[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 26 04:30:28 MDT 2014


On 26/08/14 11:02, Cyril Feraudet wrote:
> Hi all,
>
> I get an error when I try to join the domain from CentOS 6.5. Do you have 
> any idea?
>
>
> /etc/samba/smb.conf :
> ---------------------
> [global]
>         workgroup = XXX
>         server string = Samba Server Version %v
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         realm = XXX.YYY
>         security = ads
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         password server = dcserver.xxx.yyy
>         winbind separator = \
>
>

What version of Samba are you using?

> /etc/krb5.conf :
> ----------------
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = XXX.YYY
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  XXX.YYY = {
>   kdc = dcserver.xxx.yyy:88
>   admin_server = dcserver.xxx.yyy:749
>  }
>
> [domain_realm]
>  .xxx.yyy = XXX.YYY
>  xxx.yyy = XXX.YYY
>
> /var/kerberos/krb5kdc/kdc.conf :
> --------------------------------
> [kdcdefaults]
>  kdc_ports = 88
>  kdc_tcp_ports = 88
>
> [realms]
>  XXX.YYY= {
>   #master_key_type = aes256-cts
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   supported_enctypes = aes256-cts:normal aes128-cts:normal 
> des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal 
> des-cbc-md5:normal des-cbc-crc:normal
>  }
>

This is the krb5.conf from my laptop:

[libdefaults]
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

> Then :
> ------
>
> # kinit administrateur at XXX.YYY
> Password for administrateur at XXX.YYY:
>
> # kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm 
> 'XXX.YYY',
> master key name 'K/M at XXX.YYY'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
>
>

I have never had to do the above; what do you think it does, and why do you 
do it?

> # net ads join -U "administrateur at JALMA.NET" -S serveur-8.jalma.net
> Enter administrateur at JALMA.NET's password:
> Failed to join domain: failed to join domain 'JALMA.NET' over rpc: 
> Access denied
>

I normally just do 'net ads join -U Administrator at EXAMPLE.COM'

and get:

Using short domain name -- EXAMPLE
Joined 'CLIENT' to realm 'example.com'

I wonder if yours is failing because you are doing the step that I (and 
most people) never do.

Rowland

> # net -d 5 ads join -U "administrateur at JALMA.NET" -S serveur-8.jalma.net
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
> params.c:pm_process() - Processing configuration file 
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = JALMA
> doing parameter server string = Samba Server Version %v
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 50
> doing parameter realm = JALMA.NET
> doing parameter security = ads
> doing parameter idmap uid = 10000-20000
> WARNING: The "idmap uid" option is deprecated
> doing parameter idmap gid = 10000-20000
> WARNING: The "idmap gid" option is deprecated
> doing parameter password server = serveur-8.jalma.net
> doing parameter winbind separator =
> pm_process() returned Yes
> Substituting charset 'UTF-8' for LOCALE
> Netbios name list:-
> my_netbios_names[0]="SERVEUR-4"
> added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0 
> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.10.22 bcast=192.168.10.255 
> netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Enter administrateur at JALMA.NET's password:
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : 'serveur-8.jalma.net'
>             machine_name             : 'SERVEUR-4'
>             domain_name              : *
>                 domain_name              : 'JALMA.NET'
>             account_ou               : NULL
>             admin_account            : 'administrateur at JALMA.NET'
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
> Connecting to host=serveur-8.jalma.net
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for JALMA.NET: 
> "Premier-Site-par-defaut"
> name serveur-8.jalma.net#20 found.
> Connecting to 192.168.10.40 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 19800
>         SO_RCVBUF = 87380
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
> Substituting charset 'UTF-8' for LOCALE
> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 180
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> saf_fetch: failed to find server for "jalma.net" domain
> get_dc_list: preferred server list: ", serveur-8.jalma.net"
> sitename_fetch: Returning sitename for JALMA.NET: 
> "Premier-Site-par-defaut"
> name serveur-8.jalma.net#20 found.
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.10.40:389
> create_local_private_krb5_conf_for_domain: wrote file 
> /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list 
> =     kdc = 192.168.10.40
>
> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 16
> rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received 
> from host serveur-8.jalma.net!
> rpc_api_pipe: host serveur-8.jalma.net
> cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'JALMA'
>             dns_domain_name          : 'jalma.net'
>             forest_name              : 'jalma.net'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : 
> S-1-5-21-796845957-1343024091-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to join domain 
> 'JALMA.NET' over rpc: Access denied'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_ACCESS_DENIED
> Failed to join domain: failed to join domain 'JALMA.NET' over rpc: 
> Access denied
> return code = -1
>
>
>



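Two things in the -d 5 output above can be checked on the client before going anywhere near the DC: `idmap uid` and `idmap gid` both draw deprecation warnings, and `winbind separator` is loaded with an empty value (`doing parameter winbind separator =`) because, per smb.conf(5), a line ending in a backslash is continued onto the next line, so the `\` that was meant to be the separator is consumed as a continuation marker. The preflight script below is an added example, not code from this thread or from the Samba project: it rebuilds logical lines the way Samba's parser does and reports those two problems, plus a missing `realm` under `security = ads`. The `[global]` section from the post is reproduced inline as a constructed sample so the script runs offline; the function names and the temp-file handling are assumptions of this example. It says nothing about the WERR_ACCESS_DENIED fault, which the DC decides and which the client-side config cannot explain.

```shell
#!/bin/sh
# Preflight lint for a Samba member server's smb.conf before 'net ads join'.
# Added example; not from the mailing-list thread or the Samba project.

# Shared awk program. A trailing backslash continues a line (smb.conf(5)),
# so logical lines are rebuilt first. With want=<param> it prints the value
# Samba would load for that parameter; otherwise it prints lint findings.
SMBCONF_AWK='
function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
function handle(line, joined,    n, key, val) {
    line = trim(line)
    if (line == "" || line ~ /^[#;]/ || line ~ /^\[/) return
    n = index(line, "=")
    if (n == 0) return
    key = tolower(trim(substr(line, 1, n - 1)))
    val = trim(substr(line, n + 1))
    if (want != "") { if (key == tolower(want)) print val; return }
    if (key == "idmap uid" || key == "idmap gid")
        printf "deprecated: \"%s = %s\"; use \"idmap config * : range = %s\" with an idmap backend\n", key, val, val
    if (joined)
        printf "continuation: \"%s\" ended in a backslash, so Samba joined it with the next line; effective value is \"%s\"\n", key, val
    if (key == "security") security = val
    if (key == "realm") realm = val
}
{
    line = $0
    joined = 0
    if (pending) { line = buf line; buf = ""; pending = 0; joined = 1 }
    sub(/[ \t]+$/, "", line)
    if (line ~ /\\$/) { buf = substr(line, 1, length(line) - 1); pending = 1; next }
    handle(line, joined)
}
END {
    if (pending) handle(buf, 1)
    if (want == "" && tolower(security) == "ads" && realm == "")
        print "missing: security = ads requires realm = <AD DNS domain>"
}
'

# smbconf_lint FILE: one finding per line, nothing printed when clean.
smbconf_lint() { awk "$SMBCONF_AWK" "$1"; }

# smbconf_value FILE PARAM: the value Samba would load for PARAM.
smbconf_value() { awk -v want="$2" "$SMBCONF_AWK" "$1"; }

# Constructed sample: the [global] section from the post, including the
# trailing backslash on the last line that the parser treats as continuation.
SAMPLE_SMBCONF="$(mktemp)"
trap 'rm -f "$SAMPLE_SMBCONF"' EXIT
cat > "$SAMPLE_SMBCONF" <<'EOF'
[global]
        workgroup = XXX
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        realm = XXX.YYY
        security = ads
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        password server = dcserver.xxx.yyy
        winbind separator = \

EOF

echo "findings:"
smbconf_lint "$SAMPLE_SMBCONF"
echo "effective winbind separator: [$(smbconf_value "$SAMPLE_SMBCONF" "winbind separator")]"
```

On a real box Samba's own `testparm -s` prints the effective values (and the same parameter warnings), so it is the quicker check; the script only adds the explanation of why the separator vanished. After a join succeeds, `net ads testjoin` confirms the machine account is usable.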