Cannot connect to local domain from Windows 7/10 - Access is denied

samba-ad
samba
ad-connection
dns
ucs-4-2
linux

#1

I discovered this amazing tool 2 days ago.

Then I installed the version: UCS 4.2 by following the YouTube tutorial below:

DNS server, SSH and Web Management console, among others, works properly (checked).
I also installed the following applications/plugins:

Active Directory Connection
Active Directory Takeover
Active Directory-compatible Domain Controller
DHCP server

as you can see on the following image:

I have the following Linux distribution:

root@ucs:~# cat /etc/*-release
DISTRIB_ID=Univention
DISTRIB_RELEASE="4.2-2 errata159"
DISTRIB_CODENAME=Lesum

DISTRIB_DESCRIPTION="Univention Corporate Server 4.2-2 errata159 (Lesum)"
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

and the following Samba version:

root@ucs:~# samba -V
Version 4.6.1-Debian

As I said above, on this Linux machine I have configured the package:

Active Directory-compatible Domain Controller

I configured one user there: myuser which is under the group: Domain Users.

My problem is, when trying to connect from Windows 7 or Windows 10 to the local domain defined there: mydomain.intranet

I get the error:

The join operation was not successful. This could be because an existing computer account having name "MYUSER-PC" was previously created using a different set of credentials. Use a different computer name, or contact your administrator to remove any stale conflicting account. The error was:

Access is denied

as you can see on the following image:

image

I think one other interesting detail is that if I set a wrong password for the above existing user, I get the following message, so the system is able to know if the password is right or not.

image

Below you have a fragment of the samba error log file on the UCS 4.2 server:

[2017/09/11 19:28:10.549384,  3, pid=13368] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/09/11 19:28:10.551776,  3, pid=13368] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[myuser] domain=[mydomain.intranet] workstation=[DELL-INSPIRON] len1=24 len2=326
[2017/09/11 19:28:10.551800,  3, pid=13368] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [mydomain.intranet]\[myuser]@[DELL-INSPIRON]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[myuser]@[DELL-INSPIRON]
[2017/09/11 19:28:10.552319,  3, pid=13368] ../libcli/auth/ntlm_check.c:397(ntlm_password_check)
  ntlm_password_check: NTLMv2 password check failed
[2017/09/11 19:28:10.552331,  3, pid=13368] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user myuser
[2017/09/11 19:28:10.552360,  3, pid=13368] ../libcli/auth/ntlm_check.c:586(ntlm_password_check)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user myuser
[2017/09/11 19:28:10.552481,  2, pid=13368] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/09/11 19:28:10.552503,  2, pid=13368] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
[2017/09/11 19:28:10.552532,  3, pid=13368] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/09/11 19:28:10.555454,  3, pid=13368] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

I have repeated the installation process of UCS 4.2 from the begining 3 different times in 2 different computers getting the same problem.

Any idea on how to troubleshoot this?

Thanks.


#2

Ok, answering my own question above, the following worked:
Domain: mydomain.intranet
User name: Administrator
Password: <thepassword>

References:

https://stackoverflow.com/questions/46151146/windows-client-connecting-to-ucs-samba-server-the-join-operation-was-not-suc

https://unix.stackexchange.com/questions/391622/windows-client-connecting-to-ucs-samba-server-the-join-operation-was-not-suc/

Thanks.