[Samba] 4.05 stable - domain join attempt failing with "NO DNS zone information found in source domain, not replicating DNS", followed by LDAP error 50

Phil Quesinberry philq at qsystemsengineering.com
Wed May 1 08:59:14 MDT 2013

I've been trying to join Samba 4.05 stable to an existing Windows 2000
domain but keep getting an LDAP error 50 - LDAP_INSUFFICIENT_ACCESS_RIGHTS
despite attempting to join with the Windows administrator account.  I did
a capture of the network traffic generated by the failure for more
information on what's going on and discovered the following:

First, Samba does an LDAP ROOT bind request to the existing PDC as
administrator (NTLMSSP_AUTH, user: DOMAIN\administratorsasl) which succeeds,
so Samba's error message is somewhat misleading (to me); I was interpreting
that as an error connecting to LDAP.
But then I see a bunch of LDAP SASL GSS-API Integrity request/response
packets that Wireshark is apparently unable to decode, so it gives the following:
GSS-API>SPNEGO>BER error: Wrong tag in tagged type - expected class
APPLICATION(1) tag:0 ('end of content') but found class:UNIVERSAL(0) tag:1

Finally, the exchange ends with a timestamp and timestamp echo reply
exchange.  I'm guessing this is Kerberos related:
Samba --> PDC - LDAP (FIN, ACK) Seq=.....TSV=55321631 TSER=722686
PDC --> Samba - TSV=722686 TSER=55321631
PDC --> SAMBA - TSV=722686 TSER=55321631
SAMBA --> PDC - TSV=55321632 TSER = 722686

Could this be a compatibility problem with Samba and the old Win2K server or
is there some other problem?  The "NO DNS zone information found in source
domain, not replicating DNS" error concerns me.  I'd really like to
understand why this isn't working.

I can provide additional info/screenshots/PCAP data if desired.  CLI output
follows, SERVER.HERSCHLAUREN is the current Win2K DC, SERVER1 is the joining
Samba server:

[root at Server1 hldata]# samba-tool domain join HERSCHLAUREN DC -U
Finding a writeable DC for domain 'HERSCHLAUREN'
Password for [HERSCHLAUREN\administrator]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is HERSCHLAUREN
checking sAMAccountName
Adding CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00000522: SecErr: DSID-031A0ADA, problem
> <>
line 175, in _run
    return self.run(*args, **kwargs)
line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
1104, in join_DC
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
1007, in do_join
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
499, in join_add_objects
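The point the post turns on is that the bind as administrator succeeded and the LDAP error 50 came later, when the DC computer object was being added. The helper below is an added example (not code from the original post or from the Samba project) that reads the console output of `samba-tool domain join`, records which step the join reached, and decodes the numeric LDAP result code using the RFC 4511 code table, so a triage script can tell an authentication failure apart from a missing permission on the target container. The sample output embedded in it is constructed to mirror the shape of the log above; the function names and the step labels are this example's own.

```python
"""Triage helper for samba-tool domain join failures (added example).

Walks the console output line by line, tracks the last join step seen,
and pulls out the LDAP result code, the DSID from the AD diagnostic
string and the DN that was being created.  The sample output below is
constructed for this example and mirrors the shape of the post's log.
"""
import re

# LDAP result codes from RFC 4511, section 4.1.9 (subset relevant to joins).
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
    68: "entryAlreadyExists",
}

# Markers for the steps samba-tool prints as the join progresses.
STEP_MARKERS = [
    ("find_dc", re.compile(r"^Finding a writeable DC")),
    ("bind", re.compile(r"^Password for \[")),
    ("add_object", re.compile(r"^Adding (?P<dn>.+)$")),
]
ERROR_RE = re.compile(r"LDAP error (?P<code>\d+)")
DSID_RE = re.compile(r"DSID-(?P<dsid>[0-9A-Fa-f]{8})")
NO_DNS_RE = re.compile(r"NO DNS zone information found")

# Constructed sample in the shape of the post's output (DSID taken from the post).
SAMPLE_OUTPUT = """\
Finding a writeable DC for domain 'HERSCHLAUREN'
Password for [HERSCHLAUREN\\administrator]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is HERSCHLAUREN
checking sAMAccountName
Adding CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00000522: SecErr: DSID-031A0ADA, problem
"""


def triage_join_output(text):
    """Return a dict: last step reached, target DN, LDAP code/name, DSID, DNS flag."""
    result = {
        "step": "unknown",
        "target_dn": None,
        "ldap_code": None,
        "ldap_name": None,
        "dsid": None,
        "dns_replicated": True,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if NO_DNS_RE.search(line):
            result["dns_replicated"] = False
        for step, pattern in STEP_MARKERS:
            m = pattern.match(line)
            if m:
                result["step"] = step
                if step == "add_object":
                    result["target_dn"] = m.group("dn")
        m = ERROR_RE.search(line)
        if m:
            code = int(m.group("code"))
            result["ldap_code"] = code
            result["ldap_name"] = LDAP_RESULT_CODES.get(code, "unknown")
        m = DSID_RE.search(line)
        if m:
            result["dsid"] = m.group("dsid").upper()
    return result


def explain(result):
    """Turn the triage dict into a one-line diagnosis."""
    code = result["ldap_code"]
    if code is None:
        return "No LDAP error reported."
    if result["step"] == "bind" and code == 49:
        return "Bind as the join account failed: wrong password or account."
    if result["step"] == "add_object" and code == 50:
        return ("Bind succeeded; the directory refused to create %s. "
                "The join account lacks create rights on that container."
                % result["target_dn"])
    return "LDAP error %d (%s) during step %s." % (
        code, result["ldap_name"], result["step"])


if __name__ == "__main__":
    r = triage_join_output(SAMPLE_OUTPUT)
    print(r)
    print(explain(r))
```

Feed it the real output with `triage_join_output(open("join.log").read())`; for the sample it reports step `add_object`, code 50 (`insufficientAccessRights`) on `CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN`, and flags that DNS zone data was not replicated.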

