Today I had to deal with this issue while joining a Windows 7 machine to my Samba PDC server:
“The join operation was not successful. This could be because an
existing computer account having the name “MACHINENAME” was previously
created using a different set of credentials. Use a different computer
name, or contact your administrator to remove any stale conflicting
account. The error was:
Access is denied.”
Well, two hours of googling finally brought me to a solution!
Let me explain …
I will assume you already have an account mapped both on the server (/etc/passwd) and in the Samba
user database; this account has to be allowed to issue the ‘adduser’ command in order to add machine
accounts to the server.
First of all you need to enable full logging for the Samba service. Fortunately it’s not necessary to
restart the service; you simply have to issue this command:
# smbcontrol smbd debug 10
Then try to join the Windows machine.
Now, looking in the log file (the right log file depends on your Samba configuration), I found the problem
affecting my Samba installation:
[2013/03/06 10:00:38, 5, pid=18705, effective(1000, 112), real(0, 0),] rpc_server/srv_samr_nt.c:3820(_samr_CreateUser2)
_samr_CreateUser2: [your admin account name] can add this account : False
Finally I realized that the “admin account”, although it can add user accounts to the system, cannot add machine accounts
to the Samba database. The solution is very simple: you have to grant “SeMachineAccountPrivilege” to the “admin account” by
issuing the following command:
# net sam rights grant [your admin account name] SeMachineAccountPrivilege
An explanation of how privileges work in Samba can be found here.
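An added example, not part of the original post: a small shell filter that pulls the _samr_CreateUser2 decisions out of a level 10 log, so the refused account stands out from the rest of the debug output. The function names and the sample log lines (accounts joinadmin and root, the unrelated entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example: extract _samr_CreateUser2 decisions from a Samba debug log.

# Constructed sample log, modelled on the entry quoted in the post.
# "joinadmin", "root" and the unrelated entry are made-up values.
sample_log() {
cat <<'EOF'
[2013/03/06 10:00:38, 5, pid=18705, effective(1000, 112), real(0, 0),] rpc_server/srv_samr_nt.c:3820(_samr_CreateUser2)
  _samr_CreateUser2: joinadmin can add this account : False
[2013/03/06 10:00:39, 3, pid=18705, effective(1000, 112), real(0, 0),] constructed/unrelated.c:1(unrelated)
  constructed unrelated debug message
[2013/03/06 10:07:12, 5, pid=18811, effective(0, 0), real(0, 0),] rpc_server/srv_samr_nt.c:3820(_samr_CreateUser2)
  _samr_CreateUser2: root can add this account : True
EOF
}

# Reads a log on stdin, prints: timestamp<TAB>euid=N<TAB>account<TAB>True|False
samr_create_decisions() {
    awk '
    # Entry header: remember the timestamp and effective uid of the request.
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
        ts = substr($0, 2, 19)
        euid = "?"
        if (match($0, /effective\([0-9]+/))
            euid = substr($0, RSTART + 10, RLENGTH - 10)
        next
    }
    # Message body: "<account> can add this account : <True|False>"
    /_samr_CreateUser2: .* can add this account : / {
        line = $0
        sub(/^.*_samr_CreateUser2: /, "", line)
        acct = line
        sub(/ can add this account : .*$/, "", acct)
        result = line
        sub(/^.* can add this account : */, "", result)
        sub(/[ \t\r]*$/, "", result)
        printf "%s\t%s\t%s\t%s\n", ts, "euid=" euid, acct, result
    }'
}

# Accounts that were refused the right to create an account (one per line).
denied_accounts() {
    samr_create_decisions | awk -F '\t' '$4 == "False" { print $3 }' | sort -u
}

# Demo on the constructed sample; on a server, redirect your own log file
# into denied_accounts instead (its path depends on your Samba configuration).
sample_log | denied_accounts
```

Once the join works, set the log level back to its usual value with smbcontrol smbd debug, since level 10 output is very verbose. Grant SeMachineAccountPrivilege only to the account actually used for joining machines.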