DescriptionDmitry Zhukovski
2016-02-25 18:30:19 UTC
Description of problem:
Customer is attempting to join AD domain via "net ads join -U xxx@domain -S <DC hostname>". Command throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Version-Release number of selected component (if applicable):
RHEL7.2
samba-4.2.3-10.el7.x86_64
samba-client-4.2.3-10.el7.x86_64
samba-client-libs-4.2.3-10.el7.x86_64
samba-common-4.2.3-10.el7.noarch
samba-common-libs-4.2.3-10.el7.x86_64
samba-common-tools-4.2.3-10.el7.x86_64
samba-libs-4.2.3-10.el7.x86_64
samba-winbind-4.2.3-10.el7.x86_64
samba-winbind-clients-4.2.3-10.el7.x86_64
samba-winbind-krb5-locator-4.2.3-10.el7.x86_64
samba-winbind-modules-4.2.3-10.el7.x86_64
How reproducible:
Any time
Steps to Reproduce:
1. make sure that user joining client don't have permissions to modify msDS-SupportedEncryptionTypes LDAP attribute (settings "The account supports Kerberos AES 128/256 bit encryption"
2. run net ads join -U user@domain -S <DC hostname>
2.
3.
Actual results:
get "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Client seems is joined domain but still error message
Expected results:
client joins domain without any errors
Additional info:
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
BZ is related to upstream patch https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d9ede628af3c4befc1249a1ad4ee4e23ef75b7c7
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2468.html