[Samba] Failed to join domain - some user account restriction has prevented successful authentication

Doug Sampson dougs at dawnsign.com
Thu Dec 28 18:49:33 UTC 2023


> I'm setting up a FreeBSD server as a domain member of an Active
> Directory environment. There are two W2K22 domain controllers in the AD.
> 
> In the past, I've used the samba416 port to compile on a few FreeBSD
> servers. But on this new FreeBSD server, I'm using the samba416 package.
> After installing and configuring, I find that I am unable to join the
> domain. Error message as follows:
> 
> 
> Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM'
> over rpc: Indicates a referenced user name and authentication
> information are valid, but some user account restriction has prevented
> successful authentication (such as time-of-day restrictions).
> 
> 
> It seems that my sign-in info is valid but for some reason, it is unable
> to join the domain.
> 
> I've checked for the following:
> 1. /etc/nsswitch contains the correct parameters, i.e. passwd: files
> winbind; group: files winbind
> 2. within 5 minutes of the time displayed by our DCs
> 3. winbindd appears to be configured but does not start due to lack of a
> successful join.
> 
> I have tried another server admin's authentication creds, but it's not
> working: it shows the exact same error message as above.
> 
> # cat /etc/krb5.conf
> #/etc/krb5.conf
> 
> [libdefaults]
>     default_realm        = EXAMPLE.COM
>     dns_lookup_realm     = true
>     dns_lookup_kdc       = true
>     forwardable          = true
>     ticket_lifetime      = 24h
>     renew_lifetime       = 7d
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>     permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> 
> 
> 
> # net ads keytab list
> #
> 
> I'm wondering if this is in any way related to the Kerberos hardening
> changes that were introduced by Microsoft in late 2022 and were to be
> rolled out in phases throughout 2023?
> 
> What else should I be checking for? What event ID(s) should I be
> checking in the event logs on the DCs?
> 

Turns out I needed to require Kerberos as part of the domain join, as follows:

# net ads join -U administrator --use-kerberos=required

We stopped accepting domain joins using RPC a few months ago, so the --use-kerberos parameter is needed.

~Doug
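The fix above in script form, as an added example that is not part of Doug's post or of the Samba project. Without --use-kerberos=required, "net ads join" may authenticate to the DC's RPC services with NTLM and fall back to that path when Kerberos is not used; a domain that no longer accepts that path returns NT_STATUS_ACCOUNT_RESTRICTION, which is the text quoted in the original error. Samba 4.15 and later spell the option --use-kerberos=off|desired|required (older releases used -k/--kerberos); the same policy can be made persistent with "client use kerberos = required" in the [global] section of smb.conf. The realm, DC hostname, admin account name, the 300-second skew limit and the FreeBSD rc script name (samba_server) are assumptions; change them for your site. The network-touching steps only run when DO_JOIN=1 is set, so the script can be read and its pure helpers exercised safely.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project):
# join an AD domain from a Samba 4.16 member server, forcing Kerberos
# for the join, then verify the result.
# Assumed values: realm EXAMPLE.COM, DC dc1.example.com, account
# "administrator", winbindd managed by the FreeBSD samba_server rc script.

REALM="${REALM:-EXAMPLE.COM}"
DC="${DC:-dc1.example.com}"
ADMIN="${ADMIN:-administrator}"
MAX_SKEW=300   # Kerberos tolerates 5 minutes of clock skew by default

# skew_ok OFFSET_SECONDS: succeed when |offset| is within MAX_SKEW.
# A KDC rejects authenticators outside this window (KRB_AP_ERR_SKEW),
# so check the clock before blaming the join itself.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" \
        'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# join_cmd: the exact join invocation. --use-kerberos=required refuses
# to fall back to the NTLM-authenticated RPC path (Samba >= 4.15 syntax;
# older releases used -k / --kerberos instead).
join_cmd() {
    printf 'net ads join -U %s --use-kerberos=required\n' "$ADMIN"
}

# smb_conf_kerberos: the equivalent persistent setting for [global] in
# smb.conf, so every "net ads" call (not only the join) insists on Kerberos.
smb_conf_kerberos() {
    printf 'client use kerberos = required\n'
}

run_join() {
    # 1. Show the clock offset against the DC (ntpdate -q only queries).
    ntpdate -q "$DC" || true
    # 2. Obtain a TGT first so a failure is clearly Kerberos, not RPC.
    kinit "${ADMIN}@${REALM}"
    # 3. Join. "net ads keytab list" stays empty until this succeeds.
    eval "$(join_cmd)"
    net ads testjoin
    net ads keytab list
    # 4. Now winbindd can start; the trust check should pass.
    service samba_server restart
    wbinfo -t
}

# Only touch the network when explicitly asked: DO_JOIN=1 ./join.sh
if [ "${DO_JOIN:-0}" = "1" ]; then
    run_join
fi
```

Run it as DO_JOIN=1 sh join.sh on the member server; without DO_JOIN it defines the helpers and exits, which is what the checks below exercise.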
