[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Mon Apr 2 18:36:26 UTC 2018

Thanks for the answer.
Unfortunately, the verbose option didn't give anything new.

[root at konc-serwer samba-4.7.6]# samba-tool domain join domain.net.pl DC --verbose -U Administrator --password='mypasswordwashere'
Finding a writeable DC for domain 'domain.net.pl'
Found DC dc.domain.net.pl
workgroup is DOMAIN
realm is domain.net.pl
Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects

Administrator should have all rights.
I was trying a different account (member of Domain Admins), also with no luck.

What else can I do?


-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org] 
Sent: Monday, April 2, 2018 8:27 PM
To: samba at lists.samba.org
Cc: Krzysztof Paszkowski
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Mon, 2 Apr 2018 19:47:11 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> Hi all,
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
> OS is Centos 6
> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at DOMAIN.NET.PL
> Valid starting     Expires            Service principal
> 04/02/18 18:44:33  04/03/18 04:44:33
> krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL renew until 04/03/18 18:44:27 
> [root at konc-serwer samba-4.7.4]# [root at konc-serwer samba-4.7.4]#  
> samba-tool domain join domain.net.pl DC -U"domain\administrator" 
> --dns-backend=SAMBA_INTERNAL

Try running the command like this:

samba-tool domain join domain.net.pl DC -U Administrator --password=<Administrators password>

If that doesn't work, try adding '--verbose' to the command and see if anything pops out.

At first sight, it looks like 'Administrator' doesn't have the right permissions to join a DC to the domain, so you might want to check just what rights the Administrator has.
