[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Tue Aug 26 06:24:05 MDT 2014
On 26/08/14 13:08, Cyril Feraudet wrote:
> On 2014-08-26 12:30, Rowland Penny wrote:
>> On 26/08/14 11:02, Cyril Feraudet wrote:
>>> Hi all,
>>>
>>> I get an error when I try to join domain from CentOS 6.5. Have you
>>> any idea?
>>>
>>>
>>> /etc/samba/smb.conf :
>>> ---------------------
>>> [global]
>>> workgroup = XXX
>>> server string = Samba Server Version %v
>>> log file = /var/log/samba/log.%m
>>> max log size = 50
>>> realm = XXX.YYY
>>> security = ads
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>> password server = dcserver.xxx.yyy
>>> winbind separator = \
>>>
>>>
>>
>> What version of samba are you using?
>
> # smbd -V
> Version 3.6.9-169.el6_5
OK, you are using a fairly recent version of Samba, so you need to use
different lines in smb.conf. This is based on my WORKING laptop:
[global]
workgroup = XXX
security = ADS
realm = XXX.YYY
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 3 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config XXX : backend = ad
idmap config XXX : range = 10000-999999
idmap config XXX : schema_mode = rfc2307
This will rely on the users having uidNumbers in the range
10000-999999; if your users do not have uidNumbers, change 'idmap
config XXX : backend = ad' to 'idmap config XXX : backend = rid'.
If /etc/krb5.keytab exists, delete it. Change /etc/krb5.conf to match
the one I posted earlier, then stop all Samba daemons and join the
domain again:
net ads join -U Administrator@EXAMPLE.COM
Restart smbd, nmbd and winbind, and ensure that the passwd & group
lines in /etc/nsswitch.conf have 'winbind' added to them.
At this point 'getent passwd' should return all users, local & domain.
Rowland
>
>>
>>> /etc/krb5.conf :
>>> ----------------
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = XXX.YYY
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ticket_lifetime = 24h
>>> renew_lifetime = 7d
>>> forwardable = true
>>>
>>> [realms]
>>> XXX.YYY = {
>>> kdc = dcserver.xxx.yyy:88
>>> admin_server = dcserver.xxx.yyy:749
>>> }
>>>
>>> [domain_realm]
>>> .xxx.yyy = XXX.YYY
>>> xxx.yyy = XXX.YYY
>>>
>>> /var/kerberos/krb5kdc/kdc.conf :
>>> --------------------------------
>>> [kdcdefaults]
>>> kdc_ports = 88
>>> kdc_tcp_ports = 88
>>>
>>> [realms]
>>> XXX.YYY= {
>>> #master_key_type = aes256-cts
>>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>> dict_file = /usr/share/dict/words
>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>> supported_enctypes = aes256-cts:normal aes128-cts:normal
>>> des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
>>> des-cbc-md5:normal des-cbc-crc:normal
>>> }
>>>
>>
>> This krb5.conf from my laptop:
>>
>> [libdefaults]
>> default_realm = EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>>> Then :
>>> ------
>>>
>>> # kinit administrateur@XXX.YYY
>>> Password for administrateur@XXX.YYY:
>>>
>>> # kdb5_util create -s
>>> Loading random data
>>> Initializing database '/var/kerberos/krb5kdc/principal' for realm
>>> 'XXX.YYY',
>>> master key name 'K/M at XXX.YYY'
>>> You will be prompted for the database Master Password.
>>> It is important that you NOT FORGET this password.
>>> Enter KDC database master key:
>>> Re-enter KDC database master key to verify:
>>>
>>>
>>
>> I have never had to do the above, what do you think it does and why do
>> you do it?
> I just followed this howto:
> http://searchadmin.org/Thread-step-by-step-configure-squid-proxy-with-active-directory-authentication-on-centos/
>>
>>> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
>>> Enter administrateur@JALMA.NET's password:
>>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>>> Access denied
>>>
>>
>> I normally just do 'net ads join -U Administrator@EXAMPLE.COM'
>>
>> and get:
>>
>> Using short domain name -- EXAMPLE
>> Joined 'CLIENT' to realm 'example.com'
>>
>> I wonder if yours is failing because you are doing the step that I
>> (and most people) never do.
>>
>> Rowland
>>
>>> # net -d 5 ads join -U "administrateur@JALMA.NET" -S
>>> serveur-8.jalma.net
>>> INFO: Current debug levels:
>>> all: 5
>>> tdb: 5
>>> printdrivers: 5
>>> lanman: 5
>>> smb: 5
>>> rpc_parse: 5
>>> rpc_srv: 5
>>> rpc_cli: 5
>>> passdb: 5
>>> sam: 5
>>> auth: 5
>>> winbind: 5
>>> vfs: 5
>>> idmap: 5
>>> quota: 5
>>> acls: 5
>>> locking: 5
>>> msdfs: 5
>>> dmapi: 5
>>> registry: 5
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>> (16384)
>>> INFO: Current debug levels:
>>> all: 5
>>> tdb: 5
>>> printdrivers: 5
>>> lanman: 5
>>> smb: 5
>>> rpc_parse: 5
>>> rpc_srv: 5
>>> rpc_cli: 5
>>> passdb: 5
>>> sam: 5
>>> auth: 5
>>> winbind: 5
>>> vfs: 5
>>> idmap: 5
>>> quota: 5
>>> acls: 5
>>> locking: 5
>>> msdfs: 5
>>> dmapi: 5
>>> registry: 5
>>> params.c:pm_process() - Processing configuration file
>>> "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> doing parameter workgroup = JALMA
>>> doing parameter server string = Samba Server Version %v
>>> doing parameter log file = /var/log/samba/log.%m
>>> doing parameter max log size = 50
>>> doing parameter realm = JALMA.NET
>>> doing parameter security = ads
>>> doing parameter idmap uid = 10000-20000
>>> WARNING: The "idmap uid" option is deprecated
>>> doing parameter idmap gid = 10000-20000
>>> WARNING: The "idmap gid" option is deprecated
>>> doing parameter password server = serveur-8.jalma.net
>>> doing parameter winbind separator =
>>> pm_process() returned Yes
>>> Substituting charset 'UTF-8' for LOCALE
>>> Netbios name list:-
>>> my_netbios_names[0]="SERVEUR-4"
>>> added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0
>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>> added interface eth0 ip=192.168.10.22 bcast=192.168.10.255
>>> netmask=255.255.255.0
>>> Registered MSG_REQ_POOL_USAGE
>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>> Enter administrateur@JALMA.NET's password:
>>> libnet_Join:
>>> libnet_JoinCtx: struct libnet_JoinCtx
>>> in: struct libnet_JoinCtx
>>> dc_name : 'serveur-8.jalma.net'
>>> machine_name : 'SERVEUR-4'
>>> domain_name : *
>>> domain_name : 'JALMA.NET'
>>> account_ou : NULL
>>> admin_account : 'administrateur@JALMA.NET'
>>> machine_password : NULL
>>> join_flags : 0x00000023 (35)
>>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>> os_version : NULL
>>> os_name : NULL
>>> create_upn : 0x00 (0)
>>> upn : NULL
>>> modify_config : 0x00 (0)
>>> ads : NULL
>>> debug : 0x01 (1)
>>> use_kerberos : 0x00 (0)
>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>> Connecting to host=serveur-8.jalma.net
>>> Opening cache file at /var/lib/samba/gencache.tdb
>>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>>> sitename_fetch: Returning sitename for JALMA.NET:
>>> "Premier-Site-par-defaut"
>>> name serveur-8.jalma.net#20 found.
>>> Connecting to 192.168.10.40 at port 445
>>> Socket options:
>>> SO_KEEPALIVE = 0
>>> SO_REUSEADDR = 0
>>> SO_BROADCAST = 0
>>> TCP_NODELAY = 1
>>> TCP_KEEPCNT = 9
>>> TCP_KEEPIDLE = 7200
>>> TCP_KEEPINTVL = 75
>>> IPTOS_LOWDELAY = 0
>>> IPTOS_THROUGHPUT = 0
>>> SO_REUSEPORT = 0
>>> SO_SNDBUF = 19800
>>> SO_RCVBUF = 87380
>>> SO_SNDLOWAT = 1
>>> SO_RCVLOWAT = 1
>>> SO_SNDTIMEO = 0
>>> SO_RCVTIMEO = 0
>>> TCP_QUICKACK = 1
>>> Substituting charset 'UTF-8' for LOCALE
>>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 52
>>> check_bind_response: accepted!
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 32
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 180
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 32
>>> saf_fetch: failed to find server for "jalma.net" domain
>>> get_dc_list: preferred server list: ", serveur-8.jalma.net"
>>> sitename_fetch: Returning sitename for JALMA.NET:
>>> "Premier-Site-par-defaut"
>>> name serveur-8.jalma.net#20 found.
>>> get_dc_list: returning 1 ip addresses in an ordered list
>>> get_dc_list: 192.168.10.40:389
>>> create_local_private_krb5_conf_for_domain: wrote file
>>> /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC
>>> list = kdc = 192.168.10.40
>>>
>>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 52
>>> check_bind_response: accepted!
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 32
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 32
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> rpc_read_send: data_to_read: 16
>>> rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED
>>> received from host serveur-8.jalma.net!
>>> rpc_api_pipe: host serveur-8.jalma.net
>>> cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
>>> libnet_Join:
>>> libnet_JoinCtx: struct libnet_JoinCtx
>>> out: struct libnet_JoinCtx
>>> account_name : NULL
>>> netbios_domain_name : 'JALMA'
>>> dns_domain_name : 'jalma.net'
>>> forest_name : 'jalma.net'
>>> dn : NULL
>>> domain_sid : *
>>> domain_sid :
>>> S-1-5-21-796845957-1343024091-682003330
>>> modified_config : 0x00 (0)
>>> error_string : 'failed to join domain
>>> 'JALMA.NET' over rpc: Access denied'
>>> domain_is_ad : 0x01 (1)
>>> result : WERR_ACCESS_DENIED
>>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>>> Access denied
>>> return code = -1
>>>
>>>
>>>
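As an added example (not code from the thread or from the Samba project), here is a small Python checker that parses the [global] section of an smb.conf and the passwd/group lines of nsswitch.conf and reports the points Rowland's reply turns on: the deprecated 'idmap uid'/'idmap gid' options that the debug log warns about, a missing or overlapping 'idmap config ... : range', and nsswitch entries without winbind. The sample config embedded in it is constructed from the original poster's settings, and the walrus operator means it needs Python 3.8 or newer.

```python
import re
# Samba 3.6 warns that these are deprecated (the debug log above shows it);
# the replacement is the per-domain 'idmap config DOM : ...' syntax.
DEPRECATED = {"idmap uid": "idmap config * : range",
              "idmap gid": "idmap config * : range"}

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased with whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_member(smb_conf, nsswitch):
    """Findings for an AD member's [global] section plus nsswitch.conf."""
    g = parse_smb_conf(smb_conf).get("global", {})
    findings = [f"'{k}' is deprecated; use '{DEPRECATED[k]}'"
                for k in sorted(g) if k in DEPRECATED]
    # every 'idmap config DOM : range = low-high' as {dom: (low, high)}
    ranges = {m.group(1): tuple(int(x) for x in v.split("-"))
              for k, v in g.items()
              if (m := re.match(r"idmap config (\S+) : range$", k))}
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default (*) domain")
    spans = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(spans, spans[1:]):  # neighbours overlap?
        if r2[0] <= r1[1]:
            findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    for db in ("passwd", "group"):  # the nsswitch.conf check from the reply
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: '{db}' line lacks winbind")
    return findings

# Constructed sample modelled on the original poster's smb.conf, not the real file.
OLD_CONF = ("[global]\nworkgroup = XXX\nrealm = XXX.YYY\nsecurity = ads\n"
            "idmap uid = 10000-20000\nidmap gid = 10000-20000\n")
OLD_NSS = "passwd: files\ngroup: files\n"

if __name__ == "__main__":
    print(*lint_member(OLD_CONF, OLD_NSS), sep="\n")
```

Run against the poster's settings it reports the two deprecated options, the missing default range and both nsswitch lines; against the settings in the reply (with winbind in nsswitch.conf) it reports nothing.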