On 25/09/13 16:57, Axel wrote:
Rowland Penny wrote:
On 25/09/13 15:36, Axel wrote:
Rowland Penny wrote:
On 25/09/13 14:43, Axel wrote:
Yes, this works all the time:

root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ad...@intranet.domain.de
  Issued                Expires               Principal
Sep 25 15:31:44 2013 Sep 26 01:31:42 2013 krbtgt/intranet.domain...@intranet.domain.de

The Security Monitor on the Windows 2003 DC told me (in German):

Event Type:    Success Audit
Event Source:    Security
Event Category:    Directory Service Access
Event ID:    566
Date:        25.09.2013
Time:        15:35:28
User:        INTRANET\admin
Computer:    WI-PAS01
     Object Server:    DS
     Operation Type:    Object Access
     Object Type:    organizationalUnit
     Object Name:    OU=Domain Controllers,DC=intranet,DC=domain,DC=de
     Handle ID:    -
     Primary User Name:    WI-PAS01$
     Primary Domain:    INTRANET
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    admin
     Client Domain:    INTRANET
     Client Logon ID:    (0x0,0x5B2D755F)
     Accesses:    Create Child

    Create Child

Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
     Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
     Access Mask:    0x1


Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    540
Date:        25.09.2013
Time:        15:35:28
User:        INTRANET\admin
Computer:    WI-PAS01
Successful Network Logon:
     User Name:    admin
     Domain:        INTRANET
     Logon ID:        (0x0,0x5B2D755F)
     Logon Type:    3
     Logon Process:    Kerberos
     Authentication Package:    Kerberos
     Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
     Caller User Name:    -
     Caller Domain:    -
     Caller Logon ID:    -
     Caller Process ID: -
     Transited Services: -
     Source Port:    43028

Login from samba-dc1.intranet.domain.de and IP works. NO insufficient user rights!

Another test - copying SYSVOL - works too:
smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'

That's all...

Rowland Penny wrote:
On 25/09/13 13:18, Axel wrote:
Of course,

Rowland Penny wrote:
On 25/09/13 12:37, Axel wrote:
Anyone? Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all.

Does user intranet/admin exist and, if so, do they have the right to add a machine to the domain? Also, have you tried replacing intranet/admin with Administrator?

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has had all rights to this domain since 2005 :)
Same problem with another Domain-Administrator Account.

I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,

OK, I did this yesterday, but with a samba4 DC joining another samba4 DC. Try this:

kinit admin

/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de


Yes, admin can log into the servers, but does he have the right to add workstations to the domain?
Also was Administrator renamed or was a new user called admin created?

Like I said, "admin" is the main domain administrator and has all rights to this domain. He wasn't created new, just renamed.


Well, if admin has all the required rights, I wonder if it is a problem with access rights to sam.ldb. On my secondary DC this belongs to root:root and the root user has read + write access, and getfacl shows:
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/private/sam.ldb
# owner: root
# group: root

so you need to be root to alter it. Should you be running the command with sudo? Do you have the root user enabled, i.e. are you running as root?

I take it that /etc/resolv.conf points to your windows server (or something that points to it)

One other thing that I can think of is that samba-tool domain join is hardcoded to the Administrator but I do not really think this is likely.

Lastly, because it's Debian: AppArmor. If this is on, try turning it off.


Look at my code. I'm running as root. getfacl shows:

root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/private/sam.ldb
# owner: root
# group: root

root@samba-dc1:/# cat /etc/resolv.conf
domain intranet.domain.de
search intranet.domain.de
nameserver <-- Windows DC wi-pas01

Hmm, I'm wondering...

When I did my 'domain join' I had resolv.conf pointing to just the samba4 AD DC, so you could try that, but frankly after that I have run out of ideas.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
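Pulling together the checks discussed in the thread (running as root, a TGT for the realm, resolv.conf pointing at the DC, sam.ldb owned by root, AppArmor), here is a pre-flight script as an added example; it is not code from the thread or from the Samba project, and it does not perform the join itself. The address 192.0.2.10 is a placeholder for the Windows DC address that the thread redacts, and the sam.ldb default is the path Axel shows. Each check takes its input as a file path, so it can be run against captured output (like the klist listing above) as well as against the live system.

```shell
#!/bin/sh
# check_join_prereqs.sh - pre-flight checks before "samba-tool domain join REALM DC".
# Added example; not code from the thread or from the Samba project. It only
# checks the conditions discussed in the thread, it does not perform the join.
#
# Usage: sh check_join_prereqs.sh REALM DC_IP [SAM_LDB]
#   e.g. sh check_join_prereqs.sh intranet.domain.de 192.0.2.10
# 192.0.2.10 is an assumed placeholder for the Windows DC's (redacted) address;
# the sam.ldb default below is the path shown in the thread.

# samba-tool has to write sam.ldb, which belongs to root:root, so run as root.
have_root() {
    [ "$(id -u)" -eq 0 ]
}

# The credentials cache must hold a TGT for the realm being joined, i.e. a
# "krbtgt/REALM@REALM" line in klist output.  $1 = file with klist output,
# $2 = realm.  Reading a file lets the check run on captured output as well.
have_tgt_for_realm() {
    grep -qF "krbtgt/$2@$2" "$1"
}

# The first nameserver in resolv.conf must be the AD DC (or something that
# forwards to it); otherwise the lookups the join depends on go elsewhere.
# $1 = resolv.conf path, $2 = expected DC address.
first_nameserver_is() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# sam.ldb must exist and belong to root; a different owner means an earlier
# provision or join ran as the wrong user.  $1 = path to sam.ldb.
sam_ldb_owned_by_root() {
    [ -f "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = root ]
}

# AppArmor can confine samba away from its private directory.
# $1 = kernel flag file (defaults to the real one; overridable for testing).
apparmor_enabled() {
    flag=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$flag" ] && [ "$(cat "$flag")" = Y ]
}

# Run one check, print PASS/FAIL, and remember any failure in $rc.
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi
}

# Run every check against the live system; returns 1 if any of them failed.
main() {
    realm=$1; dc_ip=$2; sam_ldb=${3:-/var/lib/samba/private/sam.ldb}
    rc=0
    tmp=$(mktemp)
    klist > "$tmp" 2>/dev/null || true
    report have_root
    report have_tgt_for_realm "$tmp" "$realm"
    report first_nameserver_is /etc/resolv.conf "$dc_ip"
    report sam_ldb_owned_by_root "$sam_ldb"
    rm -f "$tmp"
    if apparmor_enabled; then
        echo "WARN: AppArmor is enabled; try disabling it for the join"
    fi
    return "$rc"
}

# Only run the live checks when invoked with arguments; the functions above
# can also be sourced and called one at a time.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as root on the prospective DC before `samba-tool domain join`; a FAIL on the resolv.conf or ticket check is the kind of mismatch the thread is hunting for, while an INSUFF_ACCESS_RIGHTS with every check passing points back at the directory ACLs on the target OU.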
