[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Tue Apr 3 16:09:18 UTC 2018

There was a lack of membership in the Administrators domain/Builtin group.
I had only:
Domain Users
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

I've added it and I'll try. Thank you.

Any hint on the recreation of the keytab file?


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 5:53 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 17:36:35 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> I'm sorry, you're absolutely right. I'm not sure why I didn't follow 
> your hint. My fault.
> Now, it seems I have exactly the same output as you:
> [root at dc private]# net rpc rights list accounts -U Administrator
> BUILTIN\Administrators
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> SeNetworkLogonRight
> SeRemoteInteractiveLogonRight

The above is the relevant set of rights for the Administrator.

Administrator is a member of the following groups:

memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com

Amongst which is 'Administrators', so could (for whatever reason) Administrator have been removed from the 'Administrators' group?

Another thought, have you given 'Administrator' a uidNumber attribute?
Or has 'Administrator' been removed from idmap.ldb?

