[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege

Sami Hulkko sahulkko at gmail.com
Wed Apr 23 09:58:57 UTC 2025


Hi,

One can, in a Samba DC system, add Administrator to the sudo group if, as 
Rowland Penny mentioned, it has the uid, gid, home folder and default shell 
settings set and is therefore capable of logging in to the Samba system. 
samba-tool, if I recollect right, can add these attributes to a user, and 
with the Windows 11 RSAT tools in 'Active Directory Users and Computers' one 
needs to enable 'Advanced Features' from the View menu to have access to 
'Attribute Editor', where one can add them too. With sudo rights the 
Administrator can run commands with ease and no folder rights problems.

Yours,

SH

On 23/04/2025 11.25, Rowland Penny via samba wrote:
> On Wed, 23 Apr 2025 09:32:20 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
>
>> Hello
>>
>> I have samba4 domain running in production with 2 DC.
>> 4.19.5-Ubuntu
>> no SElinux
>> apparmour for named, chronyd
>>
>> When I want to add 3th DC I'm getting this error:
>>
>> localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC
>> --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns
>> forwarder=127.0.0.53" --option='server services=-dns'
>> --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0"
>> --option="bind interfaces only=yes" --username="OFFICE\Administrator"
>> Password for [OFFICE\Administrator]:
>>
>>
>> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is OFFICE
>> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1617: realm is office.company.com
>> Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
>>
> It normally just works, so it is probably something on that potential
> DC.
>
> First though, you shouldn't (in my opinion) be using these options:
>
> --server=192.168.10.1
>
> You should let Samba find the best DC to use.
>
> --option="dns forwarder=127.0.0.53"
>
> This will very probably lead the DC to forwarding to itself, not a good
> idea.
>
> --option='server services=-dns'
>
> This should be added for you by using the '--dns-backend=BIND9_DLZ'
> option.
>
> You also have "--option='idmap_ldb:use rfc2307 = yes'", if you are not
> using the rfc2307 attributes, you do not require that
> option.
>
> Administrator is the super user and should be able to do anything on
> Linux by being mapped to 'root', unless you are using rfc2307
> attributes and have given Administrator a uidNumber, when, as far as
> Linux is concerned, it becomes just another user.
>
> Rowland
>
-- 
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com
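Added example, not part of the thread and not Samba's own code: a small POSIX shell script that parses the two checks an admin would run on an existing DC before retrying the join, namely which accounts hold the SeEnableDelegationPrivilege named in the error (from `net rpc rights list accounts`) and which RFC2307 attributes Administrator carries (from `samba-tool user show Administrator`, the attributes Rowland and Sami discuss). The sample texts below are constructed, and the output layout of those two commands is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample texts are constructed.
# Assumed live commands, run on an existing DC as root:
#   net rpc rights list accounts -U Administrator | accounts_with_priv SeEnableDelegationPrivilege
#   samba-tool user show Administrator            | rfc2307_attrs

# Print every account that holds the given privilege. Assumed layout of
# 'net rpc rights list accounts': an account name line, then one privilege
# per line (or "No privileges assigned"), blocks separated by blank lines.
accounts_with_priv() {
    awk -v want="$1" '
        /^$/        { acct = ""; next }   # blank line ends the block
        acct == ""  { acct = $0; next }   # first line of a block is the account
        $0 == want  { print acct }        # privilege line matches the one wanted
    '
}

# Print the RFC2307 attributes present on a user object given as LDIF.
# A uidNumber here is what makes Administrator "just another user" to Linux.
rfc2307_attrs() {
    grep -Eo '^(uidNumber|gidNumber|unixHomeDirectory|loginShell):' | tr -d ':' | sort -u
}

# Constructed sample of 'net rpc rights list accounts' output.
SAMPLE_RIGHTS='BUILTIN\Administrators
SeMachineAccountPrivilege
SeEnableDelegationPrivilege

OFFICE\Domain Admins
No privileges assigned
'

# Constructed sample of 'samba-tool user show Administrator' output.
SAMPLE_USER='dn: CN=Administrator,CN=Users,DC=office,DC=company,DC=com
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash
'

holders=$(printf '%s' "$SAMPLE_RIGHTS" | accounts_with_priv SeEnableDelegationPrivilege)
echo "SeEnableDelegationPrivilege holders: $holders"
attrs=$(printf '%s' "$SAMPLE_USER" | rfc2307_attrs | tr '\n' ' ')
echo "RFC2307 attributes on Administrator: $attrs"
```

If the joining account (or a group it belongs to) is absent from the holders list, the join will fail exactly as shown in the thread regardless of the other options, so that is the first thing to confirm.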
