Hello,

We recently upgraded to the latest Samba3 version, v3.0.23c. If the Samba system and the AD belong to the same domain, I am able to perform a 'net ads join' by supplying either a 'Domain Admins' or a 'Domain Users' credential.
However, if the Samba system and the AD belong to different domains, I can perform the 'net ads join' by supplying a 'Domain Admins' credential but not a user belonging to 'Domain Users'. If the user belongs only to 'Domain Users', I get the 'Failed to set servicePrincipalNames' error.

Samba System domain = WGA
AD Server domain = CHILD1.AD.WGA

wsa29:] winbindd -V
Version 3.0.23c

wsa29:] hostname
wsa29.wga

wsa29:] klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]

  Issued           Expires          Principal
Nov  7 14:31:19  Nov  8 00:31:19  krbtgt/[EMAIL PROTECTED]
Nov  7 14:32:07  Nov  8 00:31:19  [EMAIL PROTECTED]

wsa29:] cat smb.conf
[global]
workgroup = CHILD1
server string = Samba Server
load printers = yes
log file = /var/log/samba.log.%m
lock directory = /var/run/locks
pid directory = /var/run/locks
max log size = 100
security = ads
password server = child1-server.child1.ad.wga
realm = CHILD1.AD.WGA
encrypt passwords = yes
smb passwd file = /usr/local/samba/lib/smbpasswd
socket options = TCP_NODELAY
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

wsa29:] net ads join -s /etc/samba/smb.conf -Uadministrator
administrator's password:
Using short domain name -- CHILD1
Joined 'WSA29' to realm 'CHILD1.AD.WGA'

wsa29:] net ads join -s /etc/samba/smb.conf -Uolympus
olympus's password:
Using short domain name -- CHILD1
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'WSA29' in realm 'CHILD1.AD.WGA'

Here the user 'administrator' belongs to 'Domain Admins' and the user 'olympus' belongs to 'Domain Users'. Shouldn't I be able to use a 'Domain Users' account to perform the 'net ads join' operation in 3.0.23c? Or is this restricted to both the Samba system and the AD server being on the same domain?

Thanks in advance
-Raj