[Samba] Unable to rejoin domain, LDAP error 50

lingpanda101 lingpanda101 at gmail.com
Tue Apr 3 12:14:08 UTC 2018 

On 4/2/2018 3:56 PM, Krzysztof Paszkowski via samba wrote:
> I'm trying to use the same hostname.
> The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services.
> Shall I try via ntdsutil?
>
> Regards,
> Kris
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: Monday, April 2, 2018 9:09 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
>
> On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
>> Hi all,
>>
>> After demoting one of AD DCs, I’m unable to join the domain again.
>> Demoting was fine.
>>
>> OS is Centos 6
>> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>>
>>
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at DOMAIN.NET.PL
>>
>> Valid starting     Expires            Service principal
>> 04/02/18 18:44:33  04/03/18 04:44:33  krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
>>           renew until 04/03/18 18:44:27 [root at konc-serwer samba-4.7.4]#
>> [root at konc-serwer samba-4.7.4]#  samba-tool domain join domain.net.pl
>> DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL Finding a writeable DC for domain 'domain.net.pl'
>> Found DC dc.domain.net.pl
>> Password for [domain\administrator]:
>> workgroup is domain
>> realm is domain.net.pl
>> Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>>       return self.run(*args, **kwargs)
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>>       machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>>       ctx.do_join()
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>>       ctx.join_add_objects()
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
>>       ctx.samdb.add(rec)
>>
>> Firstly I had error:
>> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
>> Can't join, error: Not removing account KONC-SERWER$ which looks like
>> a Samba DC account maching the password we already have.  To override,
>> remove secrets.ldb and secrets.tdb
>>
>> I have moved that files, cleared private folder. I’ve run make install again - still the same.
>>
>> What can I do to rejoin the domain again?
>>
>>
>> Regards,
>> Kris
> When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?
>
> --
> --
> James
>
>
Samba has improved in removing all entries relating to a demoted DC. 
However my last attempt I still noticed a few lingering DNS entries. 
Verify you do not have any SRV or A records associated with your demoted 
DC prior to the join. Verify this with all DC's in your forest.

-- 
--
James

More information about the samba mailing list