11. I read the Samba Rights Howto, and this looks like a nice addition to Samba. My question is this... I have 1 samba LDAP/PDC, and 2 samba slave LDAP/BDC's. The changes I make with the 'net rpc rights' command don't propagate to my BDC's. Is there something special I have to do in this setup?

Paul Gienger wrote:
>> I am running 3.0.10. Do I need to upgrade to 3.0.11 to get this to work?
>
> Yep, that's a new feature for this version, as stated in the release notes for 3.0.11.
>
>> Gerald (Jerry) Carter wrote:
>>> Are you running 3.0.11 ?
>>> Did you set 'enable privileges = yes' ?
>>> Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane 15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)
Re: [Samba] Joining a domain with a non-administrator account
Does anyone know?

David Sonenberg wrote:
> I guess I wasn't clear. My PDC is a samba box. It's not Active Directory.

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane 15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)
Re: [Samba] Joining a domain with a non-administrator account
David Sonenberg wrote:
| I'm trying to set it up so I can join the domain with
| a regular user that is part of the domain admin group. I
| have a user dsonenberg that is in the domain admin
| group(512), but I can't join the domain with that
| account. For the record I can login with that
| account and Administrator can join the domain. The
| PDC has an LDAP backend. Here's the log.

Are you running 3.0.11 ?
Did you set 'enable privileges = yes' ?
Did you grant the SeMachineAccountPrivilege to the 'DOMAIN\Domain Admins' group ?

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
RE: [Samba] Joining a domain with a non-administrator account
In Active Directory, make sure the console is view-Advance Features. In the OU there should be a computer account for this machine. Open it and go to the security tab. Click on the add button, then add the user you are using with kinit. Go to the permissions section for this user, make sure he has the following permissions or checked to allow: Read, Write, Reset Password, Validate Write to DNS Hostname, Validate Write to Service Principal Name.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Sonenberg
Sent: Tuesday, February 08, 2005 8:14 AM
To: samba@lists.samba.org
Subject: [Samba] Joining a domain with a non-administrator account

I'm trying to set it up so I can join the domain with a regular user that is part of the domain admin group. I have a user dsonenberg that is in the domain admin group(512), but I can't join the domain with that account. For the record I can login with that account and Administrator can join the domain. The PDC has an LDAP backend. Here's the log.
Re: [Samba] Joining a domain with a non-administrator account
I guess I wasn't clear. My PDC is a samba box. It's not Active Directory.

Wayne Rasmussen wrote:
> In Active Directory, make sure the console is view-Advance Features. In the OU there should be a computer account for this machine. Open it and go to the security tab. Click on the add button, then add the user you are using with kinit. Go to the permissions section for this user, make sure he has the following permissions or checked to allow: Read, Write, Reset Password, Validate Write to DNS Hostname, Validate Write to Service Principal Name.

--
David Sonenberg
Systems / Network Administrator
Stroz Friedberg, LLC
15 Maiden Lane 15th Floor
New York, NY 10038
212.981.6527 (o) | 917.495.4918 (c)