[Samba] Unable to rejoin domain, LDAP error 50
Krzysztof Paszkowski
kylo at kimpa.pl
Wed Apr 4 08:54:22 UTC 2018
Hi,
This is strange what you are writing. Are you saying, that if Administrator is in Domain Users group = ALL my users have admins rights? Hard to believe.
Moreover, I'm unable to delete Administrator from Domain Users group, as this is my basic group (I received such an info).
I believe the keytab is needed to sth, cause without it I keep receiving:
[2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory
About previous errors according: " Decrypt integrity check failed " - I just needed to wait (I believe the ticket time). Now it seems to be fine.
I have two more errors to resolve:
1. Two my DCs: Centos 7, Samba 4.7.6, built from sources with
./configure --disable-cups
samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
I do not use bind, only DNS build-in samba.
The errors in log.samba (all the time):
[2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/rndc: Failed to exec child - No such file or directory
[2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL
I saw such a problem in mailing lists, almost 2 years ago. Then it ended up as a bug. What does it mean now?
On one of these DCs I've installed bind and now the error is:
[2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
[2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
2. KVNO mismatch - on the main DC
[2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
kvno DC
DC at DOMAIN.NET.PL: kvno = 1
Is there any other way to increase the key version to 2 than demote dc and rejoin domain?
I was trying with the command:
ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96
but then I'm asking to enter password (or key with -key option in add_entry) - can I leave it empty, just hit enter key?
Any help appreciated.
Regards,
Kris
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 6:27 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50
On Tue, 3 Apr 2018 18:09:18 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:
> There was lack of membership in Administrators domain/Builtin group.
> I had only:
> Domain Users
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins
You should only have:
Domain Admins
Administrator
Enterprise Admins
You definitely shouldn't have Domain Users, this make ALL your domain users into admins and I don't think you want that ;-)
>
> Any hint with the recreation of keytab file?
>
Do you actually need the keytab ? It is only required if something like Dovecot needs to auth to AD.
If you do need the keytab, you can create it with samba-tool:
samba-tool domain exportkeytab
This will create a keytab with all the keytabs in it, if you just want one keytab, add '--principal=PRINCIPAL'.
Add '--help' to the command above for more info
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list