Cyril Feraudet
2014-Aug-26 10:02 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Hi all,
I get an error when I try to join a domain from CentOS 6.5. Do you have any idea?
/etc/samba/smb.conf :
---------------------
[global]
workgroup = XXX
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
realm = XXX.YYY
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = dcserver.xxx.yyy
winbind separator = \
/etc/krb5.conf :
----------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.YYY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
XXX.YYY = {
kdc = dcserver.xxx.yyy:88
admin_server = dcserver.xxx.yyy:749
}
[domain_realm]
.xxx.yyy = XXX.YYY
xxx.yyy = XXX.YYY
/var/kerberos/krb5kdc/kdc.conf :
--------------------------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
XXX.YYY= {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Then :
------
# kinit administrateur@XXX.YYY
Password for administrateur@XXX.YYY:
# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'XXX.YYY',
master key name 'K/M@XXX.YYY'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
Enter administrateur@JALMA.NET's password:
Failed to join domain: failed to join domain 'JALMA.NET' over rpc: Access denied
# net -d 5 ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = JALMA
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter realm = JALMA.NET
doing parameter security = ads
doing parameter idmap uid = 10000-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 10000-20000
WARNING: The "idmap gid" option is deprecated
doing parameter password server = serveur-8.jalma.net
doing parameter winbind separator = \
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVEUR-4"
added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.10.22 bcast=192.168.10.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrateur@JALMA.NET's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : 'serveur-8.jalma.net'
machine_name : 'SERVEUR-4'
domain_name : *
domain_name : 'JALMA.NET'
account_ou : NULL
admin_account : 'administrateur@JALMA.NET'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Connecting to host=serveur-8.jalma.net
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for JALMA.NET: "Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
Connecting to 192.168.10.40 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 180
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
saf_fetch: failed to find server for "jalma.net" domain
get_dc_list: preferred server list: ", serveur-8.jalma.net"
sitename_fetch: Returning sitename for JALMA.NET: "Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.10.40:389
create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list = kdc = 192.168.10.40
Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 16
rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received from host serveur-8.jalma.net!
rpc_api_pipe: host serveur-8.jalma.net
cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'JALMA'
dns_domain_name : 'jalma.net'
forest_name : 'jalma.net'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-796845957-1343024091-682003330
modified_config : 0x00 (0)
error_string : 'failed to join domain 'JALMA.NET' over rpc: Access denied'
domain_is_ad : 0x01 (1)
result : WERR_ACCESS_DENIED
Failed to join domain: failed to join domain 'JALMA.NET' over rpc: Access denied
return code = -1
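An added example, not from the thread or from Samba itself: a small Python triage helper that pulls the decisive fields out of a `net -d 5 ads join` trace like the one above (which DC and IP were used, whether the join ran over Kerberos or plain RPC, the RPC fault and the final result) and decodes `join_flags` with the bit values from MS-WKST. The sample input is constructed from lines of this post.

```python
import re

# Bit values of the wkssvc join flags, as defined in MS-WKST (NetrJoinDomain2
# options) and Samba's wkssvc.idl; the names match the debug trace above.
JOIN_FLAGS = {
    "WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS": 0x10000000,
    "WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME": 0x00000400,
    "WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT": 0x00000200,
    "WKSSVC_JOIN_FLAGS_DEFER_SPN": 0x00000100,
    "WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED": 0x00000080,
    "WKSSVC_JOIN_FLAGS_JOIN_UNSECURE": 0x00000040,
    "WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED": 0x00000020,
    "WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE": 0x00000010,
    "WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE": 0x00000004,
    "WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE": 0x00000002,
    "WKSSVC_JOIN_FLAGS_JOIN_TYPE": 0x00000001,
}

def decode_join_flags(value):
    """Return the names of the flag bits set in a join_flags value."""
    return [name for name, bit in JOIN_FLAGS.items() if value & bit]

def triage_join_log(text):
    """Pull the fields that decide a failed join out of a net -d 5 trace."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None
    flags = grab(r"^\s*join_flags\s*:\s*(0x[0-9a-fA-F]+)")
    return {
        "dc_name": grab(r"^\s*dc_name\s*:\s*'([^']*)'"),
        "dc_ip": grab(r"^Connecting to (\d+\.\d+\.\d+\.\d+) at port 445"),
        "admin_account": grab(r"^\s*admin_account\s*:\s*'([^']*)'"),
        # use_kerberos 0 means the join ran over RPC with NTLM, not Kerberos
        "use_kerberos": grab(r"^\s*use_kerberos\s*:\s*0x\d+ \((\d+)\)") == "1",
        "join_flags": decode_join_flags(int(flags, 16)) if flags else [],
        "rpc_fault": grab(r"RPC fault code (\w+) received"),
        "result": grab(r"^\s*result\s*:\s*(\w+)"),
    }

# Constructed sample: the decisive lines of the trace in the post above.
SAMPLE = """\
    dc_name      : 'serveur-8.jalma.net'
    admin_account: 'administrateur@JALMA.NET'
    join_flags   : 0x00000023 (35)
    use_kerberos : 0x00 (0)
Connecting to 192.168.10.40 at port 445
rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received from host serveur-8.jalma.net!
    result       : WERR_ACCESS_DENIED
"""

if __name__ == "__main__":
    for key, val in triage_join_log(SAMPLE).items():
        print(f"{key:14} {val}")
```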
steve
2014-Aug-26 10:30 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
On Tue, 2014-08-26 at 12:02 +0200, Cyril Feraudet wrote:
> Hi all,
>
> I get an error when I try to join domain from CentOS 6.5. Have you an
> idea ?
[...]
> [libdefaults]
> default_realm = XXX.YYY
> dns_lookup_realm = false
> dns_lookup_kdc = false

comment false and add: dns_lookup_kdc = true

> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
[...]
> # kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm 'XXX.YYY',
> master key name 'K/M@XXX.YYY'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:

Remove /var/kerberos/krb5kdc/principal

> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net

now do:

net ads join -Uadministrateur

Any better?
HTH
Rowland Penny
2014-Aug-26 10:30 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
On 26/08/14 11:02, Cyril Feraudet wrote:
> Hi all,
>
> I get an error when I try to join domain from CentOS 6.5. Have you an
> idea ?
>
> /etc/samba/smb.conf :
> ---------------------
> [global]
> workgroup = XXX
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> realm = XXX.YYY
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> password server = dcserver.xxx.yyy
> winbind separator = \

What version of samba are you using ?

> /etc/krb5.conf :
> ----------------
[...]
> [libdefaults]
> default_realm = XXX.YYY
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
[...]
> /var/kerberos/krb5kdc/kdc.conf :
> --------------------------------
[...]

This krb5.conf from my laptop:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

> Then :
> ------
>
> # kinit administrateur@XXX.YYY
> Password for administrateur@XXX.YYY:
>
> # kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm 'XXX.YYY',
> master key name 'K/M@XXX.YYY'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:

I have never had to do the above, what do you think it does and why do you do it ?

> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
> Enter administrateur@JALMA.NET's password:
> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
> Access denied

I normally just do 'net ads join -U Administrator@EXAMPLE.COM' and get:

Using short domain name -- EXAMPLE
Joined 'CLIENT' to realm 'example.com'

I wonder if yours is failing because you are doing the step that I (and most people) never do.

Rowland