Problem reproduced with the xenial packages, even when using -k in the join command (so it authenticates using kerberos).
With my updated packages, I get further but it fails elsewhere:

root@xenial:~# net ads join -U Administrator
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldap://WIN-5GVSUKLMR3C.lowtech.internal)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Server is unwilling to perform
Failed to join domain: failed to connect to AD: Server is unwilling to perform

Adding some debugging shows:

[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v3839>, res_matched: <>

Looks like there is a bad interaction between kerberos and ldap ssl.

Similarly, I can't use ldap tools with GSSAPI authentication together with TLS or start tls, so this doesn't seem to be exclusive to samba:

root@xenial:~# kinit Administrator
Password for Administrator@LOWTECH.INTERNAL:
root@xenial:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
u:LOWTECH\Administrator
root@xenial:~# ldapwhoami -ZZ
SASL/GSSAPI authentication started
SASL username: Administrator@LOWTECH.INTERNAL
SASL SSF: 56
SASL data security layer installed.
ldap_result: Can't contact LDAP server (-1)

The tools do fetch the ldap service ticket:

root@xenial:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LOWTECH.INTERNAL

Valid starting       Expires              Service principal
12/28/2017 18:52:19  12/29/2017 04:52:19  krbtgt/LOWTECH.INTERNAL@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@
        renew until 12/29/2017 18:52:17
12/28/2017 18:52:21  12/29/2017 04:52:19  ldap/win-5gvsuklmr3c.lowtech.internal@LOWTECH.INTERNAL
        renew until 12/29/2017 18:52:17

-- 
https://bugs.launchpad.net/bugs/1576799

Title:
  Regression: 2:4.3.8+dfsg-0ubuntu0.14.04.2 Failed to Issue the StartTLS instruction
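
Added example (not part of the original bug comment and not Samba code): a small Python triage helper that parses the `[LDAP] res_errno` debug line and the `ldapwhoami -ZZ` output quoted above and flags the case where the server refuses a SASL sign/seal bind because TLS is already active. The function names are hypothetical; the two input strings are copied from the output in the message.

```python
import re

# Active Directory diagnostic string carried in the LDAP result message:
#   <hex Win32 code>: LdapErr: DSID-<id>, comment: <text>, data <n>, v<build>
AD_DIAG = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)"
)
RES_ERRNO = re.compile(r"res_errno:\s*(\d+)")
SASL_SSF = re.compile(r"SASL SSF:\s*(\d+)")
UNWILLING_TO_PERFORM = 53  # LDAP result code unwillingToPerform (RFC 4511)

def parse_debug_line(line):
    """Split a '[LDAP] res_errno: ...' debug line into result code and AD fields."""
    errno = RES_ERRNO.search(line)
    diag = AD_DIAG.search(line)
    out = {"res_errno": int(errno.group(1)) if errno else None}
    if diag:
        out.update(diag.groupdict())
        out["win32"] = int(out["win32"], 16)  # hex prefix as an integer
    return out

def negotiated_ssf(client_output):
    """SSF printed by the OpenLDAP client tools, or None if none was reported."""
    m = SASL_SSF.search(client_output)
    return int(m.group(1)) if m else None

def is_sasl_layer_tls_conflict(parsed):
    """True when the server refused a sign/seal bind because TLS is already active."""
    comment = (parsed.get("comment") or "").lower()
    return (parsed.get("res_errno") == UNWILLING_TO_PERFORM
            and "sign/seal" in comment and "tls or ssl" in comment)

# Strings copied from the output quoted in the message above.
DEBUG_LINE = ("[LDAP] res_errno: 53, res_error: <00002029: LdapErr: DSID-0C0904CB, "
              "comment: Cannot bind using sign/seal on a connection on which TLS or "
              "SSL is in effect, data 0, v3839>, res_matched: <>")
LDAPWHOAMI_ZZ = ("SASL/GSSAPI authentication started\n"
                 "SASL username: Administrator@LOWTECH.INTERNAL\n"
                 "SASL SSF: 56\n"
                 "SASL data security layer installed.\n"
                 "ldap_result: Can't contact LDAP server (-1)\n")

if __name__ == "__main__":
    parsed = parse_debug_line(DEBUG_LINE)
    print(parsed)
    print("sign/seal refused over TLS:", is_sasl_layer_tls_conflict(parsed))
    print("client SSF with -ZZ:", negotiated_ssf(LDAPWHOAMI_ZZ))
```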