[Samba] Failed to join domain - some user account restriction has prevented successful authentication
Doug Sampson
dougs at dawnsign.com
Thu Dec 28 18:49:33 UTC 2023
> I'm setting up a FreeBSD server as a domain member of an Active
> Directory environment. There are two W2K22 domain controllers in the AD.
>
> In the past, I've used the samba416 port to compile on a few FreeBSD
> servers. But on this new FreeBSD server, I'm using the samba416 package.
> After installing and configuring, I find that I am unable to join the
> domain. Error message as follows:
>
>
> Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM'
> over rpc: Indicates a referenced user name and authentication
> information are valid, but some user account restriction has prevented
> successful authentication (such as time-of-day restrictions).
>
>
> It seems that my sign-in info is valid but for some reason, it is unable
> to join the domain.
>
> I've checked for the following:
> 1. /etc/nsswitch contains the correct parameters, i.e. passwd: files
> winbind; group: files winbind
> 2. within 5 minutes of the time displayed by our DCs
> 3. winbindd appears to be configured but does not start due to lack of
> a successful join.
>
> I have tried another server admin's authentication creds, but it's not
> working; it shows the exact same error message as above.
>
> # cat /etc/krb5.conf
> #/etc/krb5.conf
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> forwardable = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>
>
>
> # net ads keytab list
> #
>
> I'm wondering if this is in any way related to the Kerberos hardening
> changes that were introduced by Microsoft in late 2022 and are to be
> performed in phases throughout 2023?
>
> What else should I be checking for? What event ID(s) should I be
> checking in the event logs on the DCs?
>
Turns out I needed to require Kerberos as part of the domain join as follows:
# net ads join -U administrator --use-kerberos=required
We stopped accepting domain joins using RPC a few months ago. So the use-kerberos parameter is needed.
~Doug
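The fix in Doug's reply, put into a repeatable script as an added example (this is not from the list post or the Samba project). It runs the checks the original message worked through by hand (KDC discoverable via DNS for `dns_lookup_kdc = true`, clock within the 5-minute Kerberos window, credentials valid via `kinit`) before issuing the exact join command from the thread, then confirms the join with `net ads testjoin`, `net ads keytab list` and `wbinfo -t`. Assumptions: the realm EXAMPLE.COM and the DC name `dc1.example.com` are placeholders, `net`, `wbinfo` and `kinit` come from the samba416 package, and `host(1)` and `ntpdate(8)` are the FreeBSD base versions; the `ntpdate -q` output layout parsed here is an assumption. The join only runs when `RUN_JOIN=1` is set, so the helper functions can be exercised without touching a domain.

```shell
#!/bin/sh
# Added example, not Samba project code.  FreeBSD AD domain join that
# forces Kerberos (the fix from the thread) after the pre-flight checks
# the poster did by hand.  REALM/DC/JOIN_USER are assumed placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
DC="${DC:-dc1.example.com}"           # assumed DC hostname
JOIN_USER="${JOIN_USER:-administrator}"
MAX_SKEW_SECS=300                     # Kerberos clock tolerance: 5 minutes

# Build the join command line.  Only the three values net(8) accepts for
# --use-kerberos are allowed; "required" is what the thread needed once
# the DCs stopped accepting RPC joins.  (smb.conf equivalent for all
# client tools: client use kerberos = required)
join_command() {
    user="$1"; mode="$2"
    case "$mode" in
        required|desired|off) ;;
        *) echo "join_command: bad --use-kerberos mode '$mode'" >&2; return 1 ;;
    esac
    printf 'net ads join -U %s --use-kerberos=%s\n' "$user" "$mode"
}

# Pull the signed "offset" value out of an ntpdate -q line such as
#   server 192.0.2.10, stratum 2, offset +0.001153, delay 0.02583
# (constructed sample; the field layout is an assumption about ntpdate).
offset_from_ntpdate() {
    printf '%s\n' "$1" | awk '
        /offset/ { for (i = 1; i <= NF; i++)
                       if ($i == "offset") { sub(",", "", $(i+1)); print $(i+1); exit } }'
}

# Exit 0 when |offset| <= max seconds; awk does the signed float compare.
skew_within_limit() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

main() {
    # 1. dns_lookup_kdc = true in krb5.conf only works if the SRV records resolve.
    echo "== Kerberos SRV records for $REALM"
    host -t SRV "_kerberos._tcp.$REALM"

    # 2. Clock skew: Kerberos rejects tickets outside the 5-minute window.
    echo "== Clock offset against $DC"
    line=$(ntpdate -q "$DC" | grep offset | head -n 1)
    off=$(offset_from_ntpdate "$line")
    echo "offset: ${off}s"
    skew_within_limit "$off" "$MAX_SKEW_SECS" || { echo "clock skew too large" >&2; exit 1; }

    # 3. Prove the credentials work over Kerberos, independent of the join.
    kinit "$JOIN_USER@$REALM"
    klist

    # 4. The join itself, forced over Kerberos instead of RPC (from the thread).
    cmd=$(join_command "$JOIN_USER" required)
    echo "== $cmd"
    $cmd

    # 5. Post-join checks.  In the thread the keytab was empty before the
    #    join; a populated one is the sign the join went through.
    net ads testjoin
    net ads keytab list
    # wbinfo -t needs winbindd running (service winbindd onestart on FreeBSD).
    wbinfo -t || echo "start winbindd, then re-run wbinfo -t" >&2
}

if [ "${RUN_JOIN:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_JOIN=1 REALM=EXAMPLE.COM DC=dc1.example.com sh join.sh`; it prompts for the join user's password twice (once for `kinit`, once for `net ads join`). A mistyped `--use-kerberos` value is rejected before anything touches the domain, which matters because `net` treats an unknown value as an error only after parsing the rest of the options.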