[Samba] Unable to join DC to existing AD domain

Mat samba at aceserv.net
Tue Apr 22 01:21:51 UTC 2025


I'm unable to join a new DC to our existing domain after following the 
instructions on the wiki:

# samba-tool domain join company.net DC -U"COMPANY\Administrator"
INFO 2025-04-21 18:54:27,655 pid:1090 /usr/local/lib/python3.11/site-packages/samba/join.py #106: Finding a writeable DC for domain 'company.net'
INFO 2025-04-21 18:54:27,664 pid:1090 /usr/local/lib/python3.11/site-packages/samba/join.py #108: Found DC dc4.company.net
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication

I get the same error when trying to pass the password using 
--password=<password>. I'm also getting that same error when trying to 
perform an online backup from the existing DC:

# samba-tool domain backup online --server=dc4 --targetdir=/home/admin/dc4 -U administrator
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication

I have tried different syntaxes for providing the username, but they all 
produce the same error.

DC4 is our only DC at the moment and has all FSMO roles. The rest of the 
domain appears to be working fine: clients can authenticate, I can 
access DC4 using the RSAT tools, and I can join clients/members to the 
domain using the same credentials. We previously demoted an offline 
AD DC following the guide on the wiki, and I'm wondering whether that's 
related, but I didn't find any traces of the old DC left in AD.

Samba 4.19_5 on FreeBSD 14.2-p2.

smb4.conf:

[global]
     ad dc functional level = 2016
     allow dns updates = nonsecure and secure
     bind interfaces only = Yes
     deadtime = 5
     disable spoolss = Yes
     dns forwarder = 8.8.8.8
     dns update command = /usr/local/sbin/samba_dnsupdate
     dns zone transfer clients allow = 192.168.50.5 192.168.10.4
     interfaces = em0
     log level = 1
     max log size = 1000
     netbios name = DC4
     nsupdate command = /usr/local/bin/samba-nsupdate -g
     panic action = /usr/local/etc/rc.d/samba_server restart
     printcap name = /dev/null
     realm = company.net
     server role = active directory domain controller
     server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
     template homedir = /home/%U
     template shell = /bin/tcsh
     tls cafile =
     tls certfile = /etc/letsencrypt/live/dc4.company.net/fullchain.pem
     tls keyfile = /etc/letsencrypt/live/dc4.company.net/privkey.pem
     tls verify peer = ca_and_name
     workgroup = COMPANY
     aio read size = 16384
     aio write size = 16384
     csc policy = disable
     delete veto files = Yes
     ea support = Yes
     inherit acls = Yes
     store dos attributes = Yes
     veto files = /Thumbs.db/.DS_Store/.TemporaryItems/._.TemporaryItems/._.apdisk/.apdisk/Network Trash Folder/

[netlogon]
     inherit permissions = Yes
     path = /var/db/samba4/sysvol/company.net/scripts
     read only = No
     vfs objects = zfsacl
     nfs4:chown = yes
     nfs4:acedup = merge
     nfs4:mode = simple

[sysvol]
     inherit permissions = Yes
     path = /var/db/samba4/sysvol
     read only = No
     vfs objects = zfsacl
     nfs4:chown = yes
     nfs4:acedup = merge
     nfs4:mode = simple

Any guidance or advice would be greatly appreciated.

Thanks!
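Added here as a worked example, not code from the original post or from Samba itself: a small Python decoder for the `0000XXXX:` prefix that samba-tool prints in the error above. That prefix is a Win32 error code in hex, the same convention Windows DCs use in front of LDAP diagnostic messages ("LdapErr: DSID-..., comment: ..., data 52e"). The decoder runs over the line from this post plus constructed Windows-style samples (labelled in the code); the symbolic names come from the public Win32/SSPI error tables, and the `is_auth_problem()` triage rule is this example's own heuristic, not a Samba diagnosis of the poster's join failure.

```python
"""Decode the Win32-style hex prefix found in AD / samba-tool LDAP error text."""
import re

# Win32 error codes that AD (and Samba emulating it) puts in front of LDAP
# diagnostic messages. Limited to codes whose meaning is well established.
DS_ERRORS = {
    0x00002020: "ERROR_DS_OPERATIONS_ERROR",      # LDAP resultCode 1 (operationsError)
    0x0000208D: "ERROR_DS_OBJ_NOT_FOUND",         # LDAP resultCode 32 (noSuchObject)
    0x00002098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",  # LDAP resultCode 50 (insufficientAccessRights)
    0x80090308: "SEC_E_INVALID_TOKEN",            # SSPI bind failure; detail is in "data"
    0x8009030C: "SEC_E_LOGON_DENIED",             # SSPI bind failure; detail is in "data"
}

# "data NNN" sub-codes that AD appends to AcceptSecurityContext (bind) failures.
LOGON_DATA = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x52F: "ERROR_ACCOUNT_RESTRICTION",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

_PREFIX = re.compile(r"\b(?P<code>[0-9A-Fa-f]{8}):\s*(?P<text>.*)$")
_DSID = re.compile(r"DSID-(?P<dsid>[0-9A-Fa-f]+)")
_DATA = re.compile(r"\bdata (?P<data>[0-9A-Fa-f]+)\b")
_PROBLEM = re.compile(r"\bproblem (?P<num>\d+) \((?P<name>[A-Z_]+)\)")


def decode(line):
    """Return a dict describing the first 8-hex-digit error code in `line`,
    or None if the line carries no such prefix."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    text = m.group("text").strip()
    info = {"code": code, "name": DS_ERRORS.get(code, "UNKNOWN"), "text": text,
            "dsid": None, "problem": None, "data": None, "data_name": None}
    d = _DSID.search(text)          # Windows-only: internal source location id
    if d:
        info["dsid"] = d.group("dsid")
    p = _PROBLEM.search(text)       # Windows-only: "problem 4003 (INSUFF_ACCESS_RIGHTS)"
    if p:
        info["problem"] = (int(p.group("num")), p.group("name"))
    dd = _DATA.search(text)         # "data 52e" etc.; only meaningful on bind failures
    if dd:
        info["data"] = int(dd.group("data"), 16)
        info["data_name"] = LOGON_DATA.get(info["data"])
    return info


def is_auth_problem(info):
    """Heuristic (this example's own rule): True when the server either rejected
    the credentials or processed the request as unauthenticated."""
    if info is None:
        return False
    if info["data"] in LOGON_DATA:
        return True
    if info["name"] in ("SEC_E_INVALID_TOKEN", "SEC_E_LOGON_DENIED"):
        return True
    return (info["name"] == "ERROR_DS_OPERATIONS_ERROR"
            and "authentication" in info["text"].lower())


SAMPLES = [
    # Line taken from the post above (Samba-generated text, re-joined onto one line).
    "ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, "
    "error: 00002020: Operation unavailable without authentication",
    # Constructed samples in the format Windows DCs return (DSIDs are illustrative).
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0",
    "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=company,DC=net'",
]


def triage(lines):
    """Summarise each line as (code name, data name, auth-related?)."""
    rows = []
    for line in lines:
        info = decode(line)
        rows.append((info["name"] if info else None,
                     info["data_name"] if info else None,
                     is_auth_problem(info)))
    return rows


if __name__ == "__main__":
    for line, row in zip(SAMPLES, triage(SAMPLES)):
        print(row, "<-", line[:70])
```

Usage: paste the full `ERROR(...)` line from samba-tool (or the "additional info:" line from ldapsearch against a Windows DC) into `SAMPLES` and run the script; an `is_auth_problem` of True tells you to look at the Kerberos/credential path first rather than at replication or schema.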
