On 25/09/13 12:37, Axel wrote:
Anyone?

This is from log-level 10:

<code>
root@samba-dc1:/# samba-tool domain join intranet.DOMAIN.de DC -Uintranet/admin --realm=intranet.DOMAIN.de
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
Finding a writeable DC for domain 'intranet.DOMAIN.de'
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain intranet.DOMAIN.de
finddcs: looking for SRV records for _ldap._tcp.intranet.DOMAIN.de
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed wi-pas04.intranet.DOMAIN.de [0, 100, 389]
ads_dns_parse_rr_srv: Parsed wi-pas01.intranet.DOMAIN.de [0, 100, 389]
finddcs: DNS SRV response 0 at '192.168.200.14'
finddcs: DNS SRV response 1 at '10.8.0.1'
finddcs: DNS SRV response 2 at '192.168.200.10'
finddcs: performing CLDAP query on 192.168.200.14
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz                      : 0x0000 (0)
        server_type              : 0x000001fc (508)
               0: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               0: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               0: NBT_SERVER_FULL_SECRET_DOMAIN_6
               0: NBT_SERVER_ADS_WEB_SERVICE
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid              : d4836b14-2bf0-4c30-812a-aa7113035d1e
        forest                   : 'intranet.DOMAIN.de'
        dns_domain               : 'intranet.DOMAIN.de'
        pdc_dns_name             : 'wi-pas04.intranet.DOMAIN.de'
        domain_name              : 'INTRANET'
        pdc_name                 : 'WI-PAS04'
        user_name                : ''
        server_site              : 'Standardname-des-ersten-Standorts'
        client_site              : 'Standardname-des-ersten-Standorts'
        sockaddr_size            : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family          : 0x00000000 (0)
            pdc_ip                   : (null)
            remaining                : DATA_BLOB length=0
        next_closest_site        : NULL
        nt_version               : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token               : 0xffff (65535)
        lm20_token               : 0xffff (65535)
finddcs: Found matching DC 192.168.200.14 with server_type=0x000001fc
Found DC wi-pas04.intranet.DOMAIN.de
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [INTRANET\admin]:
Received smb_krb5 packet of length 164
Received smb_krb5 packet of length 1326
Received smb_krb5 packet of length 117
Received smb_krb5 packet of length 1300
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)
root@samba-dc1:/#

</code>


Axel wrote:
Hi folks,

Big problem with my testing environment... My Windows 2003 domain has existed since 2004 and the credentials are correct, guaranteed.
This problem is actually the same on Ubuntu 12.04.3 and Debian 7...

<code>
root@pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de

Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
Found DC wi-pas01.intranet.DOMAIN.de
Password for [INTRANET\admin]:
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
<>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)
</code>

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
 axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all.

Does user intranet/admin exist and, if so, do they have the right to add a machine to the domain? Also, have you tried replacing intranet/admin with Administrator?

Rowland
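
As an added example (not part of either post, and not Samba code): a small Python triage of the join output quoted above, pulling out the DC contacted, the account used, the object being created and the Win32 code that leads the AD error string. The sample lines are copied from the log in this thread; the two lookup tables are small subsets chosen for this case.

```python
import re

# Constructed sample: the decisive lines of the failed join quoted in this thread.
SAMPLE = """\
finddcs: Found matching DC 192.168.200.14 with server_type=0x000001fc
Found DC wi-pas04.intranet.DOMAIN.de
Password for [INTRANET\\admin]:
Adding CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""

# Win32 codes that can lead the AD extended error string (small subset).
WIN32 = {0x5: "ERROR_ACCESS_DENIED", 0x522: "ERROR_PRIVILEGE_NOT_HELD"}
# server_type bits as named in the CLDAP dump (NBT_SERVER_*), join-relevant subset.
SERVER_BITS = {0x001: "PDC", 0x004: "GC", 0x008: "LDAP", 0x010: "DS",
               0x020: "KDC", 0x100: "WRITABLE"}

PATTERNS = {
    "dc": r"^Found DC (\S+)",
    "account": r"^Password for \[(.+?)\]:",
    "target_dn": r"^Adding (CN=.+)$",
    "server_type": r"server_type=0x([0-9A-Fa-f]+)",
}
ERR_RE = re.compile(
    r"LDAP error (?P<ldap_code>\d+) (?P<ldap_name>\w+) - "
    r"<(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<problem_name>\w+)\)")

def triage(log):
    """Summarise who tried to add which object on which DC, and why AD refused."""
    out = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, log, re.M)
        out[key] = m.group(1) if m else None
    flags = int(out["server_type"] or "0", 16)
    out["dc_flags"] = [name for bit, name in SERVER_BITS.items() if flags & bit]
    err = ERR_RE.search(log)
    if err is None:
        return out  # no directory-service error in this log
    out.update(err.groupdict())
    out["ldap_code"] = int(out["ldap_code"])
    code = int(out["win32"], 16)
    out["win32"] = WIN32.get(code, "unknown (0x%x)" % code)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print("%-13s %s" % (key, value))
```

For this log the leading 00000522 decodes to ERROR_PRIVILEGE_NOT_HELD and the contacted DC reports itself as writable, so the refusal is about what INTRANET\admin may create under OU=Domain Controllers, which is the question asked in the reply above.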