Doug Sampson
2023-Dec-22 01:00 UTC
[Samba] Failed to join domain - some user account restriction has prevented successful authentication
I'm setting up a FreeBSD server as a domain member of an Active Directory environment. There are two W2K22 domain controllers in the AD.

In the past, I've used the samba416 port to compile on a few FreeBSD servers. But on this new FreeBSD server, I'm using the samba416 package. After installing and configuring, I find that I am unable to join the domain. Error message as follows:

Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM' over rpc: Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).

It seems that my sign-in info is valid but for some reason, it is unable to join the domain.

I've checked for the following:
1. /etc/nsswitch contains the correct parameters, i.e. passwd: files winbind; group: files winbind
2. within 5 minutes of the time displayed by our DCs
3. winbindd appears to be configured but does not start due to lack of a successful join.

I have tried another server admin's authentication creds but it's not working; it shows the exact same error message as above.

# cat /etc/krb5.conf
#/etc/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

# net ads keytab list
#

I'm wondering if this is in any way related to the Kerberos hardening changes that were introduced by Microsoft in late 2022 and to be performed in phases throughout 2023?

What else should I be checking for? What event ID(s) should I be checking in the event logs on the DCs?

~Doug
Doug Sampson
2023-Dec-28 18:49 UTC
[Samba] Failed to join domain - some user account restriction has prevented successful authentication
> I'm setting up a FreeBSD server as a domain member of an Active
> Directory environment. There are two W2K22 domain controllers in the AD.
>
> In the past, I've used the samba416 port to compile on a few FreeBSD
> servers. But on this new FreeBSD server, I'm using the samba416 package.
> After installing and configuring, I find that I am unable to join the
> domain. Error message as follows:
>
> Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM'
> over rpc: Indicates a referenced user name and authentication
> information are valid, but some user account restriction has prevented
> successful authentication (such as time-of-day restrictions).
>
> It seems that my sign-in info is valid but for some reason, it is unable
> to join the domain.
>
> I've checked for the following:
> 1. /etc/nsswitch contains the correct parameters, i.e. passwd: files
> winbind; group: files winbind
> 2. within 5 minutes of the time displayed by our DCs
> 3. winbindd appears to be configured but does not start due to lack of
> a successful join.
>
> I have tried another server admin's authentication creds but it's not
> working; it shows the exact same error message as above.
>
> # cat /etc/krb5.conf
> #/etc/krb5.conf
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
>         forwardable = true
>         ticket_lifetime = 24h
>         renew_lifetime = 7d
>         default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>         default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>         permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>
> # net ads keytab list
> #
>
> I'm wondering if this is in any way related to the Kerberos hardening
> changes that were introduced by Microsoft in late 2022 and to be
> performed in phases throughout 2023?
>
> What else should I be checking for? What event ID(s) should I be
> checking in the event logs on the DCs?
Turns out I needed to require Kerberos as part of the domain join as follows:

# net ads join -U administrator --use-kerberos=required

We stopped accepting domain joins using RPC a few months ago. So the use-kerberos parameter is needed.

~Doug
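A pre-flight script for the checklist in this thread, added here as an example; it is not part of the original posts or of Samba. It parses nsswitch.conf for winbind in the passwd and group databases, reads default_realm from the [libdefaults] section of krb5.conf and compares it with the realm being joined, checks the clock offset against the Kerberos default skew of 300 seconds, and only then emits the Kerberos-required join command that resolved the problem. The two config files it writes are constructed to mirror Doug's, the epoch timestamps are made up, and the function and file names are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for a Samba AD domain member before "net ads join":
# nsswitch sources, krb5 realm, clock skew, then the Kerberos-required join.
# Example code written for this page; not part of Samba. The sample config
# files below are constructed to mirror the thread, not copied from a host.

# Return 0 when every database named in $2.. on the nsswitch.conf at $1
# lists winbind as a source (e.g. "passwd: files winbind").
nsswitch_has_winbind() {
    file=$1; shift
    for db in "$@"; do
        awk -v db="$db" '
            /^[ \t]*#/ { next }
            $0 ~ ("^[ \t]*" db "[ \t]*:") &&
            $0 ~ /[ \t:]winbind([ \t]|$)/ { found = 1 }
            END { exit found ? 0 : 1 }' "$file" || {
            echo "nsswitch.conf: '$db' does not list winbind" >&2
            return 1
        }
    done
    return 0
}

# Print default_realm from the [libdefaults] section of the krb5.conf at $1
# (accepts "key = value" and "key=value" forms).
krb5_default_realm() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { section = $0; next }
        section ~ /\[libdefaults\]/ {
            line = $0; sub(/=/, " = ", line); split(line, f)
            if (f[1] == "default_realm") { print f[3]; exit }
        }' "$1"
}

# Return 0 when the realm in krb5.conf ($1) matches the realm being joined
# ($2); Kerberos realms are upper-case, so compare case-insensitively.
krb5_realm_matches() {
    have=$(krb5_default_realm "$1" | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Return 0 when |local - DC| is within the Kerberos default clock skew of
# 300 s. $1 = local epoch seconds, $2 = DC epoch seconds (on a real host
# the DC clock can be read with "net time -S <dc>").
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le 300 ]
}

# Print the join command from the thread: Kerberos is required so the join
# is never attempted over RPC, which the DCs no longer accept.
join_command() {
    printf 'net ads join -U %s --use-kerberos=required\n' "$1"
}

# Run every check; print the join command only if all of them pass.
# $1 = directory holding nsswitch.conf and krb5.conf, $2 = realm,
# $3 = local epoch seconds, $4 = DC epoch seconds, $5 = admin user.
preflight() {
    nsswitch_has_winbind "$1/nsswitch.conf" passwd group &&
    krb5_realm_matches "$1/krb5.conf" "$2" &&
    clock_skew_ok "$3" "$4" &&
    join_command "$5"
}

# ---- constructed sample files mirroring the thread's configuration ----
WORK=$(mktemp -d)
cat > "$WORK/nsswitch.conf" <<'EOF'
# constructed sample nsswitch.conf
passwd: files winbind
group:  files winbind
hosts:  files dns
EOF
cat > "$WORK/krb5.conf" <<'EOF'
#/etc/krb5.conf (constructed sample)
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF

# Made-up timestamps 30 s apart: within skew, so the join command is printed.
preflight "$WORK" EXAMPLE.COM 1703206800 1703206830 administrator
```

Each check is a separate function so a failing one can be run on its own; the script deliberately prints the join command rather than executing it, since the join should be run interactively once the checks pass.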