[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege
Rowland Penny
rpenny at samba.org
Wed Apr 23 08:25:42 UTC 2025
On Wed, 23 Apr 2025 09:32:20 +0200
PaLi via samba <samba at lists.samba.org> wrote:
> Hello
>
> I have samba4 domain running in production with 2 DC.
> 4.19.5-Ubuntu
> no SElinux
> apparmour for named, chronyd
>
> When I want to add a 3rd DC I'm getting this error:
>
> localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns forwarder=127.0.0.53" --option='server services=-dns' --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0" --option="bind interfaces only=yes" --username="OFFICE\Administrator"
> Password for [OFFICE\Administrator]:
>
>
> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is OFFICE
> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1617: realm is office.company.com
> Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain
> Controllers,DC=office,DC=company,DC=com: Updating the
> UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted
> without the SeEnableDelegationPrivilege> <>
>
It normally just works, so it is probably something on that potential
DC.
First though, you shouldn't (in my opinion) be using these options:
--server=192.168.10.1
You should let Samba find the best DC to use.
--option="dns forwarder=127.0.0.53"
This will very probably lead the DC to forwarding to itself, not a good
idea.
--option='server services=-dns'
This should be added for you by using the '--dns-backend=BIND9_DLZ'
option
You also have "--option='idmap_ldb:use rfc2307 = yes'"; if you are not
using the rfc2307 attributes, you do not require that option.
Administrator is the super user and should be able to do anything on
Linux by being mapped to 'root', unless you are using rfc2307
attributes and have given Administrator a uidNumber, when, as far as
Linux is concerned, it becomes just another user.
Rowland
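The error in the original post is about one bit in userAccountControl: the join tries to set UF_TRUSTED_FOR_DELEGATION (0x80000) on the new DC's computer object, which the directory only permits for a caller holding SeEnableDelegationPrivilege. The following is an added example, not code from the thread or from the Samba project, showing how an administrator can decode that attribute and audit which accounts in the domain carry delegation flags. It parses LDIF-style output of the kind ldbsearch or samba-tool print (the sample records below are constructed, including a DC03 object that, as in the failed join, lacks the delegation bit), and flags DC accounts missing UF_TRUSTED_FOR_DELEGATION as well as non-DC accounts that have it, since unconstrained delegation on an ordinary account is a common finding in directory reviews. The flag values are the standard Microsoft userAccountControl constants.

```python
# Added example (not from the mailing-list thread or Samba itself):
# decode userAccountControl and audit delegation-related flags.

# Standard userAccountControl bit values (MS-ADTS / Samba's samba.dsdb UF_* names).
UF_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",          # set on domain controllers
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",       # the bit the failed join tried to set
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


def decode_uac(value: int) -> list[str]:
    """Return the names of all flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]


def parse_ldif_records(text: str) -> list[dict[str, str]]:
    """Parse minimal LDIF-style output (blank-line separated 'attr: value' records)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_delegation(records: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Return (dn, finding) pairs for delegation-related anomalies."""
    findings = []
    for rec in records:
        dn = rec.get("dn", "<no dn>")
        uac = int(rec.get("userAccountControl", "0"))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        if is_dc and not uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append((dn, "DC account lacks TRUSTED_FOR_DELEGATION"))
        if not is_dc and uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append((dn, "unconstrained delegation on non-DC account"))
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((dn, "protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)"))
    return findings


# Constructed sample output, modelled on the thread's domain naming.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=office,DC=company,DC=com
userAccountControl: 532480

dn: CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
userAccountControl: 8192

dn: CN=WS01,CN=Computers,DC=office,DC=company,DC=com
userAccountControl: 4096

dn: CN=svc-web,CN=Users,DC=office,DC=company,DC=com
userAccountControl: 524800

dn: CN=Administrator,CN=Users,DC=office,DC=company,DC=com
userAccountControl: 66048
"""


def run_sample_audit() -> list[tuple[str, str]]:
    return audit_delegation(parse_ldif_records(SAMPLE_LDIF))


if __name__ == "__main__":
    for rec in parse_ldif_records(SAMPLE_LDIF):
        print(rec["dn"], decode_uac(int(rec["userAccountControl"])))
    for dn, finding in run_sample_audit():
        print("FINDING:", dn, "-", finding)
```

A healthy DC object decodes to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION (532480); on the sample data the audit reports the constructed DC03 object (8192, delegation bit absent) and the svc-web user (524800, delegation bit present on a normal account). To run it against a real domain, feed it the output of an ldbsearch or LDAP query that returns dn and userAccountControl for the objects of interest.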