Environment
Open Enterprise Server (OES)
Domain Services for Windows (DSfW)
OES 23.4
OES 24.1
OES 24.2
Situation
When a Linux client tries to join a DSfW domain with the "net ads join" command, or through YaST > 'Network Services' > 'Windows Domain Membership' on SUSE, the domain join fails with the following error messages:
ads_print_error: AD LDAP ERROR: 19 (Constraint violation): (null)
connect_to_domain_password_server: unable to open the domain client session to machine <DSFW_DOMAIN_CONTROLLER_FQDN>. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Failed to join domain: failed to verify domain membership after joining: {Access Denied} A process has requested access to an object but has not been granted those access rights.
Cause
After the computer object for the joining Linux host has been created, the Samba client authenticates the computer object with the NetrServerAuthenticate3 method of the Netlogon Remote Protocol ([MS-NRPC]) over SMB. The Linux Samba client uses AES encryption to compute the ClientCredential that it sends in the NetrServerAuthenticate3 call. However, because DSfW does not yet support AES encryption with the NetrServerAuthenticate3 method, it fails to validate the ClientCredential and consequently returns STATUS_ACCESS_DENIED.