[Samba] Unable to rejoin domain, LDAP error 50
lingpanda101 at gmail.com
Tue Apr 3 12:14:08 UTC 2018
On 4/2/2018 3:56 PM, Krzysztof Paszkowski via samba wrote:
> I'm trying to use the same hostname.
> The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services.
> Shall I try via ntdsutil?
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
> Sent: Monday, April 2, 2018 9:09 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
> On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
>> Hi all,
>> After demoting one of AD DCs, I’m unable to join the domain again.
>> Demoting was fine.
>> OS is CentOS 6
>> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at DOMAIN.NET.PL
>> Valid starting Expires Service principal
>> 04/02/18 18:44:33 04/03/18 04:44:33 krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
>> renew until 04/03/18 18:44:27
>> [root at konc-serwer samba-4.7.4]# samba-tool domain join domain.net.pl DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL
>> Finding a writeable DC for domain 'domain.net.pl'
>> Found DC dc.domain.net.pl
>> Password for [domain\administrator]:
>> workgroup is domain
>> realm is domain.net.pl
>> Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
>> Firstly I had error:
>> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
>> Can't join, error: Not removing account KONC-SERWER$ which looks like
>> a Samba DC account matching the password we already have. To override,
>> remove secrets.ldb and secrets.tdb
>> I have moved those files and cleared the private folder. I've run make install again; still the same.
>> What can I do to rejoin the domain again?
> When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?
Samba has improved in removing all entries relating to a demoted DC.
However, on my last attempt I still noticed a few lingering DNS entries.
Verify you do not have any SRV or A records associated with your demoted
DC prior to the join. Verify this with all DCs in your forest.
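One way to do that check, as an added example that is not part of this thread or of Samba's own tooling: a POSIX shell script that runs `samba-tool dns query ... @ ALL` against each remaining DC, for both the domain zone and the `_msdcs` zone, and filters the listing for any record or record-set name that still names the demoted host. The names are assumptions, not taken from the thread: the demoted host is `konc-serwer`, the remaining DC is `dc.domain.net.pl`, the zones are `domain.net.pl` and `_msdcs.domain.net.pl`, and `samba-tool` authenticates as `administrator`. The sample listing embedded in the script is constructed in the shape of `samba-tool dns query` output, not captured from a real domain.

```shell
#!/bin/sh
# Added example (not from the original thread or from Samba): find DNS records
# that still reference a demoted DC by asking every remaining DC directly.
# Assumed names (not in the thread): demoted host konc-serwer, remaining DC
# dc.domain.net.pl, zones domain.net.pl and _msdcs.domain.net.pl.
set -eu

# stale_records HOST
# Reads a `samba-tool dns query SERVER ZONE @ ALL` listing on stdin and prints
# every line that refers to HOST as a whole DNS label (case-insensitive), plus
# every record under a record-set whose own name is HOST. Output lines are
# "<record-set name>: <record line>"; the zone apex is shown as "@".
stale_records() {
    awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        BEGIN {
            # whole-label match: konc-serwer must not match konc-serwer2
            re = "(^|[^a-z0-9-])" host "([^a-z0-9-]|$)"
            node = "@"; node_stale = 0
        }
        /^[ \t]*Name=/ {
            node = $0; sub(/^[ \t]*Name=/, "", node); sub(/,.*/, "", node)
            if (node == "") node = "@"
            node_stale = (tolower(node) ~ re)
        }
        node_stale || tolower($0) ~ re {
            line = $0; sub(/^[ \t]+/, "", line)
            print node ": " line
        }
    '
}

# count_stale HOST: number of matching lines on stdin (0 means nothing found).
count_stale() {
    stale_records "$1" | wc -l | tr -d ' '
}

# check_dc DC HOST ZONE...
# Queries DC (not the domain name: replication may not have caught up, so each
# DC is asked separately) for every ZONE and prefixes matches with DC and zone.
check_dc() {
    dc=$1; host=$2; shift 2
    for zone in "$@"; do
        samba-tool dns query "$dc" "$zone" @ ALL -U administrator \
            | stale_records "$host" \
            | sed "s/^/$dc $zone /"
    done
}

# Constructed sample in the shape of a `samba-tool dns query` listing.
# It deliberately keeps a stale NS, a stale _ldap._tcp SRV and the old A record
# for konc-serwer, and a legitimate konc-serwer2 host that must not match.
SAMPLE_QUERY_OUTPUT='  Name=, Records=3, Children=0
    NS: dc.domain.net.pl. (flags=600000f0, serial=1, ttl=900)
    NS: konc-serwer.domain.net.pl. (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=1, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: dc.domain.net.pl. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
    SRV: konc-serwer.domain.net.pl. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
  Name=dc, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=1, ttl=900)
  Name=konc-serwer, Records=1, Children=0
    A: 192.0.2.11 (flags=f0, serial=1, ttl=900)
  Name=konc-serwer2, Records=1, Children=0
    A: 192.0.2.12 (flags=f0, serial=1, ttl=900)'

# Usage: ./find-stale-dc-dns.sh DEMOTED_HOST DC [DC ...]
#   e.g. ./find-stale-dc-dns.sh konc-serwer dc.domain.net.pl
# With no arguments, run the filter over the constructed sample only.
if [ $# -ge 2 ]; then
    demoted=$1; shift
    for dc in "$@"; do
        check_dc "$dc" "$demoted" domain.net.pl _msdcs.domain.net.pl
    done
else
    echo "stale records for konc-serwer in the constructed sample:"
    printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | stale_records konc-serwer
fi
```

The `_msdcs` zone matters as much as the domain zone: the demoted DC's NTDS GUID CNAME lives there and points at the old host name, so it shows up in this filter as a CNAME line naming `konc-serwer`. Anything the script reports can be removed with `samba-tool dns delete SERVER ZONE NAME TYPE DATA` against the DC that still holds it, and the check should then be repeated on every DC before retrying the join.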