[Samba] Unable to join Windows 2k AD NT_STATUS_ACCESS_DENIED

Aden, Steve saden at itscommunications.com
Tue Jun 22 18:51:22 GMT 2004 

If you have kinit'd a ticket for your w2k Administrator account you
should just use "net ads join". If your kerberos and smb.conf are
correctly configured, you should be able to join the domain. "net rpc
join" uses NTLMSSP which can be seen in your log (fails because you
didn't give a password).

Steve


Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Opinions, conclusions and other information contained in this message that do not relate to official business shall be understood as neither given nor endorsed by ITS

-----Original Message-----
From: Daniel Ramaley [mailto:daniel.ramaley at DRAKE.EDU] 
Sent: Tuesday, June 22, 2004 9:21 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to join Windows 2k AD
NT_STATUS_ACCESS_DENIED


What was the output of the "net ads join" command?

On Monday 21 June 2004 11:47 pm, Elliot Mackenzie wrote:
>I am having horrendous issues with trying to get Samba 3.0.4 to join
> to a Windows 2000 AD (patched to current).  As this one is hurting a
> bit and needs to be fixed soon, I was hoping I may find salvation in
> this list from someone here who may be able to shed some useful light
> on this issue.  I am using the latest gentoo mit-krb5 build.
>
>
>
>Net join always results in NT_STATUS_ACCESS_DENIED - this is bizarre
> as I am using the same administrative account I use to join Windows
> workstations to the domain.  Klist shows me a Kerberos ticket that
> appears to be valid.  I have wiped Kerberos tickets with kdestroy
> then recreated one with kinit as that administrative account.  Net
> join and still no gold.
>
>
>
>Unfortunately the Windows logs are not particularly verbose and I
>haven't been able to gain any further information.
>
>
>
>Google is full of these sorts of errors, but they are not usually
>accompanied by any solutions - most of which seem to be password
> issues.
>
>
>
>Any ideas?
>
>
>
>Cheers,
>
>Elliot.
>
>
>
>
>
>mail log # net rpc join -S IOR-SRV-Z6 -d3 -U Administrator
>
>[2004/06/22 13:18:34, 3] param/loadparm.c:lp_load(3877)
>
>  lp_load: refreshing parameters
>
>[2004/06/22 13:18:34, 3] param/loadparm.c:init_globals(1307)
>
>  Initialising global parameters
>
>[2004/06/22 13:18:34, 3] param/params.c:pm_process(566)
>
>  params.c:pm_process() - Processing configuration file
>"/etc/samba/smb.conf"
>
>[2004/06/22 13:18:34, 3] param/loadparm.c:do_section(3375)
>
>  Processing section "[global]"
>
>[2004/06/22 13:18:34, 2] lib/interface.c:add_interface(79)
>
>  added interface ip=203.x.x.x bcast=203.x.x.255 nmask=255.255.255.0
>
>[2004/06/22 13:18:34, 2] lib/interface.c:add_interface(79)
>
>  added interface ip=192.x.x.x bcast=192.x.x.255 nmask=255.255.255.0
>
>[2004/06/22 13:18:34, 3]
> libsmb/cliconnect.c:cli_start_connection(1373)
>
>  Connecting to host=IOR-SRV-Z6
>
>[2004/06/22 13:18:34, 3] lib/util_sock.c:open_socket_out(735)
>
>  Connecting to 203.x.x.x at port 445
>
>[2004/06/22 13:18:34, 1] libsmb/cliconnect.c:cli_full_connection(1473)
>
>  failed tcon_X with NT_STATUS_ACCESS_DENIED
>
>[2004/06/22 13:18:34, 1] utils/net.c:connect_to_ipc_anonymous(191)
>
>  Cannot connect to server (anonymously).  Error was
>NT_STATUS_ACCESS_DENIED
>
>Password:
>
>[2004/06/22 13:18:39, 3]
> libsmb/cliconnect.c:cli_start_connection(1373)
>
>  Connecting to host=IOR-SRV-Z6
>
>[2004/06/22 13:18:39, 3] lib/util_sock.c:open_socket_out(735)
>
>  Connecting to 203.x.x.x at port 445
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(705)
>
>  Doing spnego session setup (blob length=119)
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(730)
>
>  got OID=1 2 840 48018 1 2 2
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(730)
>
>  got OID=1 2 840 113554 1 2 2
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(730)
>
>  got OID=1 2 840 113554 1 2 2 3
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(730)
>
>  got OID=1 3 6 1 4 1 311 2 2 10
>
>[2004/06/22 13:18:39, 3]
>libsmb/cliconnect.c:cli_session_setup_spnego(737)
>
>  got principal=ior-srv-z6$@BRISBANE.COMPANY.COM.AU
>
>[2004/06/22 13:18:39, 3]
> libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
>
>  Got challenge flags:
>
>[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>
>  Got NTLMSSP neg_flags=0x62890215
>
>[2004/06/22 13:18:39, 3]
> libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
>
>  NTLMSSP: Set final flags:
>
>[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>
>  Got NTLMSSP neg_flags=0x60080215
>
>[2004/06/22 13:18:39, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>
>  NTLMSSP Sign/Seal - Initialising with flags:
>
>[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>
>  Got NTLMSSP neg_flags=0x60080215
>
>[2004/06/22 13:18:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
>
>  lsa_io_sec_qos: length c does not match size 8
>
>[2004/06/22 13:18:39, 3]
> libsmb/cliconnect.c:cli_start_connection(1373)
>
>  Connecting to host=IOR-SRV-Z6
>
>[2004/06/22 13:18:39, 3] lib/util_sock.c:open_socket_out(735)
>
>  Connecting to 203.x.x.x at port 445
>
>[2004/06/22 13:18:39, 1] libsmb/cliconnect.c:cli_full_connection(1473)
>
>  failed tcon_X with NT_STATUS_ACCESS_DENIED
>
>[2004/06/22 13:18:39, 1] utils/net.c:connect_to_ipc_anonymous(191)
>
>  Cannot connect to server (anonymously).  Error was
>NT_STATUS_ACCESS_DENIED
>
>Unable to join domain BRISBANE.
>
>[2004/06/22 13:18:39, 2] utils/net.c:main(792)
>
>  return code = 1

-- 
------------------------------------------------------------------------
Dan Ramaley
Digital Media Library Specialist
(515) 271-1934
Cowles Library 140, Drake University

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


_____________________________________________________
This message was content-scanned by IXC Shield 
Powered by GatewayDefender - BH0afd93a4.00000001.mml

More information about the samba mailing list