NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?
realrichardsharpe at gmail.com
Mon Apr 22 07:46:47 MDT 2013
On Mon, Apr 22, 2013 at 12:40 AM, Andrej Pintar <api984 at gmail.com> wrote:
> Richard Sharpe <realrichardsharpe <at> gmail.com> writes:
>> Hi folks,
>> We are seeing a Samba 3.6.6+ installation when trying to join a Server
>> 2008 ADS domain fail with ACCESS DENIED.
>> We use 'net ads join' and see the following during the join process:
>> SPNEGO login failed: Access denied
>> failed session setup with NT_STATUS_ACCESS_DENIED
>> The command seems to only be prepared to use NTLMSSP rather than KRB5.
>> Is there some policy setting in ADS that enforces KRB5 authentication?
>> Can they require that the older RPCs not be used?
> Took me 3 weeks to find what it was.
> You need to change 2 reg keys in NETLOGON service to make those ACCESS DENY
> go away. You can also test with rpcclient a samlogon function to see if it
> works ok.
This is awesome. Thank you very much. Now we can test and see why it
fails when it succeeds for Windows.
> I was using ADS security. This fixed all Samba versions: 3.0.33, 3.6.6 and
> 4.0.0. Just to say none of them worked when I tested.
> Netlogon service:
> "requirestrongkey"=dword:00000000 <- this
> "sealsecurechannel"=dword:00000001 <- this
> "signsecurechannel"=dword:00000001 <- this (this was missing I think
> when I changed it)
> "SysvolReady"=dword:00000001 <- added also
> This should make it work.
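
Added example, not part of the original thread and not Samba or Microsoft code: a small Python check that parses the Netlogon values as posted above and reports which ones differ from a baseline. The baseline (all three secure channel values set to 1, as commonly recommended for the "Domain member" secure channel options) and the function names are assumptions of this example.

```python
import re

# Assumed baseline for this example: all three secure channel options enabled.
BASELINE = {"requirestrongkey": 1, "sealsecurechannel": 1, "signsecurechannel": 1}

# One .reg-style line: "name"=dword:XXXXXXXX, trailing notes are ignored.
DWORD_LINE = re.compile(r'^\s*"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})\b')


def parse_reg_dwords(text):
    """Return {lowercased value name: int} for every dword line in text."""
    values = {}
    for line in text.splitlines():
        line = line.lstrip("> ")  # drop mail quoting markers, if any
        match = DWORD_LINE.match(line)
        if match:
            # Registry value names are case-insensitive, so normalise them.
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit(values, baseline=BASELINE):
    """Return (name, found, expected) for each deviation; found is None if absent."""
    findings = []
    for name, expected in sorted(baseline.items()):
        found = values.get(name)
        if found != expected:
            findings.append((name, found, expected))
    return findings


# The values as posted in the message above, quoting markers included.
POSTED = '''\
> "requirestrongkey"=dword:00000000 <- this
> "sealsecurechannel"=dword:00000001 <- this
> "signsecurechannel"=dword:00000001 <- this
> "SysvolReady"=dword:00000001 <- added also
'''

if __name__ == "__main__":
    for name, found, expected in audit(parse_reg_dwords(POSTED)):
        print(f"{name}: found {found}, baseline {expected}")
```

Against the posted values this reports only `requirestrongkey`, which is worth recording as a deliberate interoperability exception if the change is kept.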