Bug 9689 - net ads join -k fails when AD is in Kerberos-only mode.
Summary: net ads join -k fails when AD is in Kerberos-only mode.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-26 23:13 UTC by Richard Sharpe
Modified: 2013-03-04 09:28 UTC (History)
0 users

See Also:


Attachments
A cleaned up patch (2.92 KB, patch)
2013-02-27 04:40 UTC, Richard Sharpe
jra: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Sharpe 2013-02-26 23:13:51 UTC
We were testing Kerberos-only mode. This was set up using the following GPO Settings:

Local Computer Policy -> Windows settings -> Security settings -> Local
Policies -> Security options

Network Security: Restrict NTLM: Incoming NTLM traffic : Deny All accounts.
Network Security: Restrict NTLM: NTLM authentication in this domain: Deny ALL
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers:  Deny
ALL

The result is that net ads join -k succeeds, but says that it fails in during verifying (actually, in libnet_join_ok) with:

return code = -1
Failed to join domain: failed to verify domain membership after joining: Access
denied

The reason for the failure is that we do not tell cli_full_connect to use Kerberos.

I will attach a patch that fixes this problem.
Comment 1 Richard Sharpe 2013-02-26 23:30:50 UTC
The following patch seems to work. It also requires a small change to libnet_join.h

--- source3/libnet/libnet_join.c       2013-01-29 00:49:31.000000000 -0800
+++ libnet_join.c       2013-02-26 23:30:28.918123569 -0800
@@ -1142,7 +1142,8 @@ static NTSTATUS libnet_join_joindomain_r

 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                        const char *machine_name,
-                       const char *dc_name)
+                       const char *dc_name,
+                       bool use_kerberos)
 {
        uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        struct cli_state *cli = NULL;
@@ -1151,6 +1152,7 @@ NTSTATUS libnet_join_ok(const char *netb
        NTSTATUS status;
        char *machine_password = NULL;
        char *machine_account = NULL;
+       int flags = 0;

        if (!dc_name) {
                return NT_STATUS_INVALID_PARAMETER;
@@ -1171,6 +1173,10 @@ NTSTATUS libnet_join_ok(const char *netb
                return NT_STATUS_NO_MEMORY;
        }

+       if (use_kerberos) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+       }
+
        status = cli_full_connection(&cli, NULL,
                                     dc_name,
                                     NULL, 0,
@@ -1178,7 +1184,7 @@ NTSTATUS libnet_join_ok(const char *netb
                                     machine_account,
                                     NULL,
                                     machine_password,
-                                    0,
+                                    flags,
                                     Undefined);
        free(machine_account);
        free(machine_password);
@@ -1247,7 +1253,8 @@ static WERROR libnet_join_post_verify(TA

        status = libnet_join_ok(r->out.netbios_domain_name,
                                r->in.machine_name,
-                               r->in.dc_name);
+                               r->in.dc_name,
+                               r->in.use_kerberos);
        if (!NT_STATUS_IS_OK(status)) {
                libnet_join_set_error_string(mem_ctx, r,
                        "failed to verify domain membership after joining: %s",
@@ -2051,6 +2058,7 @@ static WERROR libnet_join_rollback(TALLO
        u->in.admin_account     = r->in.admin_account;
        u->in.admin_password    = r->in.admin_password;
        u->in.modify_config     = r->in.modify_config;
+       u->in.use_kerberos      = r->in.use_kerberos;
        u->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
                                  WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;

--- samba-3.6.12/source3/libnet/libnet_join.h       2013-01-29 00:49:31.000000000 -0800
+++ libnet_join.h       2013-02-26 23:16:23.937622975 -0800
@@ -25,7 +25,8 @@

 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                        const char *machine_name,
-                       const char *dc_name);
+                       const char *dc_name,
+                       const bool use_kerberos);
 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
                           struct libnet_JoinCtx **r);
 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
Comment 2 Richard Sharpe 2013-02-26 23:31:27 UTC
If there is agreement that this is a reasonable fix, I will attach a patch with a Signed-Off-By line.
Comment 3 Jeremy Allison 2013-02-27 00:47:31 UTC
Looks completely correct to me - thanks !

Submit with a signed-off by line and I'll push to master, and let's get this into 4.0.next and 3.6.next.

Cheers,

Jeremy.
Comment 4 Richard Sharpe 2013-02-27 04:40:59 UTC
Created attachment 8590 [details]
A cleaned up patch

This is the cleaned up patch.
Comment 5 Jeremy Allison 2013-02-27 20:07:30 UTC
Comment on attachment 8590 [details]
A cleaned up patch

Pushed to master. Also applies cleanly to 4.0.x.
Comment 6 Jeremy Allison 2013-02-27 20:08:08 UTC
Re-assigning to Karolin for inclusion in 4.0.next.
Jeremy.
Comment 7 Karolin Seeger 2013-03-01 15:41:31 UTC
Pushed to autobuild-v4-0-test.
Comment 8 Karolin Seeger 2013-03-04 09:28:15 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!