[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Cyril Feraudet
samba at feraudet.com
Tue Aug 26 04:02:34 MDT 2014
Hi all,
I get an error when I try to join the domain from CentOS 6.5. Do you have any
idea?
/etc/samba/smb.conf :
---------------------
[global]
workgroup = XXX
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
realm = XXX.YYY
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = dcserver.xxx.yyy
winbind separator = \
/etc/krb5.conf :
----------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.YYY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
XXX.YYY = {
kdc = dcserver.xxx.yyy:88
admin_server = dcserver.xxx.yyy:749
}
[domain_realm]
.xxx.yyy = XXX.YYY
xxx.yyy = XXX.YYY
/var/kerberos/krb5kdc/kdc.conf :
--------------------------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
XXX.YYY= {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Then :
------
# kinit administrateur@XXX.YYY
Password for administrateur@XXX.YYY:
# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm
'XXX.YYY',
master key name 'K/M@XXX.YYY'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
Enter administrateur@JALMA.NET's password:
Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
Access denied
# net -d 5 ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = JALMA
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter realm = JALMA.NET
doing parameter security = ads
doing parameter idmap uid = 10000-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 10000-20000
WARNING: The "idmap gid" option is deprecated
doing parameter password server = serveur-8.jalma.net
doing parameter winbind separator =
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVEUR-4"
added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.10.22 bcast=192.168.10.255
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrateur@JALMA.NET's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : 'serveur-8.jalma.net'
machine_name : 'SERVEUR-4'
domain_name : *
domain_name : 'JALMA.NET'
account_ou : NULL
admin_account : 'administrateur@JALMA.NET'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Connecting to host=serveur-8.jalma.net
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for JALMA.NET:
"Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
Connecting to 192.168.10.40 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 180
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
saf_fetch: failed to find server for "jalma.net" domain
get_dc_list: preferred server list: ", serveur-8.jalma.net"
sitename_fetch: Returning sitename for JALMA.NET:
"Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.10.40:389
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list =
kdc = 192.168.10.40
Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 16
rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received
from host serveur-8.jalma.net!
rpc_api_pipe: host serveur-8.jalma.net
cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'JALMA'
dns_domain_name : 'jalma.net'
forest_name : 'jalma.net'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-796845957-1343024091-682003330
modified_config : 0x00 (0)
error_string : 'failed to join domain
'JALMA.NET' over rpc: Access denied'
domain_is_ad : 0x01 (1)
result : WERR_ACCESS_DENIED
Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
Access denied
return code = -1