[Samba] help for join AD domain failure troubleshooting
zhao rong
zhaorbox at gmail.com
Thu Jul 2 09:47:32 UTC 2020
After I saw "Do you have sufficient permissions to create machine accounts?", I checked my permissions immediately, and even adding my account to Domain Admin could not help.
"Failed to set machine spn" means I cannot set servicePrincipalName. I then logged in to the AD server: the machine had been created in ou=Computer, but no SPN was actually set, so I tried the "setspn" command on the Windows server. It worked, so I should have permission for it.
Today, I noticed an error string: failed to find DC for domain PROD-USA.MYCOMPANY.COM - A domain controller for this domain was not found.
Then I did a check on the DNS of the AD server; it looked good... so still missing ☹
Thank you all for your kind suggestions. I will try to dig more with the Microsoft support force; I just want to see if I can get more clues from Samba.
Not sure how I can make a debug module and use GDB to debug the "net ads join" command...
Thanks.
Rong
On 2020/7/2, 9:12 AM, "Andrew Bartlett" <abartlet at samba.org> wrote:
On Thu, 2020-07-02 at 05:44 +0800, rong zhao wrote:
> Thank you @Rowland,
>
> I tried the new smb.conf file, still no luck with the same error
> message. I also rebooted Linux and tried again.
>
> -------
> Failed to join domain: Failed to set machine spn: Operations error
> Do you have sufficient permissions to create machine accounts?
> return code = -1
> Freed frame ../../source3/utils/net.c:942, expected
> ../../source3/libnet/libnet_join.c:506.
> -------
>
> Thank you @Andrew,
>
> We never modified the "10" limit before, it really worked (maybe when
> Ada is lad)... but about 2 months ago, it suddenly broke.
This was never implemented in Samba, sorry.
> I am
> suspecting somebody modified security options on AD servers in our
> team, but nobody claimed that, so we have to try to figure it out
> painfully :(
My guess is you used a more privileged account in the past.
Some folks delegate rights on an OU, but I've never convinced myself
that is safe either.
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba