NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?

Mon Apr 22 08:31:30 MDT 2013

On Mon, Apr 22, 2013 at 7:17 AM, Michael DePaulo <mikedep333 at gmail.com> wrote:
>
> Actually, it sounds like your customer manually enabled 1 or more of the
> group policy settings to require digital signatures of network traffic, and
> that's why the reg keys were set. I looked through the "Group Policy
> Settings Reference" spreadsheet available on microsoft.com, and I think
> these are all the signing-related settings on server 2008 R2. It was
> probably the LDAP settings that affected you:
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Domain controller: LDAP server signing requirements
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Domain member: Digitally encrypt or sign secure channel data (always)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Domain member: Digitally sign secure channel data (when possible)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Microsoft network client: Digitally sign communications (always)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Microsoft network client: Digitally sign communications (if server agrees)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Microsoft network server: Digitally sign communications (always)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Microsoft network server: Digitally sign communications (if client agrees)
> Computer Configuration\Windows Settings\Local Policies\Security Options
> Network security: LDAP client signing requirements
>
>
> Samba's smb.conf has similar digital signature options.I looked through
> the manpage for smb.conf, I think they are:
> client ldap sasl wrapping (G)
> client signing (G)
> server signing (G)
>
> So I am fairly certain that changing "client ldap sasl wrapping" from the
> default 3.6.6 value of "plain" to "sign" would have solved your problem
> without you having to modify server-side reg keys.

Thank you for that useful piece of info. However, there was, up until
3.6.13, a bug in the join code that I fixed that caused problems with
joining a Kerberos only domain.

As a result it wasn't clear if there were further bugs or a configuration issue.

> On Mon, Apr 22, 2013 at 9:46 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>>
>> On Mon, Apr 22, 2013 at 12:40 AM, Andrej Pintar <api984 at gmail.com> wrote:
>> > Richard Sharpe <realrichardsharpe <at> gmail.com> writes:
>> >
>> >>
>> >> Hi folks,
>> >>
>> >> We are seeing a Samba 3.6.6+ installation when trying to join a Server
>> >> 2008 ADS domain fail with ACCESS DENIED.
>> >>
>> >> We use 'net ads join' and see the following during the join process:
>> >>
>> >> SPNEGO login failed: Access denied
>> >> failed session setup with NT_STATUS_ACCESS_DENIED
>> >>
>> >> The command seems to only be prepared to use NTLMSSP rather than KRB5.
>> >>
>> >> Is there some policy setting in ADS that enforces KRB5 authentication?
>> >> Can they require that the older RPCs not be used?
>> >>
>> >
>> > Took me 3 weeks to find what it was.
>> >
>> > You need to change 2 reg keys in NETLOGON service to make those ACCESS
>> > DENY
>> > go away. You can also test with rpcclient a samlogon function to see if
>> > it
>> > works ok.
>>
>> This is awesome. Thatnk you very much. Now we can test and see why it
>> fails when it succeeds for Windows.
>>
>> > I was using ADS security. This fixed all samba versions. 3.0.33 3.6.6.
>> > and
>> > 4.0.0. Just to say none of them worked when i tested.
>> >
>> > Netlogon service:
>> >
>> > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> > "DisablePasswordChange"=dword:00000000
>> > "maximumpasswordage"=dword:0000001e
>> > "requiresignorseal"=dword:00000001
>> > "requirestrongkey"=dword:00000000 <- this
>> > "sealsecurechannel"=dword:00000001 <- this
>> > "signsecurechannel"=dword:00000001 <- this (this was missing i think
>> > when i changed it)
>> > "Update"="no"
>> > "SysvolReady"=dword:00000001 <- added also
>> > "SysVol"="C:\\WINDOWS\\SYSVOL\\sysvol"
>> >
>> > This should make it work.
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Richard Sharpe
>> (何以解憂？唯有杜康。--曹操)
>
>

--
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)