[Samba] samba-tool join domain fails
Axel
ako77 at arcor.de
Wed Sep 25 05:37:02 MDT 2013
Anyone?
This is from log-level 10:
<code>
root@samba-dc1:/# samba-tool domain join intranet.DOMAIN.de DC -Uintranet/admin --realm=intranet.DOMAIN.de
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
Finding a writeable DC for domain 'intranet.DOMAIN.de'
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
finddcs: searching for a DC by DNS domain intranet.DOMAIN.de
finddcs: looking for SRV records for _ldap._tcp.intranet.DOMAIN.de
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed wi-pas04.intranet.DOMAIN.de [0, 100, 389]
ads_dns_parse_rr_srv: Parsed wi-pas01.intranet.DOMAIN.de [0, 100, 389]
finddcs: DNS SRV response 0 at '192.168.200.14'
finddcs: DNS SRV response 1 at '10.8.0.1'
finddcs: DNS SRV response 2 at '192.168.200.10'
finddcs: performing CLDAP query on 192.168.200.14
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000001fc (508)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : d4836b14-2bf0-4c30-812a-aa7113035d1e
forest : 'intranet.DOMAIN.de'
dns_domain : 'intranet.DOMAIN.de'
pdc_dns_name : 'wi-pas04.intranet.DOMAIN.de'
domain_name : 'INTRANET'
pdc_name : 'WI-PAS04'
user_name : ''
server_site : 'Standardname-des-ersten-Standorts'
client_site : 'Standardname-des-ersten-Standorts'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
finddcs: Found matching DC 192.168.200.14 with server_type=0x000001fc
Found DC wi-pas04.intranet.DOMAIN.de
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255
netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [INTRANET\admin]:
Received smb_krb5 packet of length 164
Received smb_krb5 packet of length 1326
Received smb_krb5 packet of length 117
Received smb_krb5 packet of length 1300
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1007, in
do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 499, in
join_add_objects
ctx.samdb.add(rec)
root@samba-dc1:/#
</code>
Axel wrote:
> Hi folks,
>
> big problem with my testing environment... my Windows 2003 domain
> exists since 2004 and the credentials are correct, guaranteed.
> This problem is actually the same on Ubuntu 12.04.3 and Debian 7...
>
> <code>
> root@pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de
>
> Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
> Found DC wi-pas01.intranet.DOMAIN.de
> Password for [INTRANET\admin]:
> workgroup is INTRANET
> realm is intranet.DOMAIN.de
> checking sAMAccountName
> Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>> <>
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 552, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 1104, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 1007, in do_join
> ctx.join_add_objects()
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 499, in join_add_objects
> ctx.samdb.add(rec)
> </code>
>
> It seems that all prerequisites are fine. DNS, ACL etc., ping works
> fine... also resolution of FQDNs
>
> Can someone help?
>
> Thanks & Cheers
> axel
>