[Samba] Unable to rejoin domain, LDAP error 50
Krzysztof Paszkowski
kylo at kimpa.pl
Mon Apr 2 18:36:26 UTC 2018
Hi,
Thanks for the answer.
Unfortunally verbose option didn't get anything new.
[root at konc-serwer samba-4.7.6]# samba-tool domain join domain.net.pl DC --verbose -U Administrator --password='mypasswordwashere'
Finding a writeable DC for domain 'domain.net.pl'
Found DC dc.domain.net.pl
workgroup is DOMAIN
realm is domain.net.pl
Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
ctx.do_join()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
ctx.samdb.add(rec)
Administrator should have all rights.
I was trying different account (member of Domain Admins), also with no luck.
What else can I do?
Regards,
Kris
-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Monday, April 2, 2018 8:27 PM
To: samba at lists.samba.org
Cc: Krzysztof Paszkowski
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
On Mon, 2 Apr 2018 19:47:11 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
>
> OS is Centos 6
> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at DOMAIN.NET.PL
>
> Valid starting Expires Service principal
> 04/02/18 18:44:33 04/03/18 04:44:33
> krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL renew until 04/03/18 18:44:27
> [root at konc-serwer samba-4.7.4]# [root at konc-serwer samba-4.7.4]#
> samba-tool domain join domain.net.pl DC -U"domain\administrator"
> --dns-backend=SAMBA_INTERNAL
Try running the command like this:
samba-tool domain join domain.net.pl DC -U Administrator --password=<Administrators password>
If that doesn't work, try adding '--verbose' to the command and see if anything pops out.
At first sight, it looks like 'Administrator' doesn't have the right permissions to join a DC to the domain, so you might want to check just what rights the Administrator has.
Rowland
More information about the samba
mailing list