Join AD domain failed SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights

Question

I meet a problem when trying to join Active Directory domain with Samba.

The error message is

cli_session_creds_prepare_krb5: Doing kinit for myaccount@domain.com to access domaincontroller.hostname
cli_session_setup_spnego_send: Connect to access domaincontroller.hostname as myaccount@domain.com using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] C1 A6 B1 DE DE D5 5D 6D   E5 27 86 90 39 7C 4E 1E   ......]m .'..9|N.
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.

My AD server is windows server 2012.

I am quite sure there is something wrong configured on AD server, because same Linux host join other AD domain successuflly.

My command is "net ads join -U myaccount -k"

Here, "an object but has not been granted access rights", how can I know what object and what access permission required?

I did follow actions:

using ldapsearch to make sure LDAP interface working fine, yes it is working fine
join other AD domain, success
If I do not use "-k", the error message will be:

    error_string             : 'Failed to set machine spn: 
    Operations error
    Do you have sufficient permissions to create machine accounts?'

Looks like set service principle name failed, however, I can setspn -S on AD server successfully.

So, I am guessing there is something wrong on kerberos service configuration, any suggestion on how to troubleshoot this issue is welcome.

Thanks in advance.

You might want to clarify the Windows version you’re using. There’s no such thing as Windows Server 2010. There is Windows Server 2008 and Windows Server 2012. — Greg W, May 17 '20 at 09:54
Sure, @GregW, thank you for pointing out this typo, my windows is 2012. Thanks! — zhaorong, May 17 '20 at 10:55
Have you made sure an object with the same name doesn’t already exist in AD? — Appleoddity, May 17 '20 at 15:58
Thank you @Appleoddity, yes, I tried, that is another error message: " Failed to join domain: Failed to set machine spn: Constraint violation Do you have sufficient permissions to create machine accounts? " Here is Operation error (without -k in join command) thanks. — zhaorong, May 17 '20 at 22:45

Join AD domain failed SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights

0 Answers0