NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?
api984 at gmail.com
Mon Apr 22 01:40:05 MDT 2013
Richard Sharpe <realrichardsharpe <at> gmail.com> writes:
> Hi folks,
> We are seeing a Samba 3.6.6+ installation when trying to join a Server
> 2008 ADS domain fail with ACCESS DENIED.
> We use 'net ads join' and see the following during the join process:
> SPNEGO login failed: Access denied
> failed session setup with NT_STATUS_ACCESS_DENIED
> The command seems to only be prepared to use NTLMSSP rather than KRB5.
> Is there some policy setting in ADS that enforces KRB5 authentication?
> Can they require that the older RPCs not be used?
Took me 3 weeks to find what it was.
You need to change 2 reg keys in NETLOGON service to make those ACCESS DENY
go away. You can also test with rpcclient a samlogon function to see if it
I was using ADS security. This fixed all Samba versions: 3.0.33, 3.6.6 and
4.0.0. Just to say, none of them worked when I tested.
"requirestrongkey"=dword:00000000 <- this
"sealsecurechannel"=dword:00000001 <- this
"signsecurechannel"=dword:00000001 <- this (this was missing, I think,
when I changed it)
"SysvolReady"=dword:00000001 <- added also
This should make it work.