Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1504492.1
Update Date: 2018-04-12

Solution Type  Problem Resolution Sure

Solution  1504492.1 :   Samba Joining A Windows Domain May Fail With Error "ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED"  


Related Items
  • Solaris Operating System
  • Sun Blade X6270 M2 Server Module
Related Categories
  • PLA-Support>Sun Systems>SAND>Network>SN-SND: Sun Network PC File Systems

In this Document
Symptoms
Cause
Solution


Created from <SR 3-6366482541>

Applies to:

Sun Blade X6270 M2 Server Module - Version All Versions to All Versions [Release All Releases]
Solaris Operating System - Version 10 3/05 to 11 11/11 [Release 10.0 to 11.0]
Information in this document applies to any platform.
Joining a Windows domain may fail with "ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED"

Symptoms

Using the command "net ads join ..." to join a Samba server into a Windows domain may fail and display the message

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED".

Example:

# net ads join -U username
Enter username's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED

 

More details are visible when the option "-d 10" (extended debugging) is added to the command line.

In debug mode the command produces a large amount of verbose output.

That output includes the settings read from the /etc/samba/smb.conf configuration file.

The parameter that causes the command to fail is "client ldap sasl wrapping", which is set to "sign" in this example.

Example:

# net ads join -d 10 -U username
...
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = EXAMPLE
doing parameter security = ADS
doing parameter realm = EXAMPLE.COM
doing parameter client ldap sasl wrapping = sign
...
kerberos_kinit_password: as username@EXAMPLE.COM using [MEMORY:net_ads] as ccache and config [/var/samba/locks/smb_krb5/krb5.conf.EXAMPLE]
kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'EXAMPLE'
            dns_domain_name          : 'example.com'
            forest_name              : 'example.com'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-1234567890-1234567890-1234567890
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: NT_STATUS_NOT_SUPPORTED'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: NT_STATUS_NOT_SUPPORTED
return code = -1


Cause

 The man page smb.conf(4) describes this parameter as follows:

# man smb.conf
...
     client ldap sasl wrapping (G)
...
         The values sign and seal are only available if Samba has
         been compiled against a modern OpenLDAP version (2.3.x
         or higher).
...

  

The Samba software packages included in Solaris contain their own implementation of an LDAP library, and the binaries (i.e. the command /usr/bin/net) have been compiled to use that LDAP library.

That LDAP library provides different features and functionality than the corresponding one from OpenLDAP.

That is why the parameter "client ldap sasl wrapping" cannot be set to "sign" or "seal" when using the Samba software packages included in Solaris.

 

Solution

Edit the /etc/samba/smb.conf file and remove the parameter "client ldap sasl wrapping" from the configuration, or reconfigure the value for that parameter to the default value "plain".
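
A pre-flight check for the condition described above, as an added example that is not part of the original Oracle document or of Samba: it reads the [global] section of an smb.conf file and reports whether "client ldap sasl wrapping" is set to "sign" or "seal". The function names and the sample file are constructed for illustration; name matching assumes the smb.conf rule that parameter names ignore case and whitespace.

```sh
# Added example, not Oracle's or Samba's code. Function names are hypothetical.

# Print the effective [global] value from the smb.conf in $1 ("plain" if unset).
sasl_wrapping_value() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[][ \t]/, "", s)
            in_global = (s == "global"); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)             # names ignore case and spaces
            if (name == "clientldapsaslwrapping") {
                val = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print (val == "" ? "plain" : val) }
    ' "$1"
}

# Return 1 when the value is one the Solaris-bundled Samba cannot honour.
check_join_config() {
    v=$(sasl_wrapping_value "$1")
    case "$v" in
        sign|seal) echo "$1: client ldap sasl wrapping = $v (unsupported here)" >&2; return 1 ;;
        *)         echo "$1: client ldap sasl wrapping = $v"; return 0 ;;
    esac
}

# Constructed sample: $1 = output path, $2 = value to place in [global].
write_sample() {
    cat > "$1" <<EOF
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM
    Client LDAP  SASL Wrapping = $2
[share]
EOF
}

tmp=$(mktemp)
write_sample "$tmp" sign
check_join_config "$tmp" || echo "remove the parameter or set it to plain"
rm -f "$tmp"
```

To check a live system, call check_join_config /etc/samba/smb.conf before running "net ads join".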

 


Copyright © 2018 Oracle, Inc.  All rights reserved.