NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Feb 11 12:02:40 MST 2013

On Mon, Feb 11, 2013 at 10:49:41AM -0800, Richard Sharpe wrote:
> Hi folks,
> We are seeing a Samba 3.6.6+ installation when trying to join a Server
> 2008 ADS domain fail with ACCESS DENIED.
> We use 'net ads join' and see the following during the join process:
> SPNEGO login failed: Access denied
> failed session setup with NT_STATUS_ACCESS_DENIED
> The command seems to only be prepared to use NTLMSSP rather than KRB5.
> Is there some policy setting in ADS that enforces KRB5 authentication?
> Can they require that the older RPCs not be used?

kinit and the -k switch to net ads join does not help?


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

visit us at CeBIT: March 5th - 9th 2013, hall 6, booth E15
all about SAMBA and verinice, firewalls, Linux and Windows
free tickets available via email here : cebit at sernet.com !

More information about the samba-technical mailing list