Rowland Penny wrote:
On 25/09/13 15:36, Axel wrote:
Rowland Penny wrote:
On 25/09/13 14:43, Axel wrote:
Yes, this works all the time:
root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@intranet.domain.de
Issued Expires Principal
Sep 25 15:31:44 2013 Sep 26 01:31:42 2013
krbtgt/intranet.domain...@intranet.domain.de
root@samba-dc1:~#
The Security log on the Windows 2003 DC told me (in German, translated here):
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Handle ID: -
Primary User Name: WI-PAS01$
Primary Domain: INTRANET
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties:
Create Child
computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
Access Mask: 0x1
and:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Successful Network Logon:
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.200.210
Source Port: 43028
Login from samba-dc1.intranet.domain.de and IP 192.168.200.210
works. NO insufficient user rights!
Another test - copying SYSVOL - works too:
smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'
That's all...
Rowland Penny wrote:
On 25/09/13 13:18, Axel wrote:
Of course,
Rowland Penny wrote:
On 25/09/13 12:37, Axel wrote:
Anyone? Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr:
DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
<>
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 1104, in join_DC
ctx.do_join()
File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 1007, in do_join
ctx.join_add_objects()
File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
line 499, in join_add_objects
ctx.samdb.add(rec)
It seems that all prerequisites are fine: DNS, ACLs etc., ping works fine...
also resolution of FQDNs.
Can someone help?
Thanks & Cheers
axel
Well I think this:
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr:
DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
says it all.
Does user intranet/admin exist and if so, do they have the right
to add a machine to the domain, also have you tried replacing
intranet/admin with Administrator?
Rowland
As I said in my first mail, that is THE Domain Administrator
(renamed in my environment to admin). This "admin" has had all rights
to this domain since 2005 :)
Same problem with another Domain-Administrator Account.
I've also tried with "Administrator" like you suggested. Same
issue...
Thanks to your reply,
axel
OK, I did this yesterday, but with a samba4 DC joining to another
samba4 DC, try this:
kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC
-Uadmin --realm=intranet.domain.de
Rowland
Yes, admin can log into the servers, but does he have the right to
add workstations to the domain?
Also was Administrator renamed or was a new user called admin created?
Rowland
Like I said, "admin" is the main domain administrator and has all
rights to this domain. He wasn't newly created, just renamed.
Axel
Well if admin has all the required rights, I wonder if it is a problem
with access rights to sam.ldb, on my secondary DC this belongs to
root:root and the root user has read + write access and getfacl shows:
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/private/sam.ldb
# owner: root
# group: root
user::rw-
group::---
other::---
so you need to be root to alter it. Should you be running the command
with sudo? Do you have the root user enabled, i.e. are you running as root?
I take it that /etc/resolv.conf points to your windows server (or
something that points to it)
One other thing that I can think of is that samba-tool domain join is
hardcoded to the Administrator but I do not really think this is likely.
Lastly, because it's Debian: AppArmor. If this is on, try turning it off.
Rowland
Look at my output. I'm running as root. getfacl shows:
root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/private/sam.ldb
# owner: root
# group: root
user::rw-
group::---
other::---
resolv.conf:
root@samba-dc1:/# cat /etc/resolv.conf
domain intranet.domain.de
search intranet.domain.de
nameserver 127.0.0.1
nameserver 192.168.200.10 <-- Windows DC wi-pas01
nameserver 192.168.200.254
Hmm, I'm wondering...
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
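An added example, not part of the thread and not Samba project code: a small Python helper that decodes the AD "SecErr" diagnostic samba-tool printed (LDAP result 50, Win32 code 0x522, DSID, problem 4003) and correlates the two Windows 2003 security audits by logon ID, so the directory change recorded in event 566 can be tied to the client address recorded in event 540. The sample inputs are constructed from the values quoted above, with the German field names rendered in English as in the translation; the Win32 error names in the table are from the standard Win32 error list (0x522 is ERROR_PRIVILEGE_NOT_HELD), and anything not in that table is reported as unknown rather than guessed.

```python
"""Added example (not from the thread): decode the samba-tool LDAP error and
correlate the Windows 2003 security audits by logon ID.  Sample inputs are
constructed from the values quoted in the thread."""
import re

# Win32 error codes that appear in the leading hex field of an AD "SecErr"
# diagnostic.  Only codes I am certain of; others are reported as "unknown".
WIN32_ERRORS = {
    0x0005: "ERROR_ACCESS_DENIED",
    0x0522: "ERROR_PRIVILEGE_NOT_HELD",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}

SECERR_RE = re.compile(
    r"LDAP error (?P<ldap_code>\d+)\s+(?P<ldap_name>\w+)\s*-\s*<"
    r"(?P<win32>[0-9A-Fa-f]{8}): SecErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<problem_name>\w+)\), data (?P<data>\d+)"
)

# Constructed sample: the error text from the thread, joined into one string.
SAMPLE_ERROR = (
    "ERROR(ldb): uncaught exception - LDAP error 50 "
    "LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: "
    "DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n<>"
)

# Constructed sample: the two audits from the thread, field names in English.
SAMPLE_EVENTS = """\
Event ID: 566
Event Category: Directory Service Access
User: INTRANET\\admin
Computer: WI-PAS01
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Primary User Name: WI-PAS01$
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties:
Create Child
computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Access Mask: 0x1

Event ID: 540
Event Category: Logon/Logoff
User: INTRANET\\admin
Computer: WI-PAS01
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 192.168.200.210
Source Port: 43028
"""


def parse_samba_ldap_error(text):
    """Split '<00000522: SecErr: DSID-..., problem 4003 (...), data 0>' into
    its fields.  Returns None when the text is not an AD SecErr diagnostic."""
    m = SECERR_RE.search(text)
    if not m:
        return None
    win32 = int(m["win32"], 16)
    return {
        "ldap_code": int(m["ldap_code"]),
        "ldap_name": m["ldap_name"],
        "win32_code": win32,
        "win32_name": WIN32_ERRORS.get(win32, "unknown"),
        "dsid": m["dsid"],
        "problem": int(m["problem"]),
        "problem_name": m["problem_name"],
        "data": int(m["data"]),
    }


def parse_events(text):
    """Parse blank-line separated 'Field: value' records.  A line without a
    colon continues the previous field, which is how the multi-line
    'Properties' list is laid out in the 2003-era text export."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in chunk.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line:
                key, val = (s.strip() for s in line.split(":", 1))
                fields[key], last = val, key
            elif last is not None:
                fields[last] = (fields[last] + " " + line).strip()
        events.append(fields)
    return events


def correlate(events):
    """For each directory-access audit (566) find the network logon (540)
    whose Logon ID equals the audit's Client Logon ID, so the object change
    can be attributed to a client address and authentication package."""
    logons = {e.get("Logon ID"): e for e in events if e.get("Event ID") == "540"}
    rows = []
    for e in events:
        if e.get("Event ID") != "566":
            continue
        logon = logons.get(e.get("Client Logon ID"), {})
        rows.append({
            "user": e.get("Client User Name"),
            "object": e.get("Object Name"),
            "accesses": e.get("Accesses"),
            "properties": e.get("Properties"),
            "new_child": e.get("Additional Info"),
            "source_ip": logon.get("Source Network Address"),
            "auth_package": logon.get("Authentication Package"),
        })
    return rows


if __name__ == "__main__":
    print(parse_samba_ldap_error(SAMPLE_ERROR))
    for row in correlate(parse_events(SAMPLE_EVENTS)):
        print(row)
```

The correlation shows what the thread's two audits already say when read together: the session that created CN=SAMBA-DC1 under OU=Domain Controllers is the Kerberos network logon from 192.168.200.210, i.e. the samba-tool run on samba-dc1; the decoded error says which later add was refused, but not why, so the DSID and problem code are what you would quote back to the list or search for.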