Cyril Feraudet
2014-Aug-26 10:02 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
Hi all,

I get an error when I try to join the domain from CentOS 6.5. Do you have any idea?

/etc/samba/smb.conf :
---------------------
[global]
workgroup = XXX
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
realm = XXX.YYY
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = dcserver.xxx.yyy
winbind separator = \

/etc/krb5.conf :
----------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = XXX.YYY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
XXX.YYY = {
  kdc = dcserver.xxx.yyy:88
  admin_server = dcserver.xxx.yyy:749
}

[domain_realm]
.xxx.yyy = XXX.YYY
xxx.yyy = XXX.YYY

/var/kerberos/krb5kdc/kdc.conf :
--------------------------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
XXX.YYY = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

Then :
------

# kinit administrateur@XXX.YYY
Password for administrateur@XXX.YYY:

# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'XXX.YYY',
master key name 'K/M@XXX.YYY'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

# net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
Enter administrateur@JALMA.NET's password:
Failed to join domain: failed to join domain 'JALMA.NET' over rpc: Access denied

# net -d 5 ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = JALMA
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter realm = JALMA.NET
doing parameter security = ads
doing parameter idmap uid = 10000-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 10000-20000
WARNING: The "idmap gid" option is deprecated
doing parameter password server = serveur-8.jalma.net
doing parameter winbind separator
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVEUR-4"
added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.10.22 bcast=192.168.10.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrateur@JALMA.NET's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : 'serveur-8.jalma.net'
            machine_name             : 'SERVEUR-4'
            domain_name              : *
                domain_name          : 'JALMA.NET'
            account_ou               : NULL
            admin_account            : 'administrateur@JALMA.NET'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
Connecting to host=serveur-8.jalma.net
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for JALMA.NET: "Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
Connecting to 192.168.10.40 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 19800
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 180
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
saf_fetch: failed to find server for "jalma.net" domain
get_dc_list: preferred server list: ", serveur-8.jalma.net"
sitename_fetch: Returning sitename for JALMA.NET: "Premier-Site-par-defaut"
name serveur-8.jalma.net#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.10.40:389
create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list = kdc = 192.168.10.40

Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 32
rpc_api_pipe: host serveur-8.jalma.net
rpc_read_send: data_to_read: 16
rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received from host serveur-8.jalma.net!
rpc_api_pipe: host serveur-8.jalma.net
cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'JALMA'
            dns_domain_name          : 'jalma.net'
            forest_name              : 'jalma.net'
            dn                       : NULL
            domain_sid               : *
                domain_sid           : S-1-5-21-796845957-1343024091-682003330
            modified_config          : 0x00 (0)
            error_string             : 'failed to join domain 'JALMA.NET' over rpc: Access denied'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_ACCESS_DENIED
Failed to join domain: failed to join domain 'JALMA.NET' over rpc: Access denied
return code = -1
steve
2014-Aug-26 10:30 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
On Tue, 2014-08-26 at 12:02 +0200, Cyril Feraudet wrote:
> Hi all,
>
> I get an error when I try to join the domain from CentOS 6.5. Do you have any
> idea?
>
>
> /etc/samba/smb.conf :
> ---------------------
> [global]
> workgroup = XXX
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> realm = XXX.YYY
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> password server = dcserver.xxx.yyy
> winbind separator = \
>
>
> /etc/krb5.conf :
> ----------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = XXX.YYY
> dns_lookup_realm = false
> dns_lookup_kdc = false

comment false and add:
dns_lookup_kdc = true

> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> XXX.YYY = {
> kdc = dcserver.xxx.yyy:88
> admin_server = dcserver.xxx.yyy:749
> }
>
> [domain_realm]
> .xxx.yyy = XXX.YYY
> xxx.yyy = XXX.YYY
>
> /var/kerberos/krb5kdc/kdc.conf :
> --------------------------------
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
>
> [realms]
> XXX.YYY= {
> #master_key_type = aes256-cts
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> supported_enctypes = aes256-cts:normal aes128-cts:normal
> des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
> des-cbc-md5:normal des-cbc-crc:normal
> }
>
> Then :
> ------
>
> # kinit administrateur@XXX.YYY
> Password for administrateur@XXX.YYY:
>
> # kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm
> 'XXX.YYY',
> master key name 'K/M@XXX.YYY'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:

Remove /var/kerberos/krb5kdc/principal

>
>
> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net

now do:
net ads join -Uadministrateur

Any better?
HTH
Rowland Penny
2014-Aug-26 10:30 UTC
[Samba] Failed to join domain: failed to join domain 'XXX.YYY' over rpc: Access denied
On 26/08/14 11:02, Cyril Feraudet wrote:
> Hi all,
>
> I get an error when I try to join the domain from CentOS 6.5. Do you have any
> idea?
>
>
> /etc/samba/smb.conf :
> ---------------------
> [global]
> workgroup = XXX
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> realm = XXX.YYY
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> password server = dcserver.xxx.yyy
> winbind separator = \
>
>
What version of samba are you using?

> /etc/krb5.conf :
> ----------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = XXX.YYY
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> XXX.YYY = {
> kdc = dcserver.xxx.yyy:88
> admin_server = dcserver.xxx.yyy:749
> }
>
> [domain_realm]
> .xxx.yyy = XXX.YYY
> xxx.yyy = XXX.YYY
>
> /var/kerberos/krb5kdc/kdc.conf :
> --------------------------------
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
>
> [realms]
> XXX.YYY= {
> #master_key_type = aes256-cts
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> supported_enctypes = aes256-cts:normal aes128-cts:normal
> des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
> des-cbc-md5:normal des-cbc-crc:normal
> }
>
This krb5.conf from my laptop:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

> Then :
> ------
>
> # kinit administrateur@XXX.YYY
> Password for administrateur@XXX.YYY:
>
> # kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm
> 'XXX.YYY',
> master key name 'K/M@XXX.YYY'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
>
>
I have never had to do the above, what do you think it does and why do you do it?

> # net ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
> Enter administrateur@JALMA.NET's password:
> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
> Access denied
>
I normally just do 'net ads join -U Administrator@EXAMPLE.COM' and get:

Using short domain name -- EXAMPLE
Joined 'CLIENT' to realm 'example.com'

I wonder if yours is failing because you are doing the step that I (and most people) never do.

Rowland

> # net -d 5 ads join -U "administrateur@JALMA.NET" -S serveur-8.jalma.net
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = JALMA
> doing parameter server string = Samba Server Version %v
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 50
> doing parameter realm = JALMA.NET
> doing parameter security = ads
> doing parameter idmap uid = 10000-20000
> WARNING: The "idmap uid" option is deprecated
> doing parameter idmap gid = 10000-20000
> WARNING: The "idmap gid" option is deprecated
> doing parameter password server = serveur-8.jalma.net
> doing parameter winbind separator
> pm_process() returned Yes
> Substituting charset 'UTF-8' for LOCALE
> Netbios name list:-
> my_netbios_names[0]="SERVEUR-4"
> added interface eth0 ip=fe80::217:a4ff:fe8b:f1cb%eth0
> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.10.22 bcast=192.168.10.255
> netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Enter administrateur@JALMA.NET's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : 'serveur-8.jalma.net'
> machine_name : 'SERVEUR-4'
> domain_name : *
> domain_name : 'JALMA.NET'
> account_ou : NULL
> admin_account : 'administrateur@JALMA.NET'
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> Connecting to host=serveur-8.jalma.net
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for JALMA.NET:
> "Premier-Site-par-defaut"
> name serveur-8.jalma.net#20 found.
> Connecting to 192.168.10.40 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 19800
> SO_RCVBUF = 87380
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> Substituting charset 'UTF-8' for LOCALE
> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 180
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> saf_fetch: failed to find server for "jalma.net" domain
> get_dc_list: preferred server list: ", serveur-8.jalma.net"
> sitename_fetch: Returning sitename for JALMA.NET:
> "Premier-Site-par-defaut"
> name serveur-8.jalma.net#20 found.
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.10.40:389
> create_local_private_krb5_conf_for_domain: wrote file
> /var/lib/samba/smb_krb5/krb5.conf.JALMA with realm JALMA.NET KDC list
> = kdc = 192.168.10.40
>
> Bind RPC Pipe: host serveur-8.jalma.net auth_type 0, auth_level 1
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host serveur-8.jalma.net
> rpc_read_send: data_to_read: 16
> rpc_client/cli_pipe.c:491: RPC fault code WERR_ACCESS_DENIED received
> from host serveur-8.jalma.net!
> rpc_api_pipe: host serveur-8.jalma.net
> cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'JALMA'
> dns_domain_name : 'jalma.net'
> forest_name : 'jalma.net'
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-796845957-1343024091-682003330
> modified_config : 0x00 (0)
> error_string : 'failed to join domain
> 'JALMA.NET' over rpc: Access denied'
> domain_is_ad : 0x01 (1)
> result : WERR_ACCESS_DENIED
> Failed to join domain: failed to join domain 'JALMA.NET' over rpc:
> Access denied
> return code = -1
>
>
>
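The two replies point at the same handful of member-server mistakes: dns_lookup_kdc left at false, idmap uid/gid (which winbind flags as deprecated in the debug output), and a local KDC database created with kdb5_util on a machine that should be using the domain controller as its KDC. The following script is an added example, not Samba's or either poster's code: it parses the smb.conf and krb5.conf from the original post (copied here as constructed sample input) and reports those findings. The check list and the path /var/kerberos/krb5kdc/principal are taken from the thread; the existing_paths parameter is an assumption made so the check runs without touching the filesystem.

```python
"""Lint an AD member's smb.conf and krb5.conf for the problems raised in
this thread.  Added example, not Samba's or the posters' own code."""
import re

# Constructed from the smb.conf in the original post (realm obfuscated as there).
SMB_CONF = """\
[global]
workgroup = XXX
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
realm = XXX.YYY
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = dcserver.xxx.yyy
winbind separator = \\
"""

# Constructed from the krb5.conf in the original post ([logging] omitted).
KRB5_CONF = """\
[libdefaults]
default_realm = XXX.YYY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
XXX.YYY = {
  kdc = dcserver.xxx.yyy:88
  admin_server = dcserver.xxx.yyy:749
}

[domain_realm]
.xxx.yyy = XXX.YYY
xxx.yyy = XXX.YYY
"""

# The database kdb5_util create wrote on the client in the original post.
KDC_DB = "/var/kerberos/krb5kdc/principal"


def parse_conf(text):
    """Parse smb.conf/krb5.conf style text into {section: {key: value}}.
    Keys inside a 'REALM = { ... }' block land under 'realms/REALM'."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                         # [section]
            section, sub = m.group(1).lower(), None
            conf.setdefault(section, {})
            continue
        if line.endswith("{"):                        # REALM = {
            sub = line[:-1].strip().rstrip("=").strip()
            conf.setdefault(f"{section}/{sub}", {})
            continue
        if line == "}":
            sub = None
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = f"{section}/{sub}" if sub else section
            conf.setdefault(target, {})[key.lower()] = value
    return conf


def lint_member(smb, krb5, existing_paths=()):
    """Return findings for a domain member.  existing_paths (assumption) lists
    files present on the host so the check runs without filesystem access."""
    findings = []
    g = smb.get("global", {})
    lib = krb5.get("libdefaults", {})
    realm = g.get("realm", "")
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security = ads' is required for an AD member")
    if not realm or realm != realm.upper():
        findings.append(f"smb.conf: realm '{realm}' must be the upper-case Kerberos realm")
    if lib.get("default_realm") != realm:
        findings.append("krb5.conf: default_realm does not match the smb.conf realm")
    if lib.get("dns_lookup_kdc", "true").lower() != "true":
        findings.append("krb5.conf: dns_lookup_kdc = false; set it to true so the "
                        "KDC is located through the AD DNS SRV records")
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            findings.append(f"smb.conf: '{key}' is deprecated (winbind warns at load time)")
    if KDC_DB in existing_paths:
        findings.append(f"{KDC_DB} exists: kdb5_util create was run on the member; "
                        "the DC is the KDC for the realm, remove the local database")
    return findings


if __name__ == "__main__":
    for finding in lint_member(parse_conf(SMB_CONF), parse_conf(KRB5_CONF), {KDC_DB}):
        print("-", finding)
```

Run against the posted configuration plus the leftover KDC database it reports four findings; with dns_lookup_kdc = true, the idmap uid/gid lines removed and no local principal database it reports none.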