[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join

Rowland Penny rpenny at samba.org
Wed Oct 3 09:49:49 UTC 2018


On Wed, 3 Oct 2018 11:33:04 +0200
Fabio Fantoni <fabio.fantoni at m2r.biz> wrote:

> > Hmm 'ERROR: incorrect DN SID component for member in object
> > CN=Domain Users,CN=Users,DC=m2r,DC=local '
> >
> > There shouldn't be any 'member' attributes in the 'Domain Users'
> > object, all users are automatically members of 'Domain Users'.
> > Have you done something strange, such as changing all (or some) of
> > your users primaryGroupID attributes ?
> >
> > Rowland
> >
> Yes, we had to change the primary group of users that need 2-factor
> authentication with duo security or duo will, and we also had to add a
> windows 2008r2 dc for it because it was impossible to have duo active
> directory sync working when connecting to the samba4 dc.
> 
> I don't know if the duo issue is related to something not working in
> the samba main controller, but other windows/linux clients seem ok with
> the domain.
> 
> 

The error message is telling you it cannot fix a user problem because
it expects the user to be a member of Domain Users, which it is, but
in the wrong way.

I have been saying for some time 'Do not change a user's primaryGroupID
attribute'. I now have proof it is definitely not a good idea.

Where to go from here ?
I suspect you are going to have to undo what you have done and find
another way of doing 2 factor authentication.

Rowland
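An added example (not from this thread or from Samba itself) that checks offline for the two conditions described above: a 'member' attribute present on 'Domain Users', whose SID component does not match the referenced user's objectSid, and users whose primaryGroupID is no longer 513. The user and group records are constructed sample data in a made-up domain; a real run would feed it entries exported with ldbsearch or samba-tool.

```python
import re

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in every AD domain
EXT_DN_RE = re.compile(r"^<SID=(?P<sid>S-[\d-]+)>;(?P<dn>.+)$")


def parse_member(value):
    """Split an extended DN '<SID=...>;CN=...' into (sid, dn); a plain DN gives (None, dn)."""
    m = EXT_DN_RE.match(value)
    return (m.group("sid"), m.group("dn")) if m else (None, value)


def audit_domain_users(users, domain_users):
    """Return a list of findings (strings); an empty list means the objects look consistent.
    users: dicts with dn, objectSid, primaryGroupID (all strings).
    domain_users: dict with objectSid and an optional member list."""
    findings = []
    by_dn = {u["dn"].lower(): u for u in users}
    for value in domain_users.get("member", []):
        sid, dn = parse_member(value)
        # Domain Users must not carry member attributes: membership is implied
        # by primaryGroupID, so any value here is a finding by itself.
        findings.append(f"unexpected member on Domain Users: {dn}")
        target = by_dn.get(dn.lower())
        if target is None:
            findings.append(f"member {dn} does not resolve to a user")
        elif sid is not None and sid != target["objectSid"]:
            # the stored SID component is stale or wrong for the object it points at
            findings.append(f"incorrect DN SID component for member {dn}: {sid} != {target['objectSid']}")
    for u in users:
        if int(u["primaryGroupID"]) != DOMAIN_USERS_RID:
            findings.append(f"{u['dn']}: primaryGroupID is {u['primaryGroupID']}, expected {DOMAIN_USERS_RID}")
    return findings


# Constructed sample data: a made-up domain SID, one untouched user and one
# whose primary group was changed, leaving a stale member entry on Domain Users.
DOM = "S-1-5-21-111-222-333"
SAMPLE_USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=test", "objectSid": f"{DOM}-1105", "primaryGroupID": "513"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=test", "objectSid": f"{DOM}-1106", "primaryGroupID": "1110"},
]
SAMPLE_DOMAIN_USERS = {
    "objectSid": f"{DOM}-513",
    "member": [f"<SID={DOM}-9999>;CN=bob,CN=Users,DC=example,DC=test"],
}

if __name__ == "__main__":
    for line in audit_domain_users(SAMPLE_USERS, SAMPLE_DOMAIN_USERS):
        print(line)
```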