[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Mon Apr 2 17:47:11 UTC 2018


Hi all,

After demoting one of AD DCs, I’m unable to join the domain again.
Demoting was fine.

OS is Centos 6
Samba 4.7.6 (it doesn't work with 4.7.4 either), built from source.


klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at DOMAIN.NET.PL

Valid starting     Expires            Service principal
04/02/18 18:44:33  04/03/18 04:44:33  krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
        renew until 04/03/18 18:44:27
[root at konc-serwer samba-4.7.4]#
[root at konc-serwer samba-4.7.4]#  samba-tool domain join domain.net.pl DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'domain.net.pl'
Found DC dc.domain.net.pl
Password for [domain\administrator]:
workgroup is domain
realm is domain.net.pl
Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
    ctx.samdb.add(rec)

At first I had this error:
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: Not removing account KONC-SERWER$ which looks like a Samba DC account maching the password we already have.  To override, remove secrets.ldb and secrets.tdb

I have moved those files and cleared the private folder. I've run make install again - still the same.

What can I do to rejoin the domain again?


Regards,
Kris
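The LDAP error above names a specific userAccountControl bit, UF_TRUSTED_FOR_DELEGATION, that a DC machine account carries and that the joining user may only write when it holds SeEnableDelegationPrivilege. The following is an added example, not code from the post or from Samba: it decodes the well-known userAccountControl bit values (from the Windows UAC attribute definition) over a small, constructed LDIF-style listing and reports which accounts have the delegation bit set, which is the same check an admin would run when auditing unconstrained delegation on a domain. The sample records and their UAC values are constructed for illustration; the DC account value 532480 is UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION.

```python
"""Decode userAccountControl bits and flag accounts trusted for delegation.

Added example (not from the mailing list post or the Samba source). Input is
constructed LDIF-style text with one decimal userAccountControl per record.
"""

# Bit values of the Windows userAccountControl attribute (well-known constants).
UAC_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
UF_TRUSTED_FOR_DELEGATION = 0x00080000

# Constructed sample listing (not real directory data): a DC account as the
# join would create it, a plain workstation account and an ordinary user.
SAMPLE_LDIF = """\
dn: CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
sAMAccountName: KONC-SERWER$
userAccountControl: 532480

dn: CN=WS01,CN=Computers,DC=domain,DC=net,DC=pl
sAMAccountName: WS01$
userAccountControl: 4096

dn: CN=kris,CN=Users,DC=domain,DC=net,DC=pl
sAMAccountName: kris
userAccountControl: 66048
"""


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of single-valued attributes."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, val = line.partition(": ")
        current[key] = val
    if current:
        records.append(current)
    return records


def delegation_accounts(text):
    """List (dn, decoded flags) for every record with UF_TRUSTED_FOR_DELEGATION set.

    Writing this bit on an object is what the DC join attempts, and what the
    server refuses without SeEnableDelegationPrivilege.
    """
    found = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if uac & UF_TRUSTED_FOR_DELEGATION:
            found.append((rec["dn"], decode_uac(uac)))
    return found


if __name__ == "__main__":
    for dn, flags in delegation_accounts(SAMPLE_LDIF):
        print(dn, "->", ", ".join(flags))
```

On a live domain the same listing can be produced with `ldbsearch` or `samba-tool` output filtered to `dn` and `userAccountControl`, and the function then shows which accounts would need the delegation privilege to be written at all.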

