[Samba] Unable to rejoin domain, LDAP error 50
Krzysztof Paszkowski
kylo at kimpa.pl
Mon Apr 2 19:56:23 UTC 2018
I'm trying to use the same hostname.
The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services.
Shall I try via ntdsutil?
Regards,
Kris
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: Monday, April 2, 2018 9:09 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
> Hi all,
>
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
>
> OS is Centos 6
> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at DOMAIN.NET.PL
>
> Valid starting Expires Service principal
> 04/02/18 18:44:33 04/03/18 04:44:33 krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
> renew until 04/03/18 18:44:27 [root at konc-serwer samba-4.7.4]#
> [root at konc-serwer samba-4.7.4]# samba-tool domain join domain.net.pl
> DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL Finding a writeable DC for domain 'domain.net.pl'
> Found DC dc.domain.net.pl
> Password for [domain\administrator]:
> workgroup is domain
> realm is domain.net.pl
> Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
> ctx.join_add_objects()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
> ctx.samdb.add(rec)
>
> Firstly I had error:
> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
> Can't join, error: Not removing account KONC-SERWER$ which looks like
> a Samba DC account maching the password we already have. To override,
> remove secrets.ldb and secrets.tdb
>
> I have moved that files, cleared private folder. I’ve run make install again - still the same.
>
> What can I do to rejoin the domain again?
>
>
> Regards,
> Kris
When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?
--
--
James
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list