
[Samba] Can't join machine without full access


Luca Olivetti

Jun 2, 2015, 10:20:03 AM
Sernet Samba 4.2.2 on Ubuntu 14.04.2 LTS, a fresh migration from Samba 3
(I'm still in the testing phase).

I'm experimenting with task delegation.

Using the ADUC wizard, I select the "Join machine to domain" task to add
to my userid (I also tried a group I'm a member of, with the same
result), at the domain level (rough translation, this is on a localized
Windows 7).

Adding a Windows 7 machine to the domain fails with "access denied".

Trying to join a linux client I get

# net ads join -U luca
Enter luca's password:
Failed to join domain: failed to set machine spn: Insufficient access

(I tried a fresh migration and now the error message is "Failed to join
domain: Failed to set account flags for machine account
(NT_STATUS_ACCESS_DENIED)")


If I give myself full control over the domain (or just over "computer
accounts" objects) both joins work.

Unfortunately, I don't remember if I tested under the same conditions
with earlier samba versions.

Is this a problem with samba, the ADUC wizard or are things supposed
(not) to work this way?

FWIW, this is my smb.conf


# Global parameters
[global]
workgroup = WETRON
realm = SAMBA.WETRON.ES
netbios name = DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/samba.wetron.es.key.insecure
tls certfile = /var/lib/samba/private/tls/samba.wetron.es.crt
tls cafile = /var/lib/samba/private/tls/wetron.crt

dns forwarder = 192.168.169.6

template homedir = /net/netapp01/vol/Data/home/%U
template shell = /bin/false

printing = bsd
printcap name = /dev/null
disable spoolss = yes

#netapp, see
# http://forge.univention.org/bugzilla/show_bug.cgi?id=37874
allow nt4 crypto = yes


[netlogon]
path = /var/lib/samba/sysvol/samba.wetron.es/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

Luca Olivetti

Jun 2, 2015, 10:50:03 AM
On 02/06/15 at 16:11, Luca Olivetti wrote:

> Sernet samba 4.2.2 in ubuntu 14.04.2 LTS, a fresh migration from samba 3
> (I'm still in the testing phase).
>
> I'm experimenting with task delegation.

I'm also having the same problems with GPO delegation: in GPMC I granted
permission to a group I'm a member of, but I get "Access denied" when I
try to create a GPO.
The funny thing is that I can add or remove items in the Delegation tab
of GPMC.

L.P.H. van Belle

Jun 2, 2015, 11:10:03 AM
What I read is correct, yes.

> Adding a windows 7 machine to the domain fails with "access denied".

You forgot the following, from what I read below.

Add the user to a "Domain\GROUP".
Add this group to the LOCAL_PC\Administrators group.

And now you're set to go.

Even if you give a user or group the rights to join a domain,
this user or group MUST have Administrator access on the PC.

And make sure your login name and PC names are NOT the same.

Read this one:
http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

First the GPO is created to set the LOCAL_COMPUTER User Rights Assignments (add workstations to domain).
I advise using a group for this, and this can be a domain group.
Reboot the PC or refresh your policies (2 times, to make sure).

And then delegate rights using Active Directory Users and Computers.


Greetz,

Louis


>-----Original message-----
>From: lu...@wetron.es [mailto:samba-...@lists.samba.org]
>On behalf of Luca Olivetti
>Sent: Tuesday 2 June 2015 16:11
>To: sa...@lists.samba.org
>Subject: [Samba] Can't join machine without full access

Luca Olivetti

Jun 2, 2015, 11:20:03 AM
On 02/06/15 at 16:40, Luca Olivetti wrote:

>
> I'm also having the same problems with GPO delegation: In GPMC I granted
> permission to a group I'm a member of, but I get "Access denied" when I
> try to create a GPO.
> The funny thing is that I can add or remove items in the delegation tab
> of GPMC.

False alarm regarding GPOs: I had to add the group in various places.

Bye

Luca Olivetti

Jun 2, 2015, 11:20:03 AM
On 02/06/15 at 17:00, L.P.H. van Belle wrote:
Yes, option 2 there ("delegate rights using Active Directory Users and
Computers") works. I wonder then what the "Add machine to domain" task in the
common tasks list of the wizard[*] actually does (since it doesn't work).
Since option 1 involves GPOs, I suppose it would only work for Windows
machines, not Linux ones?


[*]did I tell you that I hate wizards, especially when they don't work? ;-)

Bye

Marc Muehlfeld

Jun 2, 2015, 1:10:03 PM
Hello,

On 02.06.2015 at 16:11, Luca Olivetti wrote:
> Using the ADUC wizard, I select the "Join machine to domain" task to add
> to my userid (I also tried a group I'm a member of with the same
> result), at the domain level (rough translation, this is on a localized
> windows 7).
>
> Adding a windows 7 machine to the domain fails with "access denied".


This works:
https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions


Regards,
Marc
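The wiki page Marc links (and option 2 of the article Louis links) delegates a specific set of rights on the Computers container rather than full control. As an added example, not code from the thread or from Samba, the following Python takes the SDDL of that container's security descriptor (as printed by `samba-tool dsacl get`, assumed available in the Samba version in use) and reports which of those rights a delegated SID still lacks; the two errors in the original post concern writing the machine SPN and the account flags, which are the rights to check first. The GUIDs are the well-known AD schema and extended-right GUIDs and are an assumption of this example, not values from the page.

```python
import re

# Assumed well-known Active Directory GUIDs (schema class, property set,
# validated-write and extended rights); they are not taken from the thread.
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
REQUIRED = {
    "create computer objects": ("cc", COMPUTER_CLASS),
    "validated write to servicePrincipalName": ("sw", "f3a64788-5306-11d1-a9c5-0000f80367c1"),
    "validated write to dNSHostName": ("sw", "72e39547-7b18-11d1-adef-00c04fd8d5cd"),
    "write account restrictions (userAccountControl)": ("wp", "4c164200-20c0-11d0-a768-00aa006e0529"),
    "reset password": ("cr", "00299570-246d-11d0-a768-00aa006e0529"),
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Yield (type, flags, rights, object_guid, inherit_guid, sid), lower-cased,
    for every ACE in the DACL part of an SDDL string (the SACL is ignored)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop a trailing SACL, if any
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        if len(fields) >= 6:
            yield tuple(f.strip().lower() for f in fields[:6])


def missing_join_rights(sddl, trustee_sid):
    """Return the REQUIRED rights that no allow ACE grants to trustee_sid.
    Only two-letter SDDL right codes are understood; hex access masks are
    not decoded (assumption for this example)."""
    sid = trustee_sid.lower()
    granted = set()
    for ace_type, _flags, rights, obj_guid, _inh, ace_sid in parse_aces(sddl):
        if ace_sid != sid or ace_type not in ("a", "oa"):
            continue                       # deny ACEs and other trustees
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if "ga" in tokens and obj_guid == "":
            return []                      # full control covers everything
        for name, (code, guid) in REQUIRED.items():
            # an object ACE names the right/class; a plain ACE grants it broadly
            if code in tokens and obj_guid in ("", guid):
                granted.add(name)
    return [name for name in REQUIRED if name not in granted]


if __name__ == "__main__":
    # Constructed sample: only "create computer objects" has been delegated.
    sample = "D:(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
    for right in missing_join_rights(sample, "S-1-5-21-1-2-3-1105"):
        print("missing:", right)
```

Run it against the real descriptor of CN=Computers (or whichever OU the delegation was applied to) and the SID of the delegated user or group; an empty list means the delegation matches the wiki's set.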

Luca Olivetti

Jun 2, 2015, 1:10:03 PM
On 02/06/15 at 19:01, Marc Muehlfeld wrote:
> Hello,
>
> On 02.06.2015 at 16:11, Luca Olivetti wrote:
>> Using the ADUC wizard, I select the "Join machine to domain" task to add
>> to my userid (I also tried a group I'm a member of with the same
>> result), at the domain level (rough translation, this is on a localized
>> windows 7).
>>
>> Adding a windows 7 machine to the domain fails with "access denied".
>
>
> This works:
> https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions

This is the same as option 2 here, as suggested by Louis:

http://windowsitpro.com/windows-server/jsi-tip-8144-how-can-i-allow-ordinary-user-add-computer-domain

(though I didn't think of looking in the Samba wiki, duh) and sure, it
works.

I'm puzzled by the fact that the ADUC wizard has an "Add machine to
domain" task that should do the same in just one step, but it doesn't.
Actually, I'm *not* puzzled, this is Windows after all....

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

sandy....@eccmg.cupet.cu

Jun 2, 2015, 6:00:02 PM
I have this line in my smb.conf:
log file = /usr/local/samba/var/LOGS/%U.%m.log

But when I look at the logs, sometimes they do not show the username, for example:

jonh.10.10.1.53.log
PC38.10.10.1.38.log

Why does the PC38 log not show the username?