[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Mon Apr 2 19:56:23 UTC 2018


I'm trying to use the same hostname.
The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services. 
Shall I try via ntdsutil?

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: Monday, April 2, 2018 9:09 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
> Hi all,
>
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
>
> OS is Centos 6
> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at DOMAIN.NET.PL
>
> Valid starting     Expires            Service principal
> 04/02/18 18:44:33  04/03/18 04:44:33  krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
>          renew until 04/03/18 18:44:27
> [root at konc-serwer samba-4.7.4]#
> [root at konc-serwer samba-4.7.4]# samba-tool domain join domain.net.pl DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'domain.net.pl'
> Found DC dc.domain.net.pl
> Password for [domain\administrator]:
> workgroup is domain
> realm is domain.net.pl
> Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
>    File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>      ctx.do_join()
>    File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>      ctx.join_add_objects()
>    File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
>      ctx.samdb.add(rec)
>
> Firstly I had error:
> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - 
> Can't join, error: Not removing account KONC-SERWER$ which looks like 
> a Samba DC account maching the password we already have.  To override, 
> remove secrets.ldb and secrets.tdb
>
> I have moved those files and cleared the private folder. I’ve run make install again - still the same.
>
> What can I do to rejoin the domain again?
>
>
> Regards,
> Kris

When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?

--
James
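The rejoin error in the quoted session is what you get when a computer object for the old DC, still carrying the DC bits in userAccountControl, is left in the directory after the demote. As an added example (not code from this thread or from Samba), the following Python decodes the userAccountControl value of an ldbsearch-style record and reports whether the object looks like a leftover DC account that needs metadata cleanup before a rejoin; the record is a constructed sample and the flag values are the standard AD userAccountControl bits.

```python
# Added example: decode userAccountControl from an ldbsearch-style record to
# spot a leftover DC computer object before attempting a rejoin.
# Flag values are the standard AD userAccountControl bits.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

# Constructed sample of what an ldbsearch for the old DC account could return.
# 532480 (0x82000) is SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, the
# combination a DC computer object normally carries.
SAMPLE_RECORD = """\
dn: CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
sAMAccountName: KONC-SERWER$
userAccountControl: 532480
"""

def parse_record(text):
    """Parse one LDIF-style record into a dict of attribute -> value."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return rec

def decode_uac(value):
    """Return the names of the userAccountControl bits set in value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def looks_like_dc_account(record):
    """True if the object carries both bits a DC computer account has,
    i.e. the stale object that blocks a rejoin until it is cleaned up."""
    uac = int(record.get("userAccountControl", "0"))
    return bool(uac & UF_SERVER_TRUST_ACCOUNT and uac & UF_TRUSTED_FOR_DELEGATION)

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["dn"], decode_uac(int(rec["userAccountControl"])),
          "leftover DC object:", looks_like_dc_account(rec))
```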

