[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege

pavel.lisy at gmail.com
Wed Apr 23 07:32:20 UTC 2025


Hello

I have a Samba 4 domain running in production with 2 DCs.
4.19.5-Ubuntu
no SELinux
AppArmor for named, chronyd

When I want to add a 3rd DC I'm getting this error:

localadmin at dc03:~$ sudo samba-tool domain join office.company.com  DC -
-server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns
forwarder=127.0.0.53" --option='server services=-dns' --
option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0" --
option="bind interfaces only=yes" --username="OFFICE\Administrator"
Password for [OFFICE\Administrator]:


INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
packages/samba/join.py #1614: workgroup is OFFICE
INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
packages/samba/join.py #1617: realm is office.company.com
Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <Failed to add CN=DC03,OU=Domain
Controllers,DC=office,DC=company,DC=com: Updating the
UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted
without the SeEnableDelegationPrivilege> <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp,
domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1630, in
join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1518, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 645, in
join_add_objects
    ctx.samdb.add(rec, controls=controls)


The Administrator password is correct. I suspect wrong filesystem rights in
/var/lib/samba, but I don't know how to find where they could be.

Adding Samba members to the domain was working without problems.

Do you have any idea how to debug this?

Pavel
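Added example, not from Pavel's post or from Samba's own code: the error above is raised while adding the DC03 computer object, whose userAccountControl carries UF_TRUSTED_FOR_DELEGATION, and Samba refuses that write unless the joining account holds SeEnableDelegationPrivilege. The script decodes a userAccountControl value and reports which accounts carry the bit, separating DCs (where it is expected) from other accounts (unconstrained delegation, worth reviewing); the flag values are the standard ones and the sample entries are constructed.

```python
# Standard userAccountControl bits (samba.dsdb exports them under the same
# names; inlined here so the example runs without Samba installed).
UAC_FLAGS = {
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
    "UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "UF_NOT_DELEGATED": 0x100000,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}
UF_SERVER_TRUST_ACCOUNT = UAC_FLAGS["UF_SERVER_TRUST_ACCOUNT"]
UF_TRUSTED_FOR_DELEGATION = UAC_FLAGS["UF_TRUSTED_FOR_DELEGATION"]


def decode_uac(value):
    """Return the sorted names of the UF_* flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def audit_delegation(entries):
    """entries: iterable of (dn, userAccountControl) pairs.

    Returns (expected, review): DCs (server trust accounts) are expected to
    carry UF_TRUSTED_FOR_DELEGATION; any other account with the bit set is
    unconstrained delegation and belongs on the review list."""
    expected, review = [], []
    for dn, uac in entries:
        if not uac & UF_TRUSTED_FOR_DELEGATION:
            continue
        (expected if uac & UF_SERVER_TRUST_ACCOUNT else review).append(dn)
    return expected, review


# Constructed sample: a DC object as samba-tool creates it (0x82000), a plain
# member server, and a service account that was granted unconstrained delegation.
SAMPLE = [
    ("CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com", 0x82000),
    ("CN=FILES01,CN=Computers,DC=office,DC=company,DC=com", 0x1000),
    ("CN=svc-backup,CN=Users,DC=office,DC=company,DC=com", 0x90200),
]

if __name__ == "__main__":
    for dn, uac in SAMPLE:
        print(f"{dn}: 0x{uac:x} -> {', '.join(decode_uac(uac))}")
    expected, review = audit_delegation(SAMPLE)
    print("expected (DCs):", expected)
    print("review (unconstrained delegation on non-DC):", review)
```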


