NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?
Andrej Pintar
api984 at gmail.com
Mon Apr 22 01:40:05 MDT 2013
Richard Sharpe <realrichardsharpe <at> gmail.com> writes:
>
> Hi folks,
>
> We are seeing a Samba 3.6.6+ installation when trying to join a Server
> 2008 ADS domain fail with ACCESS DENIED.
>
> We use 'net ads join' and see the following during the join process:
>
> SPNEGO login failed: Access denied
> failed session setup with NT_STATUS_ACCESS_DENIED
>
> The command seems to only be prepared to use NTLMSSP rather than KRB5.
>
> Is there some policy setting in ADS that enforces KRB5 authentication?
> Can they require that the older RPCs not be used?
>
It took me 3 weeks to find what it was.
You need to change 2 reg keys in the NETLOGON service to make those ACCESS DENIED
errors go away. You can also test the samlogon function with rpcclient to see if it
works OK.
I was using ADS security. This fixed all Samba versions: 3.0.33, 3.6.6 and
4.0.0. Just to say, none of them worked when I tested.
Netlogon service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"maximumpasswordage"=dword:0000001e
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000 <- this
"sealsecurechannel"=dword:00000001 <- this
"signsecurechannel"=dword:00000001 <- this (this was missing, I think,
when I changed it)
"Update"="no"
"SysvolReady"=dword:00000001 <- added also
"SysVol"="C:\\WINDOWS\\SYSVOL\\sysvol"
This should make it work.
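
Added example, not part of the original post or of Samba: a small audit that parses a .reg export of the Netlogon Parameters key and reports which secure-channel values differ from a baseline. The sample export is constructed from the values listed in the post; the function names and the baseline (all four signing/sealing/strong-key settings set to 1) are assumptions chosen for illustration.

```python
import re

# Constructed sample: a .reg export carrying the values listed in the post
# (the post's "<- this" annotations are left out).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"maximumpasswordage"=dword:0000001e
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"
"SysvolReady"=dword:00000001
"SysVol"="C:\\WINDOWS\\SYSVOL\\sysvol"
'''

NETLOGON_KEY = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"

# Assumption: the baseline expects every secure-channel protection enabled.
BASELINE = {"requiresignorseal": 1, "requirestrongkey": 1,
            "sealsecurechannel": 1, "signsecurechannel": 1}

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int or str}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                # dword values are hex; string values escape backslashes as "\\"
                current[name.lower()] = (int(dword, 16) if dword is not None
                                         else string.replace("\\\\", "\\"))
    return keys

def audit_netlogon(text):
    """List (name, found, expected) for values that differ from BASELINE."""
    params = parse_reg(text).get(NETLOGON_KEY, {})
    return [(n, params.get(n), want) for n, want in BASELINE.items()
            if params.get(n) != want]

if __name__ == "__main__":
    for name, found, want in audit_netlogon(SAMPLE_REG):
        print(f"{name}: found {found!r}, baseline {want}")
```

A value that is absent from the export is reported with `None` as the found value, so a missing setting shows up alongside a changed one.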