NT ADS Join from Samba 3.6.6+ to Windows Server 2008 ADS fails with ACCESS_DENIED?

Richard Sharpe realrichardsharpe at gmail.com
Mon Feb 11 13:15:28 MST 2013

On Mon, Feb 11, 2013 at 11:02 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Mon, Feb 11, 2013 at 10:49:41AM -0800, Richard Sharpe wrote:
>> Hi folks,
>>
>> We are seeing a Samba 3.6.6+ installation when trying to join a Server
>> 2008 ADS domain fail with ACCESS DENIED.
>>
>> We use 'net ads join' and see the following during the join process:
>>
>> SPNEGO login failed: Access denied
>> failed session setup with NT_STATUS_ACCESS_DENIED
>>
>> The command seems to only be prepared to use NTLMSSP rather than KRB5.
>>
>> Is there some policy setting in ADS that enforces KRB5 authentication?
>> Can they require that the older RPCs not be used?
>
> kinit and the -k switch to net ads join does not help?

I am not sure at the moment. The customer won't tell us about their
policies. That seems to work for me here, but I notice that during the
net ads join it does at least one NTLMSSP authentication, so if there
is some way to refuse NTLMSSP, then that might be our problem.

So far my searching has not turned up anything that allows you to
force KRB5 authentication.

Richard Sharpe
