Unable to join domain using samba tool net or realm/sssd

Why are you using net? You should join the domain with samba-tool

samba-tool domain join domain.example.org DC -Uadministrator --realm=domain.example.org

net isn't really used in Samba 4 anymore except for shares and some other stuff.
Don't mess with Kerberos cryptographic settings.


I had the same issue, realm plus adcli was the solution. realm uses the samba-common backend by default. Get the realmd and adcli packages, and use

# realm join --membership-software=adcli -U <username> <domain>

You never even have to use adcli directly. Note that the same permissions error occurs, but you continue to join the domain rather than fail at the encryption type denial.

This had me tied up for weeks. The project ended up getting delayed until I could figure it out. Learn from my pain.

Unfortunately, as far as I can tell adcli doesn't seem to have any way to verify the join without making changes to AD. To verify, you can back up /etc/samba/smb.conf and replace it with (just):

realm = <REALM>
workgroup = <WORKGROUP>

Then run net ads -P status to get a wealth of information pulled from AD about your newly enrolled machine account. You can do the same with ldapsearch against the DC, by searching with Windows tools, or by asking your AD admins, but I don't know which options to use for LDAP and I like to be self-sufficient.

Oftentimes adcli/net enroll a machine, but sssd_ad doesn't quite work right for identity management out of the box. I find that, especially in enterprise AD environments with RIDs in excess of 200000 or that have been updated from much older versions several times, problems generally pop up. If you get results from the net ads status command but still can't get user information, look for issues with sssd and sssd_ad. systemctl status sssd.service is a good place to start. However, troubleshooting sssd_ad for ID mapping and authentication isn't in the scope of your original question.

Extra credit reading:

Docs for realm on freedesktop.org.

Docs for adcli on freedesktop.org.

Man page for sssd_ad


The problem also appeared to occur on Debian and Ubuntu after Samba was upgraded from 4.1 to the 4.3 minor version, which means it was not Red Hat specific. As an aside, I did contact Red Hat support.

I was not able to find a solution, but I found a workaround which is good enough. For some reason, when the particular failure occurs the keytab is not created or an incorrect one is created. The bind to the Active Directory servers actually was successful, and to make things work a new keytab needs to be created.

Failed to join domain: failed to set machine kerberos encryption types: Insufficient access

Run this to create the keytab:

net -P ads keytab create

Though I opted to keep using Samba, I think you can use this workaround with realm as well.
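Putting the last two answers together, here is an added example (not code from any answer on this page) that applies the keytab workaround only when the join fails with the exact encryption-types error quoted above, then verifies the machine account the way the second answer does, with a temporary two-line smb.conf that is always restored. It assumes smb.conf lives at /etc/samba/smb.conf as on this page; the keytab path /etc/krb5.keytab and all realm, workgroup and user values are placeholders.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: handle the join failure
# the third answer describes (enctype permission denial after a successful
# bind) by recreating the keytab, then verify the machine account the way the
# second answer does, with a temporary two-line smb.conf.
# Assumptions: smb.conf at /etc/samba/smb.conf (named on this page); the keytab
# path /etc/krb5.keytab and all realm/workgroup/user values are placeholders.

SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# True when join output contains the specific error quoted in the third answer.
is_enctype_denial() {
    printf '%s\n' "$1" |
        grep -q 'failed to set machine kerberos encryption types: Insufficient access'
}

# Write the minimal smb.conf the second answer uses for verification.
# $1=realm $2=workgroup $3=destination path
write_minimal_smbconf() {
    printf 'realm = %s\nworkgroup = %s\n' "$1" "$2" > "$3"
}

# Run `net ads -P status` against the minimal config; the EXIT trap restores
# the original smb.conf whether the check succeeds, fails or is interrupted.
# $1=realm $2=workgroup
verify_join() {
    backup="$(mktemp)" || return 1
    cp "$SMBCONF" "$backup" || return 1
    trap 'cp "$backup" "$SMBCONF"; rm -f "$backup"' EXIT
    write_minimal_smbconf "$1" "$2" "$SMBCONF"
    net ads -P status
}

# Join with net (as the question did), apply the keytab workaround only for
# the enctype denial, and refuse to report success without a keytab on disk.
# $1=realm $2=workgroup $3=admin user
join_with_workaround() {
    out="$(net ads join -U "$3" 2>&1)"; rc=$?
    printf '%s\n' "$out"
    if [ "$rc" -ne 0 ]; then
        is_enctype_denial "$out" || return "$rc"   # any other failure is real
        echo 'enctype denial only: bind succeeded, recreating keytab' >&2
        net -P ads keytab create || return 1
    fi
    [ -s "$KEYTAB" ] || { echo "no keytab at $KEYTAB" >&2; return 1; }
    verify_join "$1" "$2"
}
```

Call it as `join_with_workaround DOMAIN.EXAMPLE.ORG DOMAIN administrator` from a root shell; any failure other than the encryption-types denial is returned unchanged so it is not papered over.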