[cifs-discuss] smbd AD join for non-root level

Natalie Li Natalie.Li at Sun.COM
Fri Apr 18 08:57:53 PDT 2008


Erast,

In the future please use the cifs-discuss at opensolaris.org alias for 
Solaris CIFS related questions.  It helps with load-balancing, and any 
information posted could be beneficial to other people.
Please see inline comments!

Erast Benson wrote:

>Hi Natalie,
>
>We are trying to enable CIFS server in Active Directory forest and
>seeing the problem which is described below:
>
>On the surface, here's the error we're getting in /var/adm/messages:
> 
>Apr 11 01:41:03 umms-nas1 smbd[334]: [ID 333139 daemon.error] ads_add_computer: Insufficient access 
>Apr 11 01:41:03 umms-nas1 smbd[334]: [ID 871254 daemon.error] smbd: failed joining adsroot.itcs.umich.edu (UNSUCCESSFUL)
>
>process traces revealed that, when the AD join procedure occurs, smbd
>asks the UMROOT domain to create the following object:
>
>"cn=UMMS-NAS1,cn=Computers,dc=adsroot,dc=itcs,dc=umich,dc=edu"
>
>To which the domain replies:
>
>"SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS)" 
>
>Samba wants to create the object inside of
>"cn=Computers,dc=adsroot,dc=itcs,dc=umich,dc=edu", the root-level
>"Computers" container, which it absolutely isn't allowed to do. It is
>completely unaware of the UMMS container and doesn't try to use it, so
>the domain refuses to take action. After that, the join process
>immediately stops and reports the "Insufficient access" error in the
>log.
>
>In other words, OpenSolaris smbd only knows how to look for it in one
>place: the root-level Computers container (cn=Computers). If it doesn't
>find "cn=UMMS-NAS1" there, it tries to create it inside "cn=Computers".
>
Yes, it does only an LDAP_SCOPE_BASE search at the Computers container, 
which is the default container for computer objects. I guess it can be 
enhanced to search the entire Active Directory if the above search fails.

>So, basically, it only seems to know how to join at the root level of an
>Active Directory domain.
>
I believe the Solaris CIFS server behaves exactly like Windows in this 
regard.  I don't recall that you can configure where to store the computer 
objects on a Windows system.  Please correct me if I'm wrong.

> At least, that's what the trace behavior
>indicates.
>
>I'm hoping that you might be familiar with the issue or similar and may
>point us in the right direction which will help us to workaround the
>issue, at least temporarily?
>
The Solaris CIFS server project is open source.  We welcome the community to 
contribute to the work.

> For instance, I could include fix into
>NexentaOS if it is already available somewhere.
>
No, not yet for the search problem.
Allowing the AD computer object location to be configured on the Solaris 
CIFS server seems to deviate from Windows.

> Also, if you know the
>bug number for this issue (if it is a known issue),
>
I could certainly open a CR for the search issue.

Regards,

Natalie

> it would help me to
>keep track of the problem too.
>
>Thank you in advance.
>
>
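As an added example (not code from this thread or from the Solaris CIFS server), the following constructed in-memory model puts the join-time lookup Natalie describes (a base-scope search under cn=Computers) next to the subtree fallback she suggests, so the two outcomes can be compared for a computer account pre-created in a delegated OU. The directory contents, the OU name UMMS and the machine account name UMMS-NAS1$ are assumptions.

```python
# Example code added here, not from the thread or the Solaris CIFS server.
DOMAIN_DN = "dc=adsroot,dc=itcs,dc=umich,dc=edu"
DEFAULT_COMPUTERS = "cn=Computers," + DOMAIN_DN

# Constructed directory: the pre-created account lives in a delegated OU
# (assumed name UMMS), not in the default Computers container.
DIRECTORY = {
    DOMAIN_DN: {"objectClass": "domainDNS"},
    DEFAULT_COMPUTERS: {"objectClass": "container"},
    "ou=UMMS," + DOMAIN_DN: {"objectClass": "organizationalUnit"},
    "cn=UMMS-NAS1,ou=UMMS," + DOMAIN_DN: {"objectClass": "computer",
                                          "sAMAccountName": "UMMS-NAS1$"},
}

def _rdns(dn):
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(dn, base, scope):
    """LDAP scope semantics: base = the base entry only, one = direct
    children of base, sub = base plus every descendant."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(base, scope, attr=None, value=None):
    """Return the DNs under base (per scope), optionally filtered on attr=value."""
    return [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and (attr is None or entry.get(attr, "").lower() == value.lower())]

def locate_computer(host):
    """Step 1 is what the thread says smbd does today: a base-scope search
    for cn=<host> under the default Computers container.  Step 2 is the
    suggested enhancement: a subtree search of the whole domain on the
    machine account name (sAMAccountName = HOST$)."""
    hits = search(f"cn={host},{DEFAULT_COMPUTERS}", "base")
    if hits:
        return hits[0], "default-container"
    hits = search(DOMAIN_DN, "sub", "sAMAccountName", f"{host}$")
    if hits:
        return hits[0], "subtree"
    return None, "not-found"

if __name__ == "__main__":
    print(locate_computer("UMMS-NAS1"))
    # With step 1 alone the account is reported missing, which is what leads
    # smbd to attempt an add under cn=Computers and hit INSUFF_ACCESS_RIGHTS.
```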