[Samba] help for join AD domain failure troubleshooting

zhao rong zhaorbox at gmail.com
Thu Jul 2 09:47:32 UTC 2020

After I see " Do you have sufficient permissions to create machine accounts? ", I checked my permission immediately, and even adding my account in Domain Admin could not help.

"Failed to set machine spn" means  I cannot set servicePrincipalName, then I login AD server, the machine has been created in ou=Computer, however, not spn set really, so I tried to use command "setspn" on windows server, it worked, so I should have permission on it.

Today, I noticed an error string: failed to find DC for domain PROD-USA.MYCOMPANY.COM - A domain controller for this domain was not found.

Then did a check on DNS of AD server, looked good.. .so still missing ☹

Thank you all for your kindly suggestions, I will try to dig more with Microsoft support force, just want to see if I can get more clue from samba.

Not sure how I can make debug module and using GDB to debug "net ads join" command..



On 2020/7/2, 9:12 AM, "Andrew Bartlett" <abartlet at samba.org> wrote:

    On Thu, 2020-07-02 at 05:44 +0800, rong zhao wrote:
    > Thank you @Rowland,
    > I tried the new smb.conf file, still no luck with the same error
    > message, I also reboot Linux and try too.
    > -------
    > Failed to join domain: Failed to set machine spn: Operations error
    > Do you have sufficient permissions to create machine accounts?
    > return code = -1
    > Freed frame ../../source3/utils/net.c:942, expected
    > ../../source3/libnet/libnet_join.c:506.
    > -------
    > Thank you @Andrew,
    > We never modified the "10" limit before, it really worked (maybe when
    > Ada is lad)... but about 2 months ago, it suddenly broke. 
    This was never implemented in Samba, sorry.
    > I am
    > suspecting somebody modified security options on AD servers in our
    > team, but nobody claimed that, so we have to try to figure it out
    > painfully :(
    My guess is you used a more privileged account in the past.
    Some folks delegate rights on an OU, but I've never convinced myself
    that is safe either.
    Andrew Bartlett
    Andrew Bartlett                       https://samba.org/~abartlet/
    Authentication Developer, Samba Team  https://samba.org
    Samba Developer, Catalyst IT          

More information about the samba mailing list