Bug 1312109 - net ads join throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Summary: net ads join throws "Failed to join domain: failed to set machine kerberos en...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.2
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Guenther Deschner
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks: 1351260
TreeView+ depends on / blocked
 
Reported: 2016-02-25 18:30 UTC by Dmitry Zhukovski
Modified: 2019-12-16 05:26 UTC (History)
11 users (show)

Fixed In Version: samba-4.4.4-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1351260 (view as bug list)
Environment:
Last Closed: 2016-11-04 06:59:13 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2468 0 normal SHIPPED_LIVE samba bug fix and enhancement update 2016-11-03 14:06:51 UTC
Samba Project 11755 0 None None None 2019-07-16 13:48:48 UTC

Description Dmitry Zhukovski 2016-02-25 18:30:19 UTC
Description of problem:
Customer is attempting to join AD domain via "net ads join -U xxx@domain -S <DC hostname>". Command throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"


Version-Release number of selected component (if applicable):
RHEL7.2

samba-4.2.3-10.el7.x86_64
samba-client-4.2.3-10.el7.x86_64
samba-client-libs-4.2.3-10.el7.x86_64
samba-common-4.2.3-10.el7.noarch
samba-common-libs-4.2.3-10.el7.x86_64
samba-common-tools-4.2.3-10.el7.x86_64
samba-libs-4.2.3-10.el7.x86_64
samba-winbind-4.2.3-10.el7.x86_64
samba-winbind-clients-4.2.3-10.el7.x86_64
samba-winbind-krb5-locator-4.2.3-10.el7.x86_64
samba-winbind-modules-4.2.3-10.el7.x86_64


How reproducible:
Any time

Steps to Reproduce:
1. make sure that user joining client don't have permissions to modify msDS-SupportedEncryptionTypes LDAP attribute (settings "The account supports Kerberos AES 128/256 bit encryption"
2. run net ads join -U user@domain -S <DC hostname>
2.
3.

Actual results:
get "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access"
Client seems is joined domain but still error message

Expected results:
client joins domain without any errors


Additional info:
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

BZ is related to upstream patch https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d9ede628af3c4befc1249a1ad4ee4e23ef75b7c7

Comment 19 errata-xmlrpc 2016-11-04 06:59:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html


Note You need to log in before you can comment on or make changes to this bug.