Top posting: In resolv.conf - remove any DNS servers other than the AD one. Is the AD server actually responding to DNS queries from the S4 box?

I have not followed this thread carefully, so my suggestion could easily be wrong - but DNS from the real AD controller is *really* important, and IMO, it shouldn't be getting answers from ANY other servers. [And you should be *sure* it really IS getting answers, rather than a refusal.]

-Greg

A> Rowland Penny wrote:
>> On 25/09/13 16:57, Axel wrote:
>>> Rowland Penny wrote:
>>>> On 25/09/13 15:36, Axel wrote:
>>>>> Rowland Penny wrote:
>>>>>> On 25/09/13 14:43, Axel wrote:
>>>>>>> Yes, this works all the time:
>>>>>>>
>>>>>>> root@samba-dc1:~# kinit admin
>>>>>>> ad...@intranet.domain.de's Password:
>>>>>>> root@samba-dc1:~# klist
>>>>>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>>>>> Principal: ad...@intranet.domain.de
>>>>>>> Issued Expires Principal
>>>>>>> Sep 25 15:31:44 2013 Sep 26 01:31:42 2013
>>>>>>> krbtgt/intranet.domain...@intranet.domain.de
>>>>>>> root@samba-dc1:~#
>>>>>>>
>>>>>>> The Security-Monitor on Windows 2003 DC told me (in German):
>>>>>>>
>>>>>>> Ereignistyp: Erfolgsüberw.
>>>>>>> Ereignisquelle: Security
>>>>>>> Ereigniskategorie: Verzeichnisdienstzugriff
>>>>>>> Ereigniskennung: 566
>>>>>>> Datum: 25.09.2013
>>>>>>> Zeit: 15:35:28
>>>>>>> Benutzer: INTRANET\admin
>>>>>>> Computer: WI-PAS01
>>>>>>> Beschreibung:
>>>>>>> Objektvorgang:
>>>>>>> Objektserver: DS
>>>>>>> Vorgangstyp Object Access
>>>>>>> Objekttyp: organizationalUnit
>>>>>>> Objektname: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>>> Handlekennung: -
>>>>>>> Primärer Benutzername: WI-PAS01$
>>>>>>> Primäre Domäne: INTRANET
>>>>>>> Primäre Anmeldekennung: (0x0,0x3E7)
>>>>>>> Clientbenutzername: admin
>>>>>>> Clientdomäne: INTRANET
>>>>>>> Clientanmeldekennung: (0x0,0x5B2D755F)
>>>>>>> Zugriffe Untergeordnetes Objekt erzeugen
>>>>>>>
>>>>>>> Eigenschaften:
>>>>>>> Untergeordnetes Objekt erzeugen
>>>>>>> computer
>>>>>>>
>>>>>>> Weitere Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>>>>>>> Weitere Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
>>>>>>> Zugriffsmaske: 0x1
>>>>>>>
>>>>>>> and:
>>>>>>>
>>>>>>> Ereignistyp: Erfolgsüberw.
>>>>>>> Ereignisquelle: Security
>>>>>>> Ereigniskategorie: An-/Abmeldung
>>>>>>> Ereigniskennung: 540
>>>>>>> Datum: 25.09.2013
>>>>>>> Zeit: 15:35:28
>>>>>>> Benutzer: INTRANET\admin
>>>>>>> Computer: WI-PAS01
>>>>>>> Beschreibung:
>>>>>>> Erfolgreiche Netzwerkanmeldung:
>>>>>>> Benutzername: admin
>>>>>>> Domäne: INTRANET
>>>>>>> Anmeldekennung: (0x0,0x5B2D755F)
>>>>>>> Anmeldetyp: 3
>>>>>>> Anmeldevorgang: Kerberos
>>>>>>> Authentifizierungspaket: Kerberos
>>>>>>> Arbeitsstationsname:
>>>>>>> Anmelde-GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>>>>>>> Aufruferbenutzername: -
>>>>>>> Aufruferdomäne: -
>>>>>>> Aufruferanmeldekennung: -
>>>>>>> Aufruferprozesskennung: -
>>>>>>> Übertragene Dienste: -
>>>>>>> Quellnetzwerkadresse: 192.168.200.210
>>>>>>> Quellport: 43028
>>>>>>>
>>>>>>> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. NO insufficient user rights!
>>>>>>>
>>>>>>> Another test - copying SYSVOL - works too:
>>>>>>> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'
>>>>>>>
>>>>>>> That's all...
>>>>>>>
>>>>>>> Rowland Penny wrote:
>>>>>>>> On 25/09/13 13:18, Axel wrote:
>>>>>>>>> Of course,
>>>>>>>>>
>>>>>>>>> Rowland Penny wrote:
>>>>>>>>>> On 25/09/13 12:37, Axel wrote:
>>>>>>>>>>> Anyone?
>>>>>>>>>>>> Join failed - cleaning up
>>>>>>>>>>>> checking sAMAccountName
>>>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>>> > <>
>>>>>>>>>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>>>>>>> return self.run(*args, **kwargs)
>>>>>>>>>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
>>>>>>>>>>>> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>>>>>>>>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
>>>>>>>>>>>> ctx.do_join()
>>>>>>>>>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
>>>>>>>>>>>> ctx.join_add_objects()
>>>>>>>>>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
>>>>>>>>>>>> ctx.samdb.add(rec)
>>>>>>>>>>>>
>>>>>>>>>>>> It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.
>>>>>>>>>>>>
>>>>>>>>>>>> Can someone help?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Cheers
>>>>>>>>>>>> axel
>>>>>>>>>>>>
>>>>>>>>>> Well I think this:
>>>>>>>>>>
>>>>>>>>>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>>>>>>>>>
>>>>>>>>>> says it all.
>>>>>>>>>>
>>>>>>>>>> Does user intranet/admin exist and if so, do they have the right to add a machine to the domain? Also, have you tried replacing intranet/admin with Administrator?
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>> As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has had all rights to this domain since 2005 :)
>>>>>>>>> Same problem with another Domain-Administrator account.
>>>>>>>>>
>>>>>>>>> I've also tried with "Administrator" like you suggested. Same issue...
>>>>>>>>>
>>>>>>>>> Thanks for your reply,
>>>>>>>>> axel
>>>>>>>>>
>>>>>>>> OK, I did this yesterday, but with a samba4 DC joining another samba4 DC, try this:
>>>>>>>>
>>>>>>>> kinit admin
>>>>>>>>
>>>>>>>> /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> Yes, admin can log into the servers, but does he have the right to add workstations to the domain?
>>>>>> Also, was Administrator renamed or was a new user called admin created?
>>>>>>
>>>>>> Rowland
>>>>> Like I said, "admin" is the main domain administrator and has all rights to this domain. He wasn't newly created, just renamed.
>>>>>
>>>>> Axel
>>>>>
>>>> Well, if admin has all the required rights, I wonder if it is a problem with access rights to sam.ldb. On my secondary DC this belongs to root:root and the root user has read + write access, and getfacl shows:
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: usr/local/samba/private/sam.ldb
>>>> # owner: root
>>>> # group: root
>>>> user::rw-
>>>> group::---
>>>> other::---
>>>>
>>>> so you need to be root to alter it. Should you be running the command with sudo? Do you have the root user enabled, i.e. are you running as root?
>>>>
>>>> I take it that /etc/resolv.conf points to your Windows server (or something that points to it).
>>>>
>>>> One other thing that I can think of is that samba-tool domain join is hardcoded to the Administrator, but I do not really think this is likely.
>>>>
>>>> Lastly, because it's Debian: AppArmor. If this is on, try turning it off.
>>>>
>>>> Rowland
>>>>
>>> Look at my code. I'm running as root. getfacl shows:
>>>
>>> root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: var/lib/samba/private/sam.ldb
>>> # owner: root
>>> # group: root
>>> user::rw-
>>> group::---
>>> other::---
>>>
>>> resolv.conf:
>>> root@samba-dc1:/# cat /etc/resolv.conf
>>> domain intranet.domain.de
>>> search intranet.domain.de
>>> nameserver 127.0.0.1
>>> nameserver 192.168.200.10 <-- Windows DC wi-pas01
>>> nameserver 192.168.200.254
>>>
>>> Hmm, I'm wondering.........
>>>
>>>
>> When I did my 'domain join' I had resolv.conf pointing to just the samba4 AD DC, so you could try that, but frankly after that I have run out of ideas.
>>
>> Rowland
A> No chance... same issue, also when I renamed admin to administrator.
A> I'm running out of ideas, too.
A> It's a great pity... thanks for your support!
A> Axel

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
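Greg's two checks (resolv.conf points only at the AD DC, and that DC actually answers rather than refuses) as a small script; this is an added example and not part of the thread or of Samba. It assumes the DC address 192.168.200.10 and realm intranet.domain.de from the thread, and `dig` for a live run; the classifier is exercised offline with constructed dig output.

```shell
#!/bin/sh
# Added example, not from the thread: check the two things Greg asks about
# before a `samba-tool domain join`. Assumptions: the AD DC is 192.168.200.10
# and the realm intranet.domain.de (both from the thread); `dig` is available
# for a live run (the offline check below uses constructed dig output).
AD_DC=192.168.200.10
REALM=intranet.domain.de

# Print every nameserver in the given resolv.conf that is not the AD DC.
# Returns 0 when the file points only at the DC, 1 otherwise.
extra_nameservers() {
    extra=$(awk -v dc="$AD_DC" '$1 == "nameserver" && $2 != dc { print $2 }' "$1")
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Classify dig output read from stdin: ANSWER when records came back,
# EMPTY for NOERROR without answers, REFUSED/NXDOMAIN/SERVFAIL for an
# error status, UNREACHABLE when no server replied at all.
classify_dig() {
    awk '
        /connection timed out|no servers could be reached/ { verdict = "UNREACHABLE" }
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; ANSWER SECTION:/ { answers = 1 }
        END {
            if (verdict != "") print verdict
            else if (status == "") print "UNREACHABLE"
            else if (status == "NOERROR" && answers) print "ANSWER"
            else if (status == "NOERROR") print "EMPTY"
            else print status
        }'
}

# Live run: ask the DC itself for the domain-controller SRV record.
#   dig @"$AD_DC" _ldap._tcp.dc._msdcs."$REALM" SRV | classify_dig
# Constructed dig outputs for an offline check of the classifier:
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.intranet.domain.de. 600 IN SRV 0 100 389 wi-pas01.intranet.domain.de.'
DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4321'
DIG_DOWN=';; connection timed out; no servers could be reached'
```

Run `extra_nameservers /etc/resolv.conf` on the S4 box: anything it prints is a nameserver Greg would remove before retrying the join.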