[Samba] help for join AD domain failure troubleshooting

rong zhao zhaorbox at gmail.com
Sat Jul 11 23:08:41 UTC 2020


  Hi Andrew, Rowland, team,

    After checking the differences between our AD forests'
configurations, we finally figured this issue out.

   There is an attribute "Do not require Kerberos preauthentication"
on AD users. Someone in our team checked this option on all users;
after unchecking this option, we can join the AD domain normally.

   Appreciate all your suggestions!

Thanks.



On Thu, Jul 2, 2020 at 9:12 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Thu, 2020-07-02 at 05:44 +0800, rong zhao wrote:
> > Thank you @Rowland,
> >
> > I tried the new smb.conf file, still no luck with the same error
> > message. I also rebooted Linux and tried again.
> >
> > -------
> > Failed to join domain: Failed to set machine spn: Operations error
> > Do you have sufficient permissions to create machine accounts?
> > return code = -1
> > Freed frame ../../source3/utils/net.c:942, expected
> > ../../source3/libnet/libnet_join.c:506.
> > -------
> >
> > Thank you @Andrew,
> >
> > We never modified the "10" limit before, it really worked (maybe when
> > Ada is lad)... but about 2 months ago, it suddenly broke.
>
> This was never implemented in Samba, sorry.
>
> > I am
> > suspecting somebody modified security options on AD servers in our
> > team, but nobody claimed that, so we have to try to figure it out
> > painfully :(
>
> My guess is you used a more privileged account in the past.
>
> Some folks delegate rights on an OU, but I've never convinced myself
> that is safe either.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
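
An added example, not part of the original thread: a small audit that reads an LDIF export of AD user objects and lists the accounts that have "Do not require Kerberos preauthentication" set, which is bit 0x400000 (UF_DONT_REQUIRE_PREAUTH) of userAccountControl. It assumes the export contains the sAMAccountName and userAccountControl attributes; the sample entries and names are constructed.

```python
import base64

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample export (hypothetical users, not from the thread).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 4194816

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512

dn: CN=Old Service,OU=Services,DC=example,DC=test
sAMAccountName:: c3ZjLW9sZA==
userAccountControl: 4260354
"""


def parse_ldif(text):
    """Yield one dict per LDIF entry (names lower-cased, last value wins)."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.strip().lower()] = value.strip()
        if "dn" in entry:
            yield entry


def preauth_disabled(text):
    """Return (account, enabled) for each entry with the pre-auth flag set."""
    hits = []
    for entry in parse_ldif(text):
        uac = entry.get("useraccountcontrol", "")
        if uac.isdigit() and int(uac) & UF_DONT_REQUIRE_PREAUTH:
            name = entry.get("samaccountname", entry["dn"])
            hits.append((name, not int(uac) & UF_ACCOUNTDISABLE))
    return hits


if __name__ == "__main__":
    print(preauth_disabled(SAMPLE_LDIF))
```

Running this against a periodic export makes a bulk change like the one described in this thread visible as a sudden jump in flagged accounts.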


