[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Tue Apr 3 13:13:58 UTC 2018 

I've cleared all DNS records (indeed, they were still there).
I'm not sure if that was the issue, cause I've discovered that the real problem is related to insufficient Administrator rights.
I was able to join that DC to domain using credentials of my second user (member of domain admins group). The first one had to get out from Domain admins. Can this be related to fixing the attributes during update process (samba-tool dbcheck --cross-ncs --fix)? How to check admin's privileges?

That's the first problem.

The second one - I keep getting now the same error in log.samba

  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2018/04/03 15:08:05.924388,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)


Can this be related to the new key of host in keytab?
I've renamed /usr/local/samba and made "make install" to create all paths.

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: Tuesday, April 3, 2018 2:14 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On 4/2/2018 3:56 PM, Krzysztof Paszkowski via samba wrote:
> I'm trying to use the same hostname.
> The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services.
> Shall I try via ntdsutil?
>
> Regards,
> Kris
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> lingpanda101 via samba
> Sent: Monday, April 2, 2018 9:09 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
>
> On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
>> Hi all,
>>
>> After demoting one of AD DCs, I’m unable to join the domain again.
>> Demoting was fine.
>>
>> OS is Centos 6
>> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
>>
>>
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at DOMAIN.NET.PL
>>
>> Valid starting     Expires            Service principal
>> 04/02/18 18:44:33  04/03/18 04:44:33  krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
>>           renew until 04/03/18 18:44:27 [root at konc-serwer 
>> samba-4.7.4]# [root at konc-serwer samba-4.7.4]#  samba-tool domain join 
>> domain.net.pl DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL Finding a writeable DC for domain 'domain.net.pl'
>> Found DC dc.domain.net.pl
>> Password for [domain\administrator]:
>> workgroup is domain
>> realm is domain.net.pl
>> Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>>       return self.run(*args, **kwargs)
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>>       machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>>       ctx.do_join()
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>>       ctx.join_add_objects()
>>     File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
>>       ctx.samdb.add(rec)
>>
>> Firstly I had error:
>> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - 
>> Can't join, error: Not removing account KONC-SERWER$ which looks like 
>> a Samba DC account maching the password we already have.  To 
>> override, remove secrets.ldb and secrets.tdb
>>
>> I have moved that files, cleared private folder. I’ve run make install again - still the same.
>>
>> What can I do to rejoin the domain again?
>>
>>
>> Regards,
>> Kris
> When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?
>
> --
> --
> James
>
>
Samba has improved in removing all entries relating to a demoted DC. 
However my last attempt I still noticed a few lingering DNS entries. 
Verify you do not have any SRV or A records associated with your demoted DC prior to the join. Verify this with all DC's in your forest.

--
--
James


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list