J. Alexander Jacocks
2014-Mar-05 23:29 UTC
[Samba] Trouble Joining Windows 2008R2 Domain with Error 'failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied'
All,

I've been trying to troubleshoot a difficult-to-pin-down domain join issue, where a fully-updated CentOS 6 host cannot join a domain hosted by a fully-patched Windows 2008 R2 domain controller. I am running CentOS 6's samba build version 3.6.9-167.el6_5.

I have checked all of the usual suspects (time, kerberos, DNS lookup), and all seem well:

# kinit administrator
Password for administrator@FULLY.QUALIFIED.DOMAIN:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@FULLY.QUALIFIED.DOMAIN

Valid starting     Expires            Service principal
03/05/14 22:56:38  03/06/14 08:56:44  krbtgt/FULLY.QUALIFIED.DOMAIN@FULLY.QUALIFIED.DOMAIN
        renew until 03/12/14 22:56:38
# host dc1
dc1.fully.qualified.domain has address 172.16.50.2
# host 172.16.50.2
2.50.16.172.in-addr.arpa domain name pointer dc1.fully.qualified.domain.

Here is the kerberos config that I am using. Notice that I have a parent domain, as well, but I'm not trying to attach to that:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FULLY.QUALIFIED.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 FULLY.QUALIFIED.DOMAIN = {
  kdc = dc1.fully.qualified.domain
  admin_server = dc1.fully.qualified.domain
 }
 QUALIFIED.DOMAIN = {
  kdc = dc001.qualified.domain
  kdc = dc002.qualified.domain
  kdc = dc003.qualified.domain
  kdc = dc004.qualified.domain
  admin_server = dc001.qualified.domain
 }

[domain_realm]
 .fully.qualified.domain = FULLY.QUALIFIED.DOMAIN
 fully.qualified.domain = FULLY.QUALIFIED.DOMAIN
 .qualified.domain = QUALIFIED.DOMAIN
 qualified.domain = QUALIFIED.DOMAIN

And my Samba config is fairly sparse, as well, as it's the base Red Hat/CentOS config, with a couple additions, for GPOs deployed on our domains:

# egrep -v '^#|^;' /etc/samba/smb.conf | uniq
[global]
        workgroup = FULLY
        password server = dc1.fully.qualified.domain
        realm = fully.qualified.domain
        security = ads
        idmap config * : range = 16777216-33554431
        template shell = /bin/false
        winbind use default domain = true
        winbind offline logon = false
        allow trusted domains = yes
        client signing = mandatory
        server signing = mandatory
        client lanman auth = no
        client ntlmv2 auth = yes
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        passdb backend = tdbsam
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

I then unlinked and disabled all GPOs, on the single domain controller, and I still could not join. Here is what I am getting, at debugging level 10, on join. The error I get, at the end, is very generic, so it's hard to pin down:

failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied

I can't seem to find any place that RPC might be blocked, in my Windows config. However, I am far from a Windows master.

Here is the full transcript, on debug 5:

# net -d 5 ads join -U administrator%PASSWORD
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = FULLY
doing parameter password server = dc1.fully.qualified.domain
doing parameter realm = fully.qualified.domain
doing parameter security = ads
doing parameter idmap config * : range = 16777216-33554431
doing parameter template shell = /bin/false
doing parameter winbind use default domain = true
doing parameter winbind offline logon = false
doing parameter allow trusted domains = yes
doing parameter client signing = mandatory
doing parameter server signing = mandatory
doing parameter client lanman auth = no
doing parameter client ntlmv2 auth = yes
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SCM2"
added interface eth0 ip=172.16.50.21 bcast=172.16.50.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'SCM2'
        domain_name              : *
            domain_name              : 'FULLY.QUALIFIED.DOMAIN'
        account_ou               : NULL
        admin_account            : 'administrator'
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for FULLY.QUALIFIED.DOMAIN: "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
Connecting to host=dc1.fully.qualified.domain
sitename_fetch: Returning sitename for FULLY.QUALIFIED.DOMAIN: "Default-First-Site-Name"
name dc1.fully.qualified.domain#20 found.
Connecting to 172.16.50.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 19800
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Access denied
failed session setup with NT_STATUS_ACCESS_DENIED
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : NULL
        dns_domain_name          : NULL
        forest_name              : NULL
        dn                       : NULL
        domain_sid               : NULL
            domain_sid               : (NULL SID)
        modified_config          : 0x00 (0)
        error_string             : 'failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied'
        domain_is_ad             : 0x00 (0)
        result                   : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied
return code = -1

Any advice would be most welcome!

Thanks!

- Alex
steve
2014-Mar-05 23:45 UTC
[Samba] Trouble Joining Windows 2008R2 Domain with Error 'failed to lookup DC info for domain 'FULLY.QUALIFIED.DOMAIN' over rpc: Access denied'
On Wed, 2014-03-05 at 18:29 -0500, J. Alexander Jacocks wrote:

For the join, try simply:

krb5.conf:
[libdefaults]
default_realm = FULLY.QUALIFIED.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true

with smb.conf:
[global]
workgroup = FULLY
realm = FULLY.QUALIFIED.DOMAIN
security = ads
kerberos method = system keytab

Put the frilly stuff back later.
HTH
Steve

> # cat /etc/krb5.conf
>
> [libdefaults]
> default_realm = FULLY.QUALIFIED.DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
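A preflight check for the two things this thread turns on: whether the realm is spelled identically in smb.conf and krb5.conf (Alex's smb.conf has it in lowercase, Steve's suggested config uppercases it), and whether a `net ads join` debug transcript shows the session setup negotiating NTLMSSP without Kerberos, as Alex's does. This is an added example, not code from either poster or from Samba; it runs on constructed sample text copied from the configs and transcript above, and the helper names conf_get, realms_consistent and ntlm_fallback are my own.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the realm settings in
# smb.conf and krb5.conf and scan a `net ads join` debug transcript for the
# NTLMSSP fallback visible in the original post. Sample text is constructed.
set -eu
# Constructed sample mirroring the poster's configs (smb.conf realm in lowercase).
SMB_CONF='[global]
    workgroup = FULLY
    password server = dc1.fully.qualified.domain
    realm = fully.qualified.domain
    security = ads'
KRB5_CONF='[libdefaults]
    default_realm = FULLY.QUALIFIED.DOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false'
# Constructed excerpt of the debug-5 join output quoted in the post.
JOIN_LOG='use_kerberos : 0x00 (0)
Doing spnego session setup (blob length=136)
Got NTLMSSP neg_flags=0x62898215
SPNEGO login failed: Access denied
failed session setup with NT_STATUS_ACCESS_DENIED'
# conf_get TEXT KEY: value of the first "KEY = value" line, whitespace trimmed.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | sed 's/[[:space:]]*$//' | head -n 1
}

# Succeeds only when smb.conf "realm" and krb5.conf "default_realm" match byte
# for byte: Kerberos realm names are case-sensitive, and the reply in the
# thread sets both to the same uppercase form.
realms_consistent() {
    [ "$(conf_get "$1" realm)" = "$(conf_get "$2" default_realm)" ]
}

# Succeeds when the transcript shows the session setup ran without Kerberos
# and negotiated NTLMSSP instead, which is what the original post shows.
ntlm_fallback() {
    printf '%s\n' "$1" | grep -q 'use_kerberos *: 0x00' &&
        printf '%s\n' "$1" | grep -q 'Got NTLMSSP neg_flags'
}

if realms_consistent "$SMB_CONF" "$KRB5_CONF"; then
    echo "realm: smb.conf and krb5.conf agree"
else
    echo "realm: smb.conf '$(conf_get "$SMB_CONF" realm)' differs from" \
         "krb5.conf '$(conf_get "$KRB5_CONF" default_realm)'"
fi
if ntlm_fallback "$JOIN_LOG"; then
    echo "join: session setup fell back to NTLMSSP, Kerberos was not used"
fi
```

To use it against a live host, replace the three constructed variables with the contents of /etc/samba/smb.conf, /etc/krb5.conf and the saved output of `net -d 5 ads join`.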