NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?

Andrej Pintar api984 at gmail.com
Mon Apr 22 01:40:05 MDT 2013

Richard Sharpe <realrichardsharpe <at> gmail.com> writes:

> Hi folks,
> We are seeing a Samba 3.6.6+ installation when trying to join a Server
> 2008 ADS domain fail with ACCESS DENIED.
> We use 'net ads join' and see the following during the join process:
> SPNEGO login failed: Access denied
> failed session setup with NT_STATUS_ACCESS_DENIED
> The command seems to only be prepared to use NTLMSSP rather than KRB5.
> Is there some policy setting in ADS that enforces KRB5 authentication?
> Can they require that the older RPCs not be used?

Took me 3 weeks to find what it was.

You need to change 2 reg keys in the NETLOGON service to make those ACCESS
DENIED errors go away. You can also test a samlogon function with rpcclient
to see if it works OK.

I was using ADS security. This fixed all Samba versions: 3.0.33, 3.6.6 and
4.0.0. Just to say, none of them worked when I tested.

Netlogon service:
"requirestrongkey"=dword:00000000 <- this
"sealsecurechannel"=dword:00000001 <- this
"signsecurechannel"=dword:00000001 <- this (this was missing I think when I changed it)
"SysvolReady"=dword:00000001 <- added also

This should make it work.
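
Added example, not part of the original post: a Python check that reads a `reg export` of the Netlogon service key and reports which of the four values listed above differ from what the post gives. The `Netlogon\Parameters` key path, the sample export and the function names are assumptions made for this example.

```python
import re

# Values as listed in the post (names are compared case-insensitively).
POSTED = {"requirestrongkey": 0, "sealsecurechannel": 1,
          "signsecurechannel": 1, "sysvolready": 1}
# Assumption: the post's "Netlogon service" values live under this key suffix.
KEY_SUFFIX = r"\services\netlogon\parameters"
SECTION = re.compile(r"^\[([^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def decode_reg(raw: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def netlogon_dwords(text: str) -> dict:
    """Return {lowercased name: int} for dword values in the Parameters key only."""
    values, in_key = {}, False
    for line in map(str.strip, text.splitlines()):
        section = SECTION.match(line)
        if section:
            in_key = section.group(1).lower().endswith(KEY_SUFFIX)
            continue
        dword = DWORD.match(line)
        if in_key and dword:
            values[dword.group(1).lower()] = int(dword.group(2), 16)
    return values

def differences(values: dict) -> dict:
    """Map name -> (current, posted) where they differ; current is None if absent."""
    return {name: (values.get(name), want)
            for name, want in POSTED.items() if values.get(name) != want}

# Constructed sample export, not taken from a real domain controller.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon]\r\n"
    '"Start"=dword:00000002\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters]\r\n"
    '"RequireStrongKey"=dword:00000001\r\n'
    '"SealSecureChannel"=dword:00000001\r\n'
    '"SysvolReady"=dword:00000001\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    for name, (current, posted) in differences(netlogon_dwords(decode_reg(SAMPLE))).items():
        print(f"{name}: current={current} posted={posted}")
```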
