NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?

Richard Sharpe realrichardsharpe at gmail.com
Mon Apr 22 07:46:47 MDT 2013


On Mon, Apr 22, 2013 at 12:40 AM, Andrej Pintar <api984 at gmail.com> wrote:
> Richard Sharpe <realrichardsharpe <at> gmail.com> writes:
>
>>
>> Hi folks,
>>
>> We are seeing a Samba 3.6.6+ installation when trying to join a Server
>> 2008 ADS domain fail with ACCESS DENIED.
>>
>> We use 'net ads join' and see the following during the join process:
>>
>> SPNEGO login failed: Access denied
>> failed session setup with NT_STATUS_ACCESS_DENIED
>>
>> The command seems to only be prepared to use NTLMSSP rather than KRB5.
>>
>> Is there some policy setting in ADS that enforces KRB5 authentication?
>> Can they require that the older RPCs not be used?
>>
>
> Took me 3 weeks to find what it was.
>
> You need to change 2 reg keys in NETLOGON service to make those ACCESS DENY
> go away. You can also test with rpcclient a samlogon function to see if it
> works ok.

This is awesome. Thank you very much. Now we can test and see why it
fails when it succeeds for Windows.

> I was using ADS security. This fixed all samba versions: 3.0.33, 3.6.6 and
> 4.0.0. Just to say none of them worked when I tested.
>
> Netlogon service:
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "DisablePasswordChange"=dword:00000000
> "maximumpasswordage"=dword:0000001e
> "requiresignorseal"=dword:00000001
> "requirestrongkey"=dword:00000000 <- this
> "sealsecurechannel"=dword:00000001 <- this
> "signsecurechannel"=dword:00000001 <- this (this was missing I think
> when I changed it)
> "Update"="no"
> "SysvolReady"=dword:00000001 <- added also
> "SysVol"="C:\\WINDOWS\\SYSVOL\\sysvol"
>
> This should make it work.
>



-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
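
An added example, not part of either message and not Samba or Microsoft code: a small Python check that parses the Netlogon values in the form they were posted above (annotations included) and reports which secure channel settings differ from a baseline. The baseline of all four values set to 1 and the names `parse_reg` and `audit` are assumptions made for this example.

```python
import re

# Constructed sample: the Netlogon values as posted in the thread, including
# the poster's "<- this" annotations, which are not valid .reg syntax.
POSTED = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"maximumpasswordage"=dword:0000001e
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000 <- this
"sealsecurechannel"=dword:00000001 <- this
"signsecurechannel"=dword:00000001 <- this
"Update"="no"
'''

# Assumed baseline (not from the thread): all four secure channel values on.
BASELINE = {"requiresignorseal": 1, "requirestrongkey": 1,
            "sealsecurechannel": 1, "signsecurechannel": 1}

# "name"=dword:XXXXXXXX or "name"="string"; anything after the value is ignored.
LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*?)")')

def parse_reg(text):
    """Return {lowercased value name: int or str} from .reg-style text."""
    values = {}
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> \t"))  # tolerate mail quoting
        if not m:
            continue  # key header, blank line or wrapped annotation
        name, dword, string = m.groups()
        # Registry value names are case-insensitive, so normalise them.
        values[name.lower()] = int(dword, 16) if dword is not None else string
    return values

def audit(values, baseline=BASELINE):
    """Return [(name, actual, expected)] for each value that is off baseline."""
    return [(name, values.get(name), want)
            for name, want in sorted(baseline.items())
            if values.get(name) != want]

if __name__ == "__main__":
    for name, actual, want in audit(parse_reg(POSTED)):
        print(f"{name}: found {actual!r}, baseline {want!r}")
```
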


More information about the samba-technical mailing list