We were testing Kerberos-only mode. This was set up using the following GPO settings under Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

- Network Security: Restrict NTLM: Incoming NTLM traffic: Deny all accounts
- Network Security: Restrict NTLM: NTLM authentication in this domain: Deny all
- Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all

The result is that net ads join -k succeeds, but says that it fails during verification (actually, in libnet_join_ok) with:

    return code = -1
    Failed to join domain: failed to verify domain membership after joining: Access denied

The reason for the failure is that we do not tell cli_full_connection to use Kerberos. I will attach a patch that fixes this problem.
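As an added check that is not part of the bug report or of Samba itself: before reproducing the join, it helps to read back the three "Restrict NTLM" policies from the registry on the Windows host and confirm each one is really at its "Deny all" setting, since a policy that has not applied yet will let NTLM through and mask the problem. The registry paths, value names and the numeric meanings (2 = "Deny all accounts" / "Deny all" for the incoming and outgoing settings, 7 = "Deny all" for the in-domain setting) are the documented policy-to-registry mapping, but treat them as an assumption to verify against your Windows version.

```powershell
# Added example, not from the bug report: audit whether this host is really
# in Kerberos-only mode by reading the registry values behind the three
# "Network Security: Restrict NTLM" policies named in the report.
# Assumed mapping (verify for your Windows version):
#   Incoming NTLM traffic                      -> RestrictReceivingNTLMTraffic (2 = Deny all accounts)
#   Outgoing NTLM traffic to remote servers    -> RestrictSendingNTLMTraffic   (2 = Deny all)
#   NTLM authentication in this domain (DCs)   -> RestrictNTLMInDomain         (7 = Deny all)

$checks = @(
    @{ Name    = 'Incoming NTLM traffic'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value   = 'RestrictReceivingNTLMTraffic'
       DenyAll = 2 },
    @{ Name    = 'Outgoing NTLM traffic to remote servers'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value   = 'RestrictSendingNTLMTraffic'
       DenyAll = 2 },
    @{ Name    = 'NTLM authentication in this domain'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value   = 'RestrictNTLMInDomain'
       DenyAll = 7 }
)

$allDenied = $true
foreach ($c in $checks) {
    # A missing value means the policy has never been applied: NTLM is still allowed.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'not set (policy not applied; NTLM allowed)'
        $allDenied = $false
    } elseif ($item.($c.Value) -eq $c.DenyAll) {
        $state = 'Deny all'
    } else {
        $state = "value $($item.($c.Value)) (not Deny all)"
        $allDenied = $false
    }
    '{0,-42} {1}' -f $c.Name, $state
}

if ($allDenied) {
    'Kerberos-only mode is enforced; an NTLM fallback from the Samba client will be rejected.'
} else {
    'NTLM is still permitted somewhere; the join verification failure will not reproduce until all three are Deny all.'
}
```

Run it in an elevated PowerShell on the machine whose policy you changed (the in-domain setting only matters on domain controllers); after a gpupdate /force the three lines should all read "Deny all" before you expect the Samba-side failure described above.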
The following patch seems to work. It also requires a small change to libnet_join.h --- source3/libnet/libnet_join.c 2013-01-29 00:49:31.000000000 -0800 +++ libnet_join.c 2013-02-26 23:30:28.918123569 -0800 @@ -1142,7 +1142,8 @@ static NTSTATUS libnet_join_joindomain_r NTSTATUS libnet_join_ok(const char *netbios_domain_name, const char *machine_name, - const char *dc_name) + const char *dc_name, + bool use_kerberos) { uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; struct cli_state *cli = NULL; @@ -1151,6 +1152,7 @@ NTSTATUS libnet_join_ok(const char *netb NTSTATUS status; char *machine_password = NULL; char *machine_account = NULL; + int flags = 0; if (!dc_name) { return NT_STATUS_INVALID_PARAMETER; @@ -1171,6 +1173,10 @@ NTSTATUS libnet_join_ok(const char *netb return NT_STATUS_NO_MEMORY; } + if (use_kerberos) { + flags |= CLI_FULL_CONNECTION_USE_KERBEROS; + } + status = cli_full_connection(&cli, NULL, dc_name, NULL, 0, @@ -1178,7 +1184,7 @@ NTSTATUS libnet_join_ok(const char *netb machine_account, NULL, machine_password, - 0, + flags, Undefined); free(machine_account); free(machine_password); @@ -1247,7 +1253,8 @@ static WERROR libnet_join_post_verify(TA status = libnet_join_ok(r->out.netbios_domain_name, r->in.machine_name, - r->in.dc_name); + r->in.dc_name, + r->in.use_kerberos); if (!NT_STATUS_IS_OK(status)) { libnet_join_set_error_string(mem_ctx, r, "failed to verify domain membership after joining: %s", @@ -2051,6 +2058,7 @@ static WERROR libnet_join_rollback(TALLO u->in.admin_account = r->in.admin_account; u->in.admin_password = r->in.admin_password; u->in.modify_config = r->in.modify_config; + u->in.use_kerberos = r->in.use_kerberos; u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE; --- samba-3.6.12/source3/libnet/libnet_join.h 2013-01-29 00:49:31.000000000 -0800 +++ libnet_join.h 2013-02-26 23:16:23.937622975 -0800 
@@ -25,7 +25,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, const char *machine_name, - const char *dc_name); + const char *dc_name, + const bool use_kerberos); WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx **r); WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
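Review bot: The prototype added in libnet_join.h declares the new parameter as "const bool use_kerberos" while the definition in libnet_join.c has plain "bool use_kerberos"; make the two agree (the plain form matches the neighbouring "const char *dc_name" parameters) so the header and implementation do not drift apart.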
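Review bot: Changing the signature of libnet_join_ok means any caller outside libnet_join.c also needs the new argument; this patch only updates the libnet_join_post_verify call site, so confirm a full tree build shows no remaining three-argument callers before it is pushed. Within the hunk itself the flag handling is sound: "flags" starts at 0 and only gains CLI_FULL_CONNECTION_USE_KERBEROS when use_kerberos is set, so the existing NTLM path through cli_full_connection is unchanged.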
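Review bot: Copying r->in.use_kerberos into the UnjoinCtx in libnet_join_rollback is worth keeping even though the report only describes the verify step: a rollback after a failed Kerberos-only join would otherwise authenticate with NTLM and be refused by the same "Deny all" policy, leaving a stale machine account behind.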
If there is agreement that this is a reasonable fix, I will attach a patch with a Signed-Off-By line.
Looks completely correct to me - thanks! Submit with a Signed-off-by line and I'll push to master, and let's get this into 4.0.next and 3.6.next. Cheers, Jeremy.
Created attachment 8590: A cleaned up patch. This is the cleaned up patch.
Comment on attachment 8590 (A cleaned up patch): Pushed to master. Also applies cleanly to 4.0.x.
Re-assigning to Karolin for inclusion in 4.0.next. Jeremy.
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!