Error Setting Trust Account Password Nt_status_access_denied
On Mon, 17 Mar 2003, Olaf Grewe wrote:

> Hi,
>
> I recently joined a Samba server to a Samba PDC'd domain. It worked rather
> smoothly after I figured out that I had to create a root account with
> smbpasswd on the Samba PDC. Without it, I was stuck with the following
> error:
>
> smbpasswd -j WHATEVER -r WHOCARES -Uname%password
> error setting trust account password: NT_STATUS_ACCESS_DENIED
> Unable to join domain WHATEVER
>
> I'd rather prefer to use my domain_adm account for this kind of tasks but
> it's obviously lacking sufficient rights (whether on directories and/or
> files, I don't know). The domain_adm account is obviously mentioned in the
> domain admin group parameter of smb.conf and the machine account was added
> to the smbpasswd of WHOCARES beforehand.
>
> My question is: Which rights does an admin account need to be able to join
> other machines into a domain? Joining Samba to a Samba PDC'd domain
> appears to be fairly uncommon, as I didn't find much by searching the
> respective lists and groups.

When you want to make a MS Windows NT/2K/XP client a member of a MS Windows
network Domain, you must provide the name of an account and password for a
user who has full "Domain Administrator" ability. That user is usually
'Administrator' on the domain controllers.

The user 'root' is the equivalent of the MS Windows NT 'Administrator'.
Obviously, every domain needs an 'Administrator' account. It is thus logical
that 'root' needs to have an smbpasswd account.

You can map this to administrator by setting in smb.conf [globals]:

    username map = /etc/samba/smbusers

And in /etc/samba/smbusers:

    root = Administrator

At the end of the day, just like with MS Windows NT/2K only Administrator (by
default) has the right to add users/machines to the Domain.

- John T.
--
John H Terpstra
Email: jht at samba.org
= ads. Both allow Samba to leverage the central authentication service provided by domain controllers. Both modes support the NTLM and NTLMv2 authentication protocols. The ads mode also supports Kerberos authentication; domain does not. A good rule of thumb is to select the ads method if you are joined to an AD domain, regardless of whether the domain runs in mixed or native mode.

If you plan to configure Samba for security = ads, remember to follow the instructions given in Chapter 2 to verify that your Samba installation does in fact possess support for Kerberos, LDAP, and Active Directory. There are no such external software dependencies for enabling domain security; this mode is always provided.

security = domain

Joining a Samba host using security = domain involves two steps:

1. Define the domain and member server settings for your environment in smb.conf.
2. Establish the machine account credentials by joining the domain.

The first parameter to set is the security option. Start by defining domain mode security in the [global] section of smb.conf:

    [global]
        security = domain

Supporting password encryption is a requirement for member servers, so you should set it explicitly, even though it is enabled by default:

        encrypt passwords = yes

Finally, specify the name of the domain to which your server will belong. Samba, like Windows, reuses the workgroup parameter for this setting. Here, we are joining the GLASS Windows NT 4.0 domain:

        workgroup = GLASS

Once smb.conf has been configured, use the net command to establish the server's credentials in the domain. You need a user account that is properly authorized to join your server to the domain.[*] When in doubt, an account that is a member of the Domain Admins group will always work.
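A pre-join check of the smb.conf settings above, as an added example that is not from the original text: it parses the [global] section and reports settings that would block a member-server join. The sample file and the function names parse_global and check_member_config are constructed for illustration.

```python
import re

# Constructed sample smb.conf for a member server (values follow the text above).
SAMPLE_SMB_CONF = """\
[global]
    security = domain
    ; encryption must stay on for member servers
    encrypt passwords = yes
    workgroup = GLASS
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Samba ignores case and whitespace in parameter names, so names are
    normalised the same way ("Encrypt Passwords" -> "encryptpasswords").
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_member_config(text):
    """List problems that would block a security = domain/ads join."""
    p = parse_global(text)
    problems = []
    security = p.get("security", "").lower()
    if security not in ("domain", "ads"):
        problems.append(f"security is {security or 'unset'!r}, expected domain or ads")
    # Encryption is on by default, so only an explicit "off" is a problem.
    if p.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        problems.append("encrypt passwords is disabled")
    if not p.get("workgroup"):
        problems.append("workgroup (the domain name) is not set")
    return problems

if __name__ == "__main__":
    for problem in check_member_config(SAMPLE_SMB_CONF) or ["member-server settings look consistent"]:
        print(problem)
```
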
Next, run the net join command from a root shell to join the domain, using the -U option to define the connecting user name:[*] Domain Administrators can
Re: Problems adding Win clients to domain [SOLVED] From: Lars-Gunnar Persson