[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Cyril Feraudet
samba at feraudet.com
Tue Aug 26 06:29:38 MDT 2014
It works! Thank you very much!
On 2014-08-26 14:24, Rowland Penny wrote:
> On 26/08/14 13:08, Cyril Feraudet wrote:
>> On 2014-08-26 12:30, Rowland Penny wrote:
>>> On 26/08/14 11:02, Cyril Feraudet wrote:
>>>> Hi all,
>>>>
>>>> I get an error when I try to join the domain from CentOS 6.5. Do you
>>>> have any idea?
>>>>
>>>>
>>>> /etc/samba/smb.conf:
>>>> --------------------
>>>> [global]
>>>> workgroup = XXX
>>>> server string = Samba Server Version %v
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 50
>>>> realm = XXX.YYY
>>>> security = ads
>>>> idmap uid = 10000-20000
>>>> idmap gid = 10000-20000
>>>> password server = dcserver.xxx.yyy
>>>> winbind separator = \
>>>>
>>>>
>>>
>>> What version of samba are you using?
>>
>> # smbd -V
>> Version 3.6.9-169.el6_5
>
> OK, you are using a fairly recent version of samba, so you need to use
> different lines in smb.conf. This is based on my WORKING laptop:
>
> [global]
> workgroup = XXX
> security = ADS
> realm = XXX.YYY
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 3 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config XXX : backend = ad
> idmap config XXX : range = 10000-999999
> idmap config XXX : schema_mode = rfc2307
>
> This will rely on the users having uidNumbers in the range
> 10000-999999; if your users do not have uidNumbers, change 'idmap
> config XXX : backend = ad' to 'idmap config XXX : backend = rid'
>
> If /etc/krb5.keytab exists, delete it. Change /etc/krb5.conf to match
> the one I posted earlier, now stop all samba daemons and then join the
> domain again:
>
> net ads join -U Administrator@EXAMPLE.COM
>
> restart smbd, nmbd and winbind
>
> ensure that the passwd & group lines in /etc/nsswitch.conf have
> 'winbind' added to them
>
> at this point 'getent passwd' should return all users, local & domain.
>
> Rowland
>>
>>>
>>>> /etc/krb5.conf:
>>>> ---------------
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = XXX.YYY
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = false
>>>> ticket_lifetime = 24h
>>>> renew_lifetime = 7d
>>>> forwardable = true
>>>>
>>>> [realms]
>>>> XXX.YYY = {
>>>> kdc = dcserver.xxx.yyy:88
>>>> admin_server = dcserver.xxx.yyy:749
>>>> }
>>>>
>>>> [domain_realm]
>>>> .xxx.yyy = XXX.YYY
>>>> xxx.yyy = XXX.YYY
>>>>
>>>> /var/kerberos/krb5kdc/kdc.conf:
>>>> -------------------------------
>>>> [kdcdefaults]
>>>> kdc_ports = 88
>>>> kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>> XXX.YYY= {
>>>> #master_key_type = aes256-cts
>>>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>> dict_file = /usr/share/dict/words
>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>> supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>>> }
>>>>
>>>
>>> This is the krb5.conf from my laptop:
>>>
>>> [libdefaults]
>>> default_realm = EXAMPLE.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>>
>>>> Then:
>>>> -----
>>>>
>>>> # kinit administrateur@XXX.YYY
>>>> Password for administrateur@XXX.YYY:
>>>>
>>>> # kdb5_util create -s
>>>> Loading random data
>>>> Initializing database '/var/kerberos/krb5kdc/principal' for realm 'XXX.YYY',
>>>> master key name 'K/M@XXX.YYY'
>>>> You will be prompted for the database Master Password.
>>>> It is important that you NOT FORGET this password.
>>>> Enter KDC database master key:
>>>> Re-enter KDC database master key to verify:
>>>>
>>>>
>>>
>>> I have never had to do the above. What do you think it does, and why do
>>> you do it?
>> I just followed this howto:
>> http://searchadmin.org/Thread-step-by-step-configure-squid-proxy-with-active-directory-authentication-on-centos/
>>>
>>>> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
>>>> Enter administrateur@JALMA.NET's password:
>>>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>>>> Access denied
>>>>
>>>
>>> I normally just do 'net ads join -U Administrator@EXAMPLE.COM'
>>>
>>> and get:
>>>
>>> Using short domain name -- EXAMPLE
>>> Joined 'CLIENT' to realm 'example.com'
>>>
>>> I wonder if yours is failing because you are doing the step that I
>>> (and most people) never do.
>>>
>>> Rowland
>>>
>>>> # net -d 5 ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
>>>> INFO: Current debug levels:
>>>> all: 5
>>>> tdb: 5
>>>> printdrivers: 5
>>>> lanman: 5
>>>> smb: 5
>>>> rpc_parse: 5
>>>> rpc_srv: 5
>>>> rpc_cli: 5
>>>> passdb: 5
>>>> sam: 5
>>>> auth: 5
>>>> winbind: 5
>>>> vfs: 5
>>>> idmap: 5
>>>> quota: 5
>>>> acls: 5
>>>> locking: 5
>>>> msdfs: 5
>>>> dmapi: 5
>>>> registry: 5
>>>> lp_load_ex: refreshing parameters
>>>> Initialising global parameters
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> INFO: Current debug levels:
>>>> all: 5
>>>> tdb: 5
>>>> printdrivers: 5
>>>> lanman: 5
>>>> smb: 5
>>>> rpc_parse: 5
>>>> rpc_srv: 5
>>>> rpc_cli: 5
>>>> passdb: 5
>>>> sam: 5
>>>> auth: 5
>>>> winbind: 5
>>>> vfs: 5
>>>> idmap: 5
>>>> quota: 5
>>>> acls: 5
>>>> locking: 5
>>>> msdfs: 5
>>>> dmapi: 5
>>>> registry: 5
>>>> params.c:pm_process() - Processing configuration file
>>>> "/etc/samba/smb.conf"
>>>> Processing section "[global]"
>>>> doing parameter workgroup = JALMA
>>>> doing parameter server string = Samba Server Version %v
>>>> doing parameter log file = /var/log/samba/log.%m
>>>> doing parameter max log size = 50
>>>> doing parameter realm = JALMA.NET
>>>> doing parameter security = ads
>>>> doing parameter idmap uid = 10000-20000
>>>> WARNING: The "idmap uid" option is deprecated
>>>> doing parameter idmap gid = 10000-20000
>>>> WARNING: The "idmap gid" option is deprecated
>>>> doing parameter password server = serveur-8.jalma.net
>>>> doing parameter winbind separator =
>>>> pm_process() returned Yes
>>>> Substituting charset 'UTF-8' for LOCALE
>>>> Netbios name list:-
>>>> my_netbios_names[0]="SERVEUR-4"
>>>> added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0
>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>> added interface eth0 ip=192.168.10.22 bcast=192.168.10.255
>>>> netmask=255.255.255.0
>>>> Registered MSG_REQ_POOL_USAGE
>>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>>> Enter administrateur@JALMA.NET's password:
>>>> libnet_Join:
>>>> libnet_JoinCtx: struct libnet_JoinCtx
>>>> in: struct libnet_JoinCtx
>>>> dc_name : 'serveur-8.jalma.net'
>>>> machine_name : 'SERVEUR-4'
>>>> domain_name : *
>>>> domain_name : 'JALMA.NET'
>>>> account_ou : NULL
>>>> admin_account : 'administrateur@JALMA.NET'
>>>> machine_password : NULL
>>>> join_flags : 0x00000023 (35)
>>>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>>> os_version : NULL
>>>> os_name : NULL
>>>> create_upn : 0x00 (0)
>>>> upn : NULL
>>>> modify_config : 0x00 (0)
>>>> ads : NULL
>>>> debug : 0x01 (1)
>>>> use_kerberos : 0x00 (0)
>>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>>> Connecting to host=serveur-8.jalma.net
>>>> Opening cache file at /var/lib/samba/gencache.tdb
>>>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>>>> sitename_fetch: Returning sitename for JALMA.NET:
>>>> "Premier-Site-par-defaut"
>>>> name serveur-8.jalma.net#20 found.
>>>> Connecting to 192.168.10.40 at port 445
>>>> Socket options:
>>>> SO_KEEPALIVE = 0
>>>> SO_REUSEADDR = 0
>>>> SO_BROADCAST = 0
>>>> TCP_NODELAY = 1
>>>> TCP_KEEPCNT = 9
>>>> TCP_KEEPIDLE = 7200
>>>> TCP_KEEPINTVL = 75
>>>> IPTOS_LOWDELAY = 0
>>>> IPTOS_THROUGHPUT = 0
>>>> SO_REUSEPORT = 0
>>>> SO_SNDBUF = 19800
>>>> SO_RCVBUF = 87380
>>>> SO_SNDLOWAT = 1
>>>> SO_RCVLOWAT = 1
>>>> SO_SNDTIMEO = 0
>>>> SO_RCVTIMEO = 0
>>>> TCP_QUICKACK = 1
>>>> Substituting charset 'UTF-8' for LOCALE
>>>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 52
>>>> check_bind_response: accepted!
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 180
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 32
>>>> saf_fetch: failed to find server for "jalma.net" domain
>>>> get_dc_list: preferred server list: ", serveur-8.jalma.net"
>>>> sitename_fetch: Returning sitename for JALMA.NET:
>>>> "Premier-Site-par-defaut"
>>>> name serveur-8.jalma.net#20 found.
>>>> get_dc_list: returning 1 ip addresses in an ordered list
>>>> get_dc_list: 192.168.10.40:389
>>>> create_local_private_krb5_conf_for_domain: wrote file
>>>> /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC
>>>> list = kdc = 192.168.10.40
>>>>
>>>> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 52
>>>> check_bind_response: accepted!
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> rpc_read_send: data_to_read: 16
>>>> rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED
>>>> received from host serveur-8.jalma.net!
>>>> rpc_api_pipe: host serveur-8.jalma.net
>>>> cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
>>>> libnet_Join:
>>>> libnet_JoinCtx: struct libnet_JoinCtx
>>>> out: struct libnet_JoinCtx
>>>> account_name : NULL
>>>> netbios_domain_name : 'JALMA'
>>>> dns_domain_name : 'jalma.net'
>>>> forest_name : 'jalma.net'
>>>> dn : NULL
>>>> domain_sid : *
>>>> domain_sid :
>>>> S-1-5-21-796845957-1343024091-682003330
>>>> modified_config : 0x00 (0)
>>>> error_string : 'failed to join domain
>>>> 'JALMA.NET' over rpc: Access denied'
>>>> domain_is_ad : 0x01 (1)
>>>> result : WERR_ACCESS_DENIED
>>>> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
>>>> Access denied
>>>> return code = -1
>>>>
>>>>
>>>>
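The pre-join checks Rowland's reply walks through (replace the deprecated `idmap uid`/`idmap gid` lines with `idmap config` entries, remove a stale /etc/krb5.keytab, make sure winbind is on the passwd and group lines of nsswitch.conf), as an added shell example that is not part of the thread. The function names and the sample smb.conf/nsswitch.conf files are constructed here; run it against the real paths once the samples are swapped out.

```shell
#!/bin/sh
# Added example, not from the thread: pre-join sanity checks for a Samba 3.6
# ADS member. File paths are parameters so the checks run on the samples below.

# Count deprecated 'idmap uid'/'idmap gid' lines (the WARNINGs in the
# 'net -d 5 ads join' output); they should be 'idmap config' entries.
smbconf_deprecated_idmap() {
    grep -Eic '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' "$1" || true
}

# Does smb.conf give domain $2 an 'idmap config' backend of ad or rid?
smbconf_has_idmap_backend() {
    grep -Eiq "^[[:space:]]*idmap config[[:space:]]+$2[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*(ad|rid)[[:space:]]*$" "$1"
}

# Both the passwd and group databases in nsswitch.conf must list winbind.
nsswitch_has_winbind() {
    for db in passwd group; do
        grep -Eiq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# A keytab left by an earlier failed join must be gone before 'net ads join'.
keytab_is_clear() {
    [ ! -e "$1" ]
}

# Constructed samples: the original poster's smb.conf and a corrected one.
WORK=$(mktemp -d)
cat > "$WORK/smb.conf.old" <<'EOF'
[global]
   workgroup = XXX
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
cat > "$WORK/smb.conf.new" <<'EOF'
[global]
   workgroup = XXX
   security = ADS
   idmap config * : backend = tdb
   idmap config XXX : backend = ad
EOF
printf 'passwd: files winbind\ngroup: files winbind\n' > "$WORK/nsswitch.conf"
: > "$WORK/krb5.keytab"   # simulate a stale keytab from a failed attempt

echo "deprecated idmap lines in old config: $(smbconf_deprecated_idmap "$WORK/smb.conf.old")"
smbconf_has_idmap_backend "$WORK/smb.conf.new" XXX && echo "new config: idmap backend OK"
nsswitch_has_winbind "$WORK/nsswitch.conf" && echo "nsswitch: winbind present"
keytab_is_clear "$WORK/krb5.keytab" || echo "stale keytab present: remove it before joining"
```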