Bug 1312109 - net ads join throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
net ads join throws "Failed to join domain: failed to set machine kerberos en...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba (Show other bugs)
7.2
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Guenther Deschner
Robin Hack
: ZStream
Depends On:
Blocks: 1351260
  Show dependency treegraph
 
Reported: 2016-02-25 13:30 EST by Dmitry Zhukovski
Modified: 2016-11-04 02:59 EDT (History)
11 users (show)

See Also:
Fixed In Version: samba-4.4.4-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1351260 (view as bug list)
Environment:
Last Closed: 2016-11-04 02:59:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Samba Project 11755 None None None 2016-02-26 05:37 EST

  None (edit)
Description Dmitry Zhukovski 2016-02-25 13:30:19 EST
Description of problem:
Customer is attempting to join AD domain via "net ads join -U xxx@domain -S <DC hostname>". Command throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"


Version-Release number of selected component (if applicable):
RHEL7.2

samba-4.2.3-10.el7.x86_64
samba-client-4.2.3-10.el7.x86_64
samba-client-libs-4.2.3-10.el7.x86_64
samba-common-4.2.3-10.el7.noarch
samba-common-libs-4.2.3-10.el7.x86_64
samba-common-tools-4.2.3-10.el7.x86_64
samba-libs-4.2.3-10.el7.x86_64
samba-winbind-4.2.3-10.el7.x86_64
samba-winbind-clients-4.2.3-10.el7.x86_64
samba-winbind-krb5-locator-4.2.3-10.el7.x86_64
samba-winbind-modules-4.2.3-10.el7.x86_64


How reproducible:
Any time

Steps to Reproduce:
1. make sure that user joining client don't have permissions to modify msDS-SupportedEncryptionTypes LDAP attribute (settings "The account supports Kerberos AES 128/256 bit encryption"
2. run net ads join -U user@domain -S <DC hostname>
2.
3.

Actual results:
get "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Client seems is joined domain but still error message

Expected results:
client joins domain without any errors


Additional info:
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

BZ is related to upstream patch https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d9ede628af3c4befc1249a1ad4ee4e23ef75b7c7
Comment 19 errata-xmlrpc 2016-11-04 02:59:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html

Note You need to log in before you can comment on or make changes to this bug.