Elliot Mackenzie
2004-Jun-22 04:48 UTC
[Samba] Unable to join Windows 2k AD NT_STATUS_ACCESS_DENIED
I am having horrendous issues with trying to get Samba 3.0.4 to join to a Windows 2000 AD (patched to current). As this one is hurting a bit and needs to be fixed soon, I was hoping I may find salvation in this list from someone here who may be able to shed some useful light on this issue. I am using the latest gentoo mit-krb5 build.

Net join always results in NT_STATUS_ACCESS_DENIED - this is bizarre as I am using the same administrative account I use to join Windows workstations to the domain. Klist shows me a Kerberos ticket that appears to be valid. I have wiped Kerberos tickets with kdestroy then recreated one with kinit as that administrative account. Net join and still no gold.

Unfortunately the Windows logs are not particularly verbose and I haven't been able to gain any further information.

Google is full of these sorts of errors, but they are not usually accompanied by any solutions - most of which seem to be password issues.

Any ideas?

Cheers,
Elliot.

mail log # net rpc join -S IOR-SRV-Z6 -d3 -U Administrator
[2004/06/22 13:18:34, 3] param/loadparm.c:lp_load(3877)
  lp_load: refreshing parameters
[2004/06/22 13:18:34, 3] param/loadparm.c:init_globals(1307)
  Initialising global parameters
[2004/06/22 13:18:34, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/06/22 13:18:34, 3] param/loadparm.c:do_section(3375)
  Processing section "[global]"
[2004/06/22 13:18:34, 2] lib/interface.c:add_interface(79)
  added interface ip=203.x.x.x bcast=203.x.x.255 nmask=255.255.255.0
[2004/06/22 13:18:34, 2] lib/interface.c:add_interface(79)
  added interface ip=192.x.x.x bcast=192.x.x.255 nmask=255.255.255.0
[2004/06/22 13:18:34, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=IOR-SRV-Z6
[2004/06/22 13:18:34, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 203.x.x.x at port 445
[2004/06/22 13:18:34, 1] libsmb/cliconnect.c:cli_full_connection(1473)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/06/22 13:18:34, 1] utils/net.c:connect_to_ipc_anonymous(191)
  Cannot connect to server (anonymously). Error was NT_STATUS_ACCESS_DENIED
Password:
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=IOR-SRV-Z6
[2004/06/22 13:18:39, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 203.x.x.x at port 445
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
  Doing spnego session setup (blob length=119)
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
  got OID=1 2 840 48018 1 2 2
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
  got OID=1 2 840 113554 1 2 2
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
  got OID=1 2 840 113554 1 2 2 3
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
  got OID=1 3 6 1 4 1 311 2 2 10
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(737)
  got principal=ior-srv-z6$@BRISBANE.COMPANY.COM.AU
[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x62890215
[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2004/06/22 13:18:39, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2004/06/22 13:18:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2004/06/22 13:18:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
[2004/06/22 13:18:39, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=IOR-SRV-Z6
[2004/06/22 13:18:39, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 203.x.x.x at port 445
[2004/06/22 13:18:39, 1] libsmb/cliconnect.c:cli_full_connection(1473)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2004/06/22 13:18:39, 1] utils/net.c:connect_to_ipc_anonymous(191)
  Cannot connect to server (anonymously). Error was NT_STATUS_ACCESS_DENIED
Unable to join domain BRISBANE.
[2004/06/22 13:18:39, 2] utils/net.c:main(792)
  return code = 1

Daniel Ramaley
2004-Jun-22 13:22 UTC
[Samba] Unable to join Windows 2k AD NT_STATUS_ACCESS_DENIED
What was the output of the "net ads join" command?

--
Dan Ramaley
Digital Media Library Specialist
(515) 271-1934
Cowles Library 140, Drake University

Aden, Steve
2004-Jun-22 18:51 UTC
[Samba] Unable to join Windows 2k AD NT_STATUS_ACCESS_DENIED
If you have kinit'd a ticket for your w2k Administrator account you should just use "net ads join". If your kerberos and smb.conf are correctly configured, you should be able to join the domain.

"net rpc join" uses NTLMSSP which can be seen in your log (fails because you didn't give a password).

Steve
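
Added example, not part of the original thread and not Samba code: the point that "net rpc join" authenticated with NTLMSSP although the server also offered Kerberos can be read directly from the -d3 output. The Python below decodes the SPNEGO mechanism OIDs and the NTLMSSP neg_flags values from an excerpt of the posted log; the function names are chosen for this example and the flag names are a subset taken from MS-NLMP.

```python
import re

# SPNEGO mechanism OIDs as Samba prints them (space-separated arcs).
MECHS = {
    "1 2 840 48018 1 2 2": "Kerberos 5 (Microsoft legacy OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 2 840 113554 1 2 2 3": "Kerberos 5 user-to-user",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}
# Subset of NTLMSSP negotiate flag bits (names follow MS-NLMP).
FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
# Excerpt of the -d3 output posted in the thread (message lines only).
SAMPLE = """\
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
Got challenge flags:
Got NTLMSSP neg_flags=0x62890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
"""

def decode_flags(value):
    """Return the known flag names set in value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def summarize(log):
    """Report offered SPNEGO mechs and the NTLMSSP flags seen in the log."""
    offered = [MECHS.get(o.strip(), "unknown " + o.strip())
               for o in re.findall(r"got OID=([\d ]+)", log)]
    flags = [int(h, 16) for h in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log)]
    return {
        "offered": offered,
        # neg_flags lines come from libsmb/ntlmssp.c, i.e. the NTLMSSP path ran.
        "used_ntlmssp": bool(flags),
        "server_flags": decode_flags(flags[0]) if flags else [],
        "final_flags": decode_flags(flags[-1]) if flags else [],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the posted log this reports three Kerberos mechanisms plus NTLMSSP on offer, NTLMSSP in use, and final flags that include SIGN, 128 and KEY_EXCH but not SEAL.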