[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Cyril Feraudet
samba at feraudet.com
Tue Aug 26 06:08:51 MDT 2014
On 2014-08-26 12:30, Rowland Penny wrote:
> On 26/08/14 11:02, Cyril Feraudet wrote:
>> Hi all,
>>
>> I get an error when I try to join the domain from CentOS 6.5. Have you an
>> idea?
>>
>>
>> /etc/samba/smb.conf :
>> ---------------------
>> [global]
>> workgroup = XXX
>> server string = Samba Server Version %v
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> realm = XXX.YYY
>> security = ads
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> password server = dcserver.xxx.yyy
>> winbind separator = \
>>
>>
>
> What version of samba are you using?
# smbd -V
Version 3.6.9-169.el6_5
>
>> /etc/krb5.conf :
>> ----------------
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = XXX.YYY
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>>
>> [realms]
>> XXX.YYY = {
>> kdc = dcserver.xxx.yyy:88
>> admin_server = dcserver.xxx.yyy:749
>> }
>>
>> [domain_realm]
>> .xxx.yyy = XXX.YYY
>> xxx.yyy = XXX.YYY
>>
>> /var/kerberos/krb5kdc/kdc.conf :
>> --------------------------------
>> [kdcdefaults]
>> kdc_ports = 88
>> kdc_tcp_ports = 88
>>
>> [realms]
>> XXX.YYY= {
>> #master_key_type = aes256-cts
>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>> dict_file = /usr/share/dict/words
>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> supported_enctypes = aes256-cts:normal aes128-cts:normal
>> des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
>> des-cbc-md5:normal des-cbc-crc:normal
>> }
>>
>
> This krb5.conf from my laptop:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
>> Then :
>> ------
>>
>> # kinit administrateur@XXX.YYY
>> Password for administrateur@XXX.YYY:
>>
>> # kdb5_util create -s
>> Loading random data
>> Initializing database '/var/kerberos/krb5kdc/principal' for realm
>> 'XXX.YYY',
>> master key name 'K/M@XXX.YYY'
>> You will be prompted for the database Master Password.
>> It is important that you NOT FORGET this password.
>> Enter KDC database master key:
>> Re-enter KDC database master key to verify:
>>
>>
>
> I have never had to do the above, what do you think it does and why do you
> do it?
I just followed this howto:
http://searchadmin.org/Thread-step-by-step-configure-squid-proxy-with-active-directory-authentication-on-centos/
>
>> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
>> Enter administrateur@JALMA.NET's password:
>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>> Access denied
>>
>
> I normally just do 'net ads join -U Administrator@EXAMPLE.COM'
>
> and get:
>
> Using short domain name -- EXAMPLE
> Joined 'CLIENT' to realm 'example.com'
>
> I wonder if yours is failing because you are doing the step that I
> (and most people) never do.
>
> Rowland
>
>> # net -d 5 ads join -U "administrateur@JALMA.NET" -S
>> serveur-8.jalma.net
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384)
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = JALMA
>> doing parameter server string = Samba Server Version %v
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 50
>> doing parameter realm = JALMA.NET
>> doing parameter security = ads
>> doing parameter idmap uid = 10000-20000
>> WARNING: The "idmap uid" option is deprecated
>> doing parameter idmap gid = 10000-20000
>> WARNING: The "idmap gid" option is deprecated
>> doing parameter password server = serveur-8.jalma.net
>> doing parameter winbind separator =
>> pm_process() returned Yes
>> Substituting charset 'UTF-8' for LOCALE
>> Netbios name list:-
>> my_netbios_names[0]="SERVEUR-4"
>> added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0
>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>> added interface eth0 ip=192.168.10.22 bcast=192.168.10.255
>> netmask=255.255.255.0
>> Registered MSG_REQ_POOL_USAGE
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Enter administrateur@JALMA.NET's password:
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : 'serveur-8.jalma.net'
>> machine_name : 'SERVEUR-4'
>> domain_name : *
>> domain_name : 'JALMA.NET'
>> account_ou : NULL
>> admin_account : 'administrateur@JALMA.NET'
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> Connecting to host=serveur-8.jalma.net
>> Opening cache file at /var/lib/samba/gencache.tdb
>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for JALMA.NET:
>> "Premier-Site-par-defaut"
>> name serveur-8.jalma.net#20 found.
>> Connecting to 192.168.10.40 at port 445
>> Socket options:
>> SO_KEEPALIVE = 0
>> SO_REUSEADDR = 0
>> SO_BROADCAST = 0
>> TCP_NODELAY = 1
>> TCP_KEEPCNT = 9
>> TCP_KEEPIDLE = 7200
>> TCP_KEEPINTVL = 75
>> IPTOS_LOWDELAY = 0
>> IPTOS_THROUGHPUT = 0
>> SO_REUSEPORT = 0
>> SO_SNDBUF = 19800
>> SO_RCVBUF = 87380
>> SO_SNDLOWAT = 1
>> SO_RCVLOWAT = 1
>> SO_SNDTIMEO = 0
>> SO_RCVTIMEO = 0
>> TCP_QUICKACK = 1
>> Substituting charset 'UTF-8' for LOCALE
>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 180
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 32
>> saf_fetch: failed to find server for "jalma.net" domain
>> get_dc_list: preferred server list: ", serveur-8.jalma.net"
>> sitename_fetch: Returning sitename for JALMA.NET:
>> "Premier-Site-par-defaut"
>> name serveur-8.jalma.net#20 found.
>> get_dc_list: returning 1 ip addresses in an ordered list
>> get_dc_list: 192.168.10.40:389
>> create_local_private_krb5_conf_for_domain: wrote file
>> /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list
>> = kdc = 192.168.10.40
>>
>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host serveur-8.jalma.net
>> rpc_read_send: data_to_read: 16
>> rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received
>> from host serveur-8.jalma.net!
>> rpc_api_pipe: host serveur-8.jalma.net
>> cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : 'JALMA'
>> dns_domain_name : 'jalma.net'
>> forest_name : 'jalma.net'
>> dn : NULL
>> domain_sid : *
>> domain_sid :
>> S-1-5-21-796845957-1343024091-682003330
>> modified_config : 0x00 (0)
>> error_string : 'failed to join domain
>> 'JALMA.NET' over rpc: Access denied'
>> domain_is_ad : 0x01 (1)
>> result : WERR_ACCESS_DENIED
>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>> Access denied
>> return code = -1
>>
>>
>>
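Added example, not part of the thread or of Samba itself: a small Python triage helper for the kind of 'net -d 5 ads join' transcript quoted above. It decodes the join_flags bitmap with the WKSSVC_JOIN_FLAGS_* bit values from Samba's wkssvc.idl (the same values as the MS-WKST join options), pulls out the DC, the account used, the RPC fault and the deprecation warnings, and turns them into short findings; the sample log is a constructed excerpt of the transcript in the mail.

```python
import re

# Bit values of the wkssvc_joinflags bitmap from Samba's wkssvc.idl (the same
# values as the MS-WKST NetrJoinDomain2 options); names as in the debug output.
JOIN_FLAGS = {
    0x10000000: "IGNORE_UNSUPPORTED_FLAGS", 0x400: "JOIN_WITH_NEW_NAME",
    0x200: "JOIN_DC_ACCOUNT", 0x100: "DEFER_SPN", 0x80: "MACHINE_PWD_PASSED",
    0x40: "JOIN_UNSECURE", 0x20: "DOMAIN_JOIN_IF_JOINED", 0x10: "WIN9X_UPGRADE",
    0x4: "ACCOUNT_DELETE", 0x2: "ACCOUNT_CREATE", 0x1: "JOIN_TYPE",
}

# Constructed excerpt of the 'net -d 5 ads join' transcript quoted in the thread.
SAMPLE_LOG = """\
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
   in: struct libnet_JoinCtx
       dc_name          : 'serveur-8.jalma.net'
       account_ou       : NULL
       admin_account    : 'administrateur@JALMA.NET'
       join_flags       : 0x00000023 (35)
rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received from host serveur-8.jalma.net!
   out: struct libnet_JoinCtx
       result           : WERR_ACCESS_DENIED
"""

def field(text, name):
    """Value of a 'name : value' line in the libnet_JoinCtx dump, or None."""
    m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), text, re.M)
    return m.group(1).strip("'") if m else None

def decode_join_flags(value):
    """Names of the WKSSVC_JOIN_FLAGS_* bits set in a join_flags value."""
    return ["WKSSVC_JOIN_FLAGS_" + n for b, n in JOIN_FLAGS.items() if value & b]

def triage_join_log(text):
    """Summarise what the join requested and how the DC answered."""
    flags = decode_join_flags(int((field(text, "join_flags") or "0x0").split()[0], 16))
    fault = re.search(r"RPC fault code (\S+) received from host ([^\s!]+)", text)
    findings = []
    if fault:
        findings.append("DC %s returned RPC fault %s; net reports it as 'Access denied'"
                        % (fault.group(2), fault.group(1)))
    if "WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE" in flags and field(text, "account_ou") in (None, "NULL"):
        findings.append("computer account creation requested with no OU given: the "
                        "joining account needs the right to create computer objects on the DC")
    findings += sorted(set(re.findall(r"^WARNING: .*$", text, re.M)))
    return {"dc": field(text, "dc_name"), "admin": field(text, "admin_account"),
            "flags": flags, "result": field(text, "result"), "findings": findings}
```

Running triage_join_log(SAMPLE_LOG) on the excerpt shows the join asked for JOIN_TYPE, ACCOUNT_CREATE and DOMAIN_JOIN_IF_JOINED and was refused by the DC with WERR_ACCESS_DENIED, which is the point to start from rather than the local KDC.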