1312109 – net ads join throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"

Bug 1312109 - net ads join throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"

Summary: net ads join throws "Failed to join domain: failed to set machine kerberos en...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	samba
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Guenther Deschner
QA Contact:	Robin Hack
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1351260
TreeView+	depends on / blocked

Reported:	2016-02-25 18:30 UTC by Dmitry Zhukovski
Modified:	2019-12-16 05:26 UTC (History)
CC List:	11 users (show)
Fixed In Version:	samba-4.4.4-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1351260 (view as bug list)
Environment:
Last Closed:	2016-11-04 06:59:13 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2468	0	normal	SHIPPED_LIVE	samba bug fix and enhancement update	2016-11-03 14:06:51 UTC
Samba Project	11755	0	None	None	None	2019-07-16 13:48:48 UTC

Description Dmitry Zhukovski 2016-02-25 18:30:19 UTC

Description of problem:
Customer is attempting to join AD domain via "net ads join -U xxx@domain -S <DC hostname>". Command throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"


Version-Release number of selected component (if applicable):
RHEL7.2

samba-4.2.3-10.el7.x86_64
samba-client-4.2.3-10.el7.x86_64
samba-client-libs-4.2.3-10.el7.x86_64
samba-common-4.2.3-10.el7.noarch
samba-common-libs-4.2.3-10.el7.x86_64
samba-common-tools-4.2.3-10.el7.x86_64
samba-libs-4.2.3-10.el7.x86_64
samba-winbind-4.2.3-10.el7.x86_64
samba-winbind-clients-4.2.3-10.el7.x86_64
samba-winbind-krb5-locator-4.2.3-10.el7.x86_64
samba-winbind-modules-4.2.3-10.el7.x86_64


How reproducible:
Any time

Steps to Reproduce:
1. make sure that user joining client don't have permissions to modify msDS-SupportedEncryptionTypes LDAP attribute (settings "The account supports Kerberos AES 128/256 bit encryption"
2. run net ads join -U user@domain -S <DC hostname>
2.
3.

Actual results:
get "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Client seems is joined domain but still error message

Expected results:
client joins domain without any errors


Additional info:
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

BZ is related to upstream patch https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d9ede628af3c4befc1249a1ad4ee4e23ef75b7c7

Comment 19 errata-xmlrpc 2016-11-04 06:59:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html

Note You need to log in before you can comment on or make changes to this bug.