[Samba] Unable to rejoin domain, LDAP error 50

Krzysztof Paszkowski kylo at kimpa.pl
Wed Apr 4 08:54:22 UTC 2018


Hi,
What you are writing is strange. Are you saying that if Administrator is in the Domain Users group, ALL my users have admin rights? Hard to believe.
Moreover, I'm unable to delete Administrator from the Domain Users group, as this is my basic group (that is the information I received).

I believe the keytab is needed for something, because without it I keep receiving:
[2018/04/03 17:32:39.331938,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory

About the previous errors regarding "Decrypt integrity check failed": I just needed to wait (for the ticket time, I believe). Now it seems to be fine.

I have two more errors to resolve:

1. My two DCs: CentOS 7, Samba 4.7.6, built from source with
./configure --disable-cups
samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL

I do not use BIND, only the DNS built into Samba.

The errors in log.samba (appearing all the time):
[2018/04/04 09:46:58.532467,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/rndc: Failed to exec child - No such file or directory
[2018/04/04 09:46:58.535167,  0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
  ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL

I saw such a problem in the mailing lists almost 2 years ago. Then it ended up as a bug. What does it mean now?
On one of these DCs I've installed BIND and now the error is:
[2018/04/04 10:25:57.313345,  0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
  ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
[2018/04/04 10:26:57.344688,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found


2. KVNO mismatch on the main DC

[2018/04/03 14:36:46.822531,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/04/03 14:36:46.968728,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

kvno DC
DC at DOMAIN.NET.PL: kvno = 1

Is there any other way to increase the key version to 2 than demoting the DC and rejoining the domain?
I was trying with the command:
ktutil:  add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96
but then I'm asked to enter a password (or a key with the -key option of add_entry). Can I leave it empty and just hit the Enter key?


Any help appreciated.

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 6:27 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 18:09:18 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> There was lack of membership in Administrators domain/Builtin group.
> I had only:
> Domain Users
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins

You should only have:

Domain Admins
Administrator
Enterprise Admins

You definitely shouldn't have Domain Users, this makes ALL your domain users into admins and I don't think you want that ;-)

> 
> Any hint with the recreation of keytab file?
> 

Do you actually need the keytab? It is only required if something like Dovecot needs to auth to AD.

If you do need the keytab, you can create it with samba-tool:

samba-tool domain exportkeytab

This will create a keytab with all the keytabs in it; if you just want one keytab, add '--principal=PRINCIPAL'.

Add '--help' to the command above for more info.

Rowland
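The KVNO mismatch reported earlier in this thread ("Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab ... (aes256-cts-hmac-sha1-96)") is a lookup failure: the DC asks its keytab for a specific principal, key version and encryption type, and the file does not contain that exact triple. The following script, added here as an example and not code from the thread or from Samba, shows what that lookup involves. It builds a small MIT-format keytab in memory from constructed sample keys (not a real secrets.keytab), parses it the way a Kerberos library would, parses the log line quoted in the message, and reports whether the missing key is a kvno mismatch or an entirely absent principal/enctype. The enctype numbers (17, 18, 23) are the standard RFC 3961 assignments; the keytab layout is the version 0x0502 format used by MIT and Heimdal. Everything else (function names, sample data) is this example's own.

```python
"""Check whether a Kerberos keytab holds the key a Samba DC is asking for."""
import re
import struct
import sys

# RFC 3961 enctype numbers for the names that show up in Samba logs.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ENCTYPE_BY_NAME = {name: num for num, name in ENCTYPES.items()}
KRB5_NT_PRINCIPAL = 1
LOG_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab \S+ \((\S+)\)")


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab.

    Per entry (all big-endian): int32 size, uint16 component count, counted realm,
    counted components, uint32 name type, uint32 timestamp, uint8 vno8,
    uint16 enctype, counted key, then a trailing uint32 32-bit kvno.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype, len(key))
        body += key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(data, pos):
    """Read a uint16-length-prefixed byte string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _ntype, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        _key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present and non-zero wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        found.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return found


def parse_failure(log_line):
    """Extract (principal, kvno, enctype name) from the gensec_gssapi log line."""
    m = LOG_RE.search(log_line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def diagnose(keytab_bytes, log_line):
    """Say why the key named in the log line could not be found in the keytab."""
    principal, want_kvno, enc_name = parse_failure(log_line)
    want_enc = ENCTYPE_BY_NAME[enc_name]
    have = parse_keytab(keytab_bytes)
    if (principal, want_kvno, want_enc) in have:
        return "present"
    kvnos = sorted({k for p, k, e in have if p == principal and e == want_enc})
    if kvnos:
        return f"kvno mismatch: keytab has kvno {kvnos} for {principal}, DC wants {want_kvno}"
    return f"no {enc_name} key for {principal} at all"


# Constructed sample: the DC's keytab only knows key version 1 (dummy key bytes).
SAMPLE_KEYTAB = build_keytab([
    ("DC$@DOMAIN.NET.PL", 1, 18, bytes(range(32))),
    ("DC$@DOMAIN.NET.PL", 1, 17, bytes(range(16))),
])
SAMPLE_LOG = ("GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): "
              "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
              "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

if __name__ == "__main__":
    # Optionally point it at a real keytab: python keytab_check.py /path/to/file.keytab
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, kvno, enctype in parse_keytab(data):
        print(f"{principal:30} kvno={kvno} {ENCTYPES.get(enctype, enctype)}")
    print(diagnose(data, SAMPLE_LOG))
```

Run against the constructed keytab it prints the two kvno 1 entries and "kvno mismatch: keytab has kvno [1] for DC$@DOMAIN.NET.PL, DC wants 2", which is exactly the situation in the log: the account's key in the directory has been rotated to version 2, while the file still carries version 1. Adding a version 2 entry by hand with a made-up or empty password does not help, because the entry must hold the same key the KDC has; the keytab has to be regenerated from the directory (for example with samba-tool domain exportkeytab, as suggested above) or the machine account key re-established.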
