Bug 4771 - join samba 2.0.25b to a 2003 rc2 domain - error
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.25b
Hardware: x86 Windows 2003
Importance: P3 normal
Target Milestone: none
Assigned To: Kai Blin
QA Contact: Samba QA Contact
Duplicates: 5230
Reported: 2007-07-10 09:16 UTC by hugh
Modified: 2009-03-24 06:57 UTC (History)
Description hugh 2007-07-10 09:16:26 UTC
We have identified a problem joining Samba to a Windows 2003 rc2 domain.
Using MIT Kerberos 1.5, and the latest version of Samba (3.0.25b), net join
ads would throw up the error:

cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine
domaincontroller.mynet.mydomain.com.  Error was NT_STATUS_ACCESS_DENIED
net_rpc_join_ok: failed to get schannel session key from server
domaincontroller.mynet.mydomain.com for domain mynet. Error was
NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
Failed to join domain: Success
return code = -1

A temporary workaround for this is to add "netlogon" to the group policy
under "named pipes that can be accessed anonymously".  This would seem to
suggest that Samba cannot join a domain unless it is granted anonymous
access to the netlogon pipe.

Our Windows admins don't want to permanently open this, so is there a way to
get Samba net join to work correctly without having anonymous access to the
netlogon pipe?
Comment 1 Jim McDonough 2008-01-31 08:55:55 UTC
Are you trying to do an rpc join?  Or just a net join, and the ads part is failing so it falls back?

Guenther just checked in some code on the latest 3.0.28 and 3.2 that fixes up some of the Kerberos encryption types, so perhaps giving that a try might help.
Comment 2 hugh 2008-02-01 07:19:34 UTC
Hi,
I'll download the latest version and test to let you know.  I am doing a net join ads, as mentioned in the earlier post.  As mentioned, if the \NETLOGON pipe is opened up on the Windows AD server, it works fine.  But as soon as our domain policies are applied, it restricts anonymous access to those ports.  As soon as this happens, we are unable to complete a net join ads successfully.  So the problem happens when there is no anonymous access to \netlogon.


(In reply to comment #1)
> Are you trying to do an rpc join?  or just a net join, and the ads part is
> failing so it falls back?
> 
> Guenther just checked in some code on the latest 3.0.28 and 3.2 that fixes up
> some of the kerberos encryption types, so perhaps giving that a try might help.
> 

Comment 3 David Pullman (DSN code 5.1.1) 2008-03-31 16:39:35 UTC
We are migrating to RHEL 4 and are seeing the same problem with the samba-3.0.25b-1.el4_6.4 rpm in RHEL 4.  The Samba server can be joined if the netlogon setting is added.  If not, the server fails when joined.  An account is created, but it has no trust relationship, so no authentication works with the Samba instance.

The 3.0.14a version we ran on our Solaris servers did not have this issue.  We can still join that version to the same AD domain today without the netlogon setting.

This appears to only affect joining.  Once joined the netlogon can be taken out and the Samba server works fine (so far).
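
Added example, not part of the original bug thread: a PowerShell check that a Windows administrator could run on the domain controller to confirm that the temporary "netlogon" entry described in the report has been taken out again after the join, as Comment 3 says is possible. The function name and the sample values are hypothetical; the registry path and value names are the ones behind the "Named pipes that can be accessed anonymously" policy.

```powershell
# Added example: audits the anonymous named-pipe allow-list on a Windows server.
# Test-AnonymousPipe and the sample values below are hypothetical.
function Test-AnonymousPipe {
    [CmdletBinding()]
    param(
        [string] $PipeName = 'netlogon',
        # Pass both values to evaluate exported settings; omit to read the local registry.
        [string[]] $NullSessionPipes,
        [Nullable[int]] $RestrictNullSessAccess
    )
    if (-not $PSBoundParameters.ContainsKey('NullSessionPipes')) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $p = Get-ItemProperty -Path $key -ErrorAction Stop
        $NullSessionPipes = @($p.NullSessionPipes)          # REG_MULTI_SZ
        $RestrictNullSessAccess = $p.RestrictNullSessAccess # REG_DWORD, may be absent
    }
    # Normalise entries defensively: trim whitespace and any leading backslash.
    $listed = @($NullSessionPipes |
        ForEach-Object { "$_".Trim().TrimStart('\') } |
        Where-Object { $_ })
    $inList = $listed -contains $PipeName   # string comparison is case-insensitive
    # RestrictNullSessAccess = 0 switches the allow-list off, so every pipe is
    # reachable anonymously. An absent value is treated here as "enforced".
    $notEnforced = ($RestrictNullSessAccess -eq 0)
    [pscustomobject]@{
        Pipe            = $PipeName
        ListedForAnon   = $inList
        ListNotEnforced = $notEnforced
        Exposed         = ($inList -or $notEnforced)
        AnonymousPipes  = $listed -join ', '
    }
}

# Constructed sample: the workaround from the report is still in place.
Test-AnonymousPipe -NullSessionPipes 'browser', 'NETLOGON' -RestrictNullSessAccess 1

# Constructed sample: the entry has been removed again after the join.
Test-AnonymousPipe -NullSessionPipes 'browser' -RestrictNullSessAccess 1

# Live check, run on the server itself:
# Test-AnonymousPipe
```

If the setting is delivered by Group Policy, run the live check after the policy has refreshed, since the registry value reflects the last applied policy.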

Comment 4 Kai Blin 2008-06-23 16:42:05 UTC
Using 3.0.30, I can net ads join a Win2k3 domain just fine.
Can you try if this is still failing with 3.0.30 please?
Comment 5 Shelby Dunlap 2008-11-21 12:21:38 UTC
Is this the same bug as bug 5230?

(In reply to comment #4)
> Using 3.0.30, I can net ads join a Win2k3 domain just fine.
> Can you try if this is still failing with 3.0.30 please?

Is this the same as bug 5230?

I tested 3.0.32 and it resolves the issue discussed here for our systems.
Comment 6 Kai Blin 2008-11-21 15:29:52 UTC
*** Bug 5230 has been marked as a duplicate of this bug. ***
Comment 7 Kai Blin 2009-03-24 06:57:06 UTC
Fixed in 3.0.32.
Comment 8 Kai Blin 2009-03-24 06:57:18 UTC
Closing