We have identified a problem joining Samba to a Windows 2003 rc2 domain.
Using MIT Kerberos 1.5 and the latest version of Samba (3.0.25b), net join
ads would throw up the error:
cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine
domaincontroller.mynet.mydomain.com. Error was NT_STATUS_ACCESS_DENIED
net_rpc_join_ok: failed to get schannel session key from server
domaincontroller.mynet.mydomain.com for domain mynet. Error was
Failed to verify membership in domain!
Failed to join domain: Success
return code = -1
A temporary workaround for this is to add "netlogon" to the group policy
under "named pipes that can be accessed anonymously". This would seem to
suggest that Samba cannot join a domain unless it is granted anonymous
access to the netlogon pipe.
Our Windows admins don't want to permanently open this, so is there a way to
get Samba net join to work correctly without having anonymous access to the
Are you trying to do an rpc join? or just a net join, and the ads part is failing so it falls back?
Guenther just checked in some code on the latest 3.0.28 and 3.2 that fixes up some of the kerberos encryption types, so perhaps giving that a try might help.
I'll download the latest version and test to let you know. I am doing a net join ads, as mentioned in the earlier post. As mentioned, if the \NETLOGON pipe is opened up on the windows AD server, it works fine. But as soon as our domain policies are applied, it restricts anonymous access to those ports. As soon as this happens, we are unable to complete a net join ads successfully. So the problem happens when there is no anonymous access to \netlogon.
(In reply to comment #1)
> Are you trying to do an rpc join? or just a net join, and the ads part is
> failing so it falls back?
> Guenther just checked in some code on the latest 3.0.28 and 3.2 that fixes up
> some of the kerberos encryption types, so perhaps giving that a try might help.
We are migrating to RHEL 4 and are seeing the same problem with the samba-3.0.25b-1.el4_6.4 rpm in RHEL 4. The Samba server can be joined if the netlogon setting is added. If not, the server fails when joined. An account is created, but it has no trust relationship, so no authentication works with the Samba instance.
The 3.0.14a version we ran on our Solaris servers did not have this issue. We can still join that version to the same AD domain today without the netlogon setting.
This appears to only affect joining. Once joined the netlogon can be taken out and the Samba server works fine (so far).
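As an added example (not code from the thread or from the Samba project), the following POSIX shell wrapper covers the two practical points raised above: the join output contains "Failed to join domain: Success", which is easy to mistake for a successful join, and a join can create a machine account without a working trust. The wrapper classifies the captured `net ads join` output, treating the `\NETLOGON` NT_STATUS_ACCESS_DENIED signature as its own case, and then verifies the trust with `net ads testjoin` and `wbinfo -t` instead of trusting the banner. The account name `joinadmin`, the host names and the sample output lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: wrap `net ads join` so that the
# misleading "Failed to join domain: Success" line is not taken as success,
# and confirm the machine trust afterwards with the commands that actually
# exercise the secure channel. Account and host names are assumptions.

# Classify captured `net ads join` output. Prints one of:
#   netlogon-denied - access to \NETLOGON refused with NT_STATUS_ACCESS_DENIED
#                     (anonymous pipe access restricted by policy, the symptom
#                     described in this thread)
#   failed          - some other join failure
#   joined          - no failure markers found
classify_join_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'NETLOGON' \
       && printf '%s\n' "$out" | grep -q 'NT_STATUS_ACCESS_DENIED'; then
        echo netlogon-denied
    elif printf '%s\n' "$out" | grep -q 'Failed to join domain'; then
        echo failed
    else
        echo joined
    fi
}

# Constructed sample output modelled on the lines quoted in the report
# (host and domain names are placeholders).
SAMPLE_DENIED='cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine dc.example.test. Error was NT_STATUS_ACCESS_DENIED
net_rpc_join_ok: failed to get schannel session key from server dc.example.test for domain EXAMPLE. Error was Failed to verify membership in domain!
Failed to join domain: Success'

# Constructed sample of a join that completed.
SAMPLE_OK="Using short domain name -- EXAMPLE
Joined 'SMBHOST' to realm 'example.test'"

# Run the join (assumed admin account "joinadmin", realm already set in
# smb.conf) and verify the trust rather than trusting the join banner.
join_and_verify() {
    out=$(net ads join -U joinadmin 2>&1)
    status=$(classify_join_output "$out")
    echo "join result: $status"
    if [ "$status" = netlogon-denied ]; then
        echo "DC refuses anonymous access to \\NETLOGON; join cannot get a schannel key" >&2
        return 1
    fi
    if [ "$status" = failed ]; then
        echo "join failed:" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    # A machine account may exist while the trust is broken: check it explicitly.
    if net ads testjoin >/dev/null 2>&1 && wbinfo -t >/dev/null 2>&1; then
        echo "trust verified"
    else
        echo "account may exist but the trust is broken; a rejoin is needed" >&2
        return 1
    fi
}

# Invoke as `sh join-check.sh run` to perform a real join; without the
# argument the script only defines the functions and samples.
if [ "${1:-}" = run ]; then
    join_and_verify
fi
```

The classification runs on text, so it can also be applied to a saved log from a failed join; the trust check is the part that distinguishes an account that merely exists from one whose secure channel works, which is what the comment above describes.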
Using 3.0.30, I can net ads join a Win2k3 domain just fine.
Can you try if this is still failing with 3.0.30 please?
Is this the same bug as bug 5230 ?
(In reply to comment #4)
> Using 3.0.30, I can net ads join a Win2k3 domain just fine.
> Can you try if this is still failing with 3.0.30 please?
Is this the same as bug 5230 ?
I tested 3.0.32 and it resolves the issue discussed here for our systems.
*** Bug 5230 has been marked as a duplicate of this bug. ***
Fixed in 3.0.32.