[Samba] samba-tool join domain fails
Rowland Penny
rowlandpenny at googlemail.com
Wed Sep 25 06:00:43 MDT 2013
On 25/09/13 12:37, Axel wrote:
> Anyone?
>
> This is from log-level 10:
>
> <code>
> root at samba-dc1:/# samba-tool domain join intranet.DOMAIN.de DC
> -Uintranet/admin --realm=intranet.DOMAIN.de
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> Finding a writeable DC for domain 'intranet.DOMAIN.de'
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> finddcs: searching for a DC by DNS domain intranet.DOMAIN.de
> finddcs: looking for SRV records for _ldap._tcp.intranet.DOMAIN.de
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed wi-pas04.intranet.DOMAIN.de [0, 100, 389]
> ads_dns_parse_rr_srv: Parsed wi-pas01.intranet.DOMAIN.de [0, 100, 389]
> finddcs: DNS SRV response 0 at '192.168.200.14'
> finddcs: DNS SRV response 1 at '10.8.0.1'
> finddcs: DNS SRV response 2 at '192.168.200.10'
> finddcs: performing CLDAP query on 192.168.200.14
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x000001fc (508)
> 0: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 0: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 0: NBT_SERVER_ADS_WEB_SERVICE
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid : d4836b14-2bf0-4c30-812a-aa7113035d1e
> forest : 'intranet.DOMAIN.de'
> dns_domain : 'intranet.DOMAIN.de'
> pdc_dns_name : 'wi-pas04.intranet.DOMAIN.de'
> domain_name : 'INTRANET'
> pdc_name : 'WI-PAS04'
> user_name : ''
> server_site : 'Standardname-des-ersten-Standorts'
> client_site : 'Standardname-des-ersten-Standorts'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> finddcs: Found matching DC 192.168.200.14 with server_type=0x000001fc
> Found DC wi-pas04.intranet.DOMAIN.de
> Security token SIDs (1):
> SID[ 0]: S-1-5-18
> Privileges (0xFFFFFFFFFFFFFFFF):
> Privilege[ 0]: SeMachineAccountPrivilege
> Privilege[ 1]: SeTakeOwnershipPrivilege
> Privilege[ 2]: SeBackupPrivilege
> Privilege[ 3]: SeRestorePrivilege
> Privilege[ 4]: SeRemoteShutdownPrivilege
> Privilege[ 5]: SePrintOperatorPrivilege
> Privilege[ 6]: SeAddUsersPrivilege
> Privilege[ 7]: SeDiskOperatorPrivilege
> Privilege[ 8]: SeSecurityPrivilege
> Privilege[ 9]: SeSystemtimePrivilege
> Privilege[ 10]: SeShutdownPrivilege
> Privilege[ 11]: SeDebugPrivilege
> Privilege[ 12]: SeSystemEnvironmentPrivilege
> Privilege[ 13]: SeSystemProfilePrivilege
> Privilege[ 14]: SeProfileSingleProcessPrivilege
> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
> Privilege[ 16]: SeLoadDriverPrivilege
> Privilege[ 17]: SeCreatePagefilePrivilege
> Privilege[ 18]: SeIncreaseQuotaPrivilege
> Privilege[ 19]: SeChangeNotifyPrivilege
> Privilege[ 20]: SeUndockPrivilege
> Privilege[ 21]: SeManageVolumePrivilege
> Privilege[ 22]: SeImpersonatePrivilege
> Privilege[ 23]: SeCreateGlobalPrivilege
> Privilege[ 24]: SeEnableDelegationPrivilege
> Rights (0x 0):
> lpcfg_servicenumber: couldn't find ldb
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
> netmask=255.255.255.0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Password for [INTRANET\admin]:
> Received smb_krb5 packet of length 164
> Received smb_krb5 packet of length 1326
> Received smb_krb5 packet of length 117
> Received smb_krb5 packet of length 1300
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will be cryptographically sealed
> workgroup is INTRANET
> realm is intranet.DOMAIN.de
> checking sAMAccountName
> Adding CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 552, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1007, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 499, in
> join_add_objects
> ctx.samdb.add(rec)
> root at samba-dc1:/#
>
> </code>
>
>
> Axel wrote:
>> Hi folks,
>>
>> big problem with my testing environment... my Windows 2003 domain
>> has existed since 2004 and the credentials are correct, guaranteed.
>> This problem is actually the same on Ubuntu 12.04.3 and Debian 7...
>>
>> <code>
>> root at pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join
>> INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de
>>
>> Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
>> Found DC wi-pas01.intranet.DOMAIN.de
>> Password for [INTRANET\admin]:
>> workgroup is INTRANET
>> realm is intranet.DOMAIN.de
>> checking sAMAccountName
>> Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
>> Join failed - cleaning up
>> checking sAMAccountName
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
>> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>> <>
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
>> 552, in run
>> machinepass=machinepass, use_ntvfs=use_ntvfs,
>> dns_backend=dns_backend)
>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line 1104, in join_DC
>> ctx.do_join()
>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line 1007, in do_join
>> ctx.join_add_objects()
>> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line 499, in join_add_objects
>> ctx.samdb.add(rec)
>> </code>
>>
>> It seems that all prerequisites are fine: DNS, ACLs etc., ping
>> works fine... also resolution of FQDNs.
>>
>> Can someone help?
>>
>> Thanks & Cheers
>> axel
>>
Well, I think this:
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
says it all.
Does user intranet/admin exist and, if so, do they have the right to add
a machine to the domain? Also, have you tried replacing intranet/admin
with Administrator?
Rowland
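As an added illustration of Rowland's reading of the error (this is not code from the thread or from Samba), the script below pulls the structured fields out of the quoted samba-tool output: the LDAP result code, the Win32 error embedded in the AD diagnostic string, the DSID, the directory problem code and the DN that was being added. The sample text is constructed from the log quoted above, and the Win32 code table is a small subset of standard winerror.h values.

```python
import re
# Constructed sample: the tail of the samba-tool output quoted in this thread,
# including the line wrap the mail client introduced inside the diagnostic string.
SAMPLE_OUTPUT = """\
Adding CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""
# Subset of standard winerror.h codes that AD places in the leading hex field.
WIN32_ERRORS = {
    0x522: "ERROR_PRIVILEGE_NOT_HELD (a required privilege is not held by the client)",
    0x52E: "ERROR_LOGON_FAILURE (unknown user name or bad password)",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}
LDAP_RE = re.compile(r"LDAP error (?P<code>\d+)")
ADDING_RE = re.compile(r"^Adding (?P<dn>CN=.+)$", re.M)
# AD diagnostic string layout: <win32hex: SecErr: DSID-xxxx, problem NNNN (NAME), data N>
DIAG_RE = re.compile(
    r"<(?P<win32>[0-9A-Fa-f]{8}):\s*\w+:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s+\((?P<name>\w+)\),\s*data\s+(?P<data>\d+)"
)

def parse_join_failure(output):
    # Returns None when the output does not contain an LDAP error with an AD diagnostic.
    ldap = LDAP_RE.search(output)
    diag = DIAG_RE.search(output)
    adding = ADDING_RE.search(output)
    if not (ldap and diag):
        return None
    win32 = int(diag["win32"], 16)
    dn = adding["dn"] if adding else ""
    return {
        "ldap_code": int(ldap["code"]),
        "win32_code": win32,
        "win32_meaning": WIN32_ERRORS.get(win32, "unknown"),
        "dsid": diag["dsid"],
        "problem": int(diag["problem"]),
        "problem_name": diag["name"],
        "data": int(diag["data"]),
        "target_dn": dn,
        # A DC promotion creates its account here; plain workstation-join rights do not cover it.
        "in_dc_ou": ",OU=Domain Controllers," in dn,
    }

def explain(info):
    if info["problem_name"] == "INSUFF_ACCESS_RIGHTS" and info["in_dc_ou"]:
        return "credentials accepted, but the account may not create objects under OU=Domain Controllers; a Domain Admins member is required"
    return "LDAP error %d: %s" % (info["ldap_code"], info["win32_meaning"])
```

Note that the Kerberos exchange in the log succeeded before the LDAP add failed, so the Win32 code 0x522 points at missing rights, not at a bad password.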