[Samba] Failed to join domain - some user account restriction has prevented successful authentication

Doug Sampson dougs at dawnsign.com
Fri Dec 22 01:00:59 UTC 2023


I'm setting up a FreeBSD server as a domain member of an Active Directory environment. There are two W2K22 domain controllers in the AD.

In the past, I've used the samba416 port to compile on a few FreeBSD servers. But on this new FreeBSD server, I'm using the samba416 package. After installing and configuring, I find that I am unable to join the domain. Error message as follows:


Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).


It seems that my sign-in info is valid but for some reason, it is unable to join the domain.

I've checked for the following:
1. /etc/nsswitch contains the correct parameters, i.e. passwd: files winbind; group: files winbind
2. within 5 minutes of the time displayed by our DCs
3. winbindd appears to be configured but does not start due to lack of a successful join.

I have tried another server admin's authentication creds, but it's not working; it shows the exact same error message as above.

# cat /etc/krb5.conf
#/etc/krb5.conf

[libdefaults]
    default_realm        = EXAMPLE.COM
    dns_lookup_realm     = true
    dns_lookup_kdc       = true
    forwardable          = true
    ticket_lifetime      = 24h
    renew_lifetime       = 7d
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96



# net ads keytab list
#

I'm wondering if this is in any way related to the Kerberos hardening changes that were introduced by Microsoft in late 2022 and were to be performed in phases throughout 2023?

What else should I be checking for? What event ID(s) should I be checking in the event logs on the DCs?

~Doug
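The checklist above (nsswitch, clock skew against the DCs, winbindd blocked by the failed join) can be run as one script from the FreeBSD side before retrying the join. The script below is an added example, not code from the post or from the Samba project. It assumes the realm EXAMPLE.COM from the post, an admin account named Administrator (override with REALM= and ADMIN= in the environment), /etc/nsswitch.conf as the nsswitch file, the 5-minute Kerberos clock-skew tolerance the poster measured against, and FreeBSD's base `drill` for the DNS SRV query (substitute `dig` if you have bind-tools installed). The file name samba-join-diag.sh is hypothetical.

```shell
#!/bin/sh
# Pre-join diagnostics for a Samba/winbind domain member on FreeBSD.
# Added example; not from the original post and not Samba's own tooling.
# Assumptions: realm EXAMPLE.COM, admin account "Administrator",
# /etc/nsswitch.conf, 300 s clock-skew tolerance, `drill` for DNS.

REALM="${REALM:-EXAMPLE.COM}"
ADMIN="${ADMIN:-Administrator}"
MAX_SKEW=300   # seconds; the Kerberos default clockskew

# DC locator SRV record for a realm: _ldap._tcp.dc._msdcs.<realm lower-cased>
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Extract N from the "Server time offset: N" line of `net ads info` (stdin).
# Fails (exit 1) when the line is absent, so callers can tell "no data" from 0.
parse_time_offset() {
    awk -F': ' '/^Server time offset:/ { print $2; found = 1 } END { exit !found }'
}

# Succeed when |offset| <= MAX_SKEW seconds.
skew_ok() {
    off=$1
    [ "$off" -lt 0 ] && off=$((-off))
    [ "$off" -le "$MAX_SKEW" ]
}

# Succeed when the nsswitch text on stdin names winbind for both passwd and group.
nsswitch_has_winbind() {
    awk '/^[[:space:]]*passwd:/ && /winbind/ { p = 1 }
         /^[[:space:]]*group:/  && /winbind/ { g = 1 }
         END { exit !(p && g) }'
}

run_checks() {
    echo "== nsswitch.conf =="
    if nsswitch_has_winbind < /etc/nsswitch.conf; then echo ok
    else echo "passwd/group lines do not reference winbind"; fi

    echo "== DC locator via DNS SRV =="
    drill SRV "$(dc_srv_name "$REALM")" || echo "no answer: resolv.conf must point at the AD DNS"

    echo "== DC reachability (CLDAP) and clock skew =="
    net ads lookup || echo "CLDAP lookup of the DC failed"
    info=$(net ads info) || echo "net ads info failed"
    if off=$(printf '%s\n' "$info" | parse_time_offset); then
        if skew_ok "$off"; then echo "clock offset ${off}s: ok"
        else echo "clock offset ${off}s exceeds ${MAX_SKEW}s; fix NTP before joining"; fi
    fi

    echo "== Kerberos: obtain a TGT for the admin account =="
    kinit "${ADMIN}@${REALM}" && klist

    echo "== join using that TGT, with debug output =="
    net ads join --use-kerberos=required -d 2
}

# Run the live checks only when invoked as `sh samba-join-diag.sh run`,
# so the pure helper functions can be sourced and tested offline.
if [ "$1" = "run" ]; then run_checks; fi
```

The `kinit` step separates the two halves of the error: if the TGT is issued, the credentials and the KDC are fine and the restriction is being applied when the join tries to use the account, which narrows it to that account's AD settings (logon hours, workstation restrictions, expiry) or to the DC's policy. On the DC side, for the account used in the join, look at Security log events 4768 and 4771 (Kerberos TGT request and pre-authentication failure, each carrying a result code) and 4776 (NTLM credential validation); the result code on those entries says which restriction was applied.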
