Phil Quesinberry
2013-May-01 14:59 UTC
[Samba] 4.05 stable - domain join attempt failing with "NO DNS zone information found in source domain, not replicating DNS", followed by LDAP error 50
I've been trying to join Samba 4.05 stable to an existing Windows 2000 domain but keep getting an LDAP error 50 - LDAP_INSUFFICIENT_ACCESS_RIGHTS despite attempting to join with the Windows administrator account.

I did a capture of the network traffic generated by the failure for more information on what's going on and discovered the following:

First Samba does an LDAP ROOT bind request to the existing PDC as administrator (NTLMSSP_AUTH, user: DOMAIN\administratorsasl) which succeeds, so Samba's error message is somewhat misleading (to me); I was interpreting that as an error connecting to LDAP.

But then I see a bunch of LDAP SASL GSS-API Integrity request/response packets Wireshark is apparently unable to decode, so it gives the following:

    GSS-API>SPNEGO>BER error: Wrong tag in tagged type - expected class APPLICATION(1) tag:0 ('end of content') but found class:UNIVERSAL(0) tag:1

Finally, the exchange ends with a timestamp and timestamp echo reply exchange. I'm guessing this is Kerberos related:

    Samba --> PDC - LDAP (FIN, ACK) Seq=.....TSV=55321631 TSER=722686
    PDC --> Samba - TSV=722686 TSER=55321631
    PDC --> SAMBA - TSV=722686 TSER=55321631
    SAMBA --> PDC - TSV=55321632 TSER = 722686

Could this be a compatibility problem with Samba and the old Win2K server, or is there some other problem? The "NO DNS zone information found in source domain, not replicating DNS" error concerns me. I'd really like to understand why this isn't working. I can provide additional info/screenshots/PCAP data if desired.
CLI output follows. SERVER.HERSCHLAUREN is the current Win2K DC, SERVER1 is the joining Samba server:

    [root at Server1 hldata]# samba-tool domain join HERSCHLAUREN DC -U herschlauren/administrator
    Finding a writeable DC for domain 'HERSCHLAUREN'
    Found DC SERVER.HERSCHLAUREN
    Password for [HERSCHLAUREN\administrator]:
    NO DNS zone information found in source domain, not replicating DNS
    workgroup is HERSCHLAUREN
    realm is HERSCHLAUREN
    checking sAMAccountName
    Adding CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN
    Join failed - cleaning up
    checking sAMAccountName
    ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0ADA, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0> <>
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
        machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1104, in join_DC
        ctx.do_join()
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1007, in do_join
        ctx.join_add_objects()
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 499, in join_add_objects
        ctx.samdb.add(rec)

Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com
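The ldb error line quoted above packs three separately meaningful values into one string: the LDAP result code (50), the Win32 error code in the leading hex field of the Active Directory extended error (00000522), and the directory-service "problem" code with its name (4003, INSUFF_ACCESS_RIGHTS). Reading them apart is the first step in working out which side refused what. The decoder below is an added example for this thread, not code from the post or from Samba; the sample text is the error line and two traceback frames copied from the post, and the Win32 name table is a constructed subset of the public Win32 error list.

```python
import re
from typing import Optional

# Constructed subset of Win32 error codes (value -> symbolic name). The
# leading 8-digit hex field of the AD extended error string is one of these.
WIN32_NAMES = {
    0x0005: "ERROR_ACCESS_DENIED",
    0x0522: "ERROR_PRIVILEGE_NOT_HELD",
    0x0525: "ERROR_NO_SUCH_USER",
    0x052E: "ERROR_LOGON_FAILURE",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}

# "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS" as printed by samba-tool.
LDAP_ERROR_RE = re.compile(r"LDAP error (\d+) (LDAP_[A-Z_]+)")
# AD extended error: <win32hex: Category: DSID-xxxx, problem NNNN (NAME), data N>
AD_EXT_RE = re.compile(
    r"<([0-9A-Fa-f]{8}): (\w+): DSID-([0-9A-Fa-f]+), "
    r"problem (\d+) \((\w+)\), data (-?\d+)>"
)
# Python traceback frame line; the last one names the Samba step that raised.
TRACE_FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')


def parse_ldb_error(text: str) -> Optional[dict]:
    """Split an 'ERROR(ldb): ... LDAP error N NAME - <...>' message into fields.

    Returns None when no LDAP error line is present. The extended-error
    fields stay None when the server did not attach one.
    """
    m = LDAP_ERROR_RE.search(text)
    if m is None:
        return None
    result = {
        "ldap_code": int(m.group(1)),
        "ldap_name": m.group(2),
        "win32_code": None, "win32_name": None, "category": None,
        "dsid": None, "problem": None, "problem_name": None, "data": None,
    }
    ext = AD_EXT_RE.search(text)
    if ext is not None:
        code = int(ext.group(1), 16)
        result.update({
            "win32_code": code,
            "win32_name": WIN32_NAMES.get(code, "UNKNOWN_0x%X" % code),
            "category": ext.group(2),
            "dsid": ext.group(3),
            "problem": int(ext.group(4)),
            "problem_name": ext.group(5),
            "data": int(ext.group(6)),
        })
    return result


def failing_step(text: str) -> Optional[str]:
    """Innermost Samba function in the traceback (e.g. join_add_objects), or None."""
    frames = TRACE_FRAME_RE.findall(text)
    return frames[-1][2] if frames else None


def summarize(text: str) -> str:
    """One-line summary suitable for a ticket, with each code decoded separately."""
    info = parse_ldb_error(text)
    if info is None:
        return "no LDAP error found"
    parts = ["LDAP %d %s" % (info["ldap_code"], info["ldap_name"])]
    if info["win32_code"] is not None:
        parts.append("win32 0x%04X %s" % (info["win32_code"], info["win32_name"]))
        parts.append("%s problem %d %s" % (info["category"], info["problem"], info["problem_name"]))
        parts.append("DSID %s" % info["dsid"])
    step = failing_step(text)
    if step:
        parts.append("in %s" % step)
    return "; ".join(parts)


# Sample input copied from the post: the ldb error line plus two traceback frames.
SAMPLE = (
    "ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - "
    "<00000522: SecErr: DSID-031A0ADA, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0>\n"
    'File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1007, in do_join\n'
    'File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 499, in join_add_objects\n'
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the line in the post this yields LDAP 50, Win32 0x0522 (ERROR_PRIVILEGE_NOT_HELD), SecErr problem 4003 INSUFF_ACCESS_RIGHTS, DSID 031A0ADA, raised in join_add_objects, which is the step right after "Adding CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN" in the output. The DSID is an internal location marker inside the directory service code rather than something to decode locally; the Win32 and problem codes are the values worth looking up.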