pavel.lisy at gmail.com
2025-Apr-23 07:32 UTC
[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege
Hello,

I have a samba4 domain running in production with 2 DCs.
4.19.5-Ubuntu
no SElinux
AppArmor for named, chronyd

When I want to add a 3rd DC I'm getting this error:

localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns forwarder=127.0.0.53" --option='server services=-dns' --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0" --option="bind interfaces only=yes" --username="OFFICE\Administrator"
Password for [OFFICE\Administrator]:

INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is OFFICE
INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-packages/samba/join.py #1617: realm is office.company.com
Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1630, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1518, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 645, in join_add_objects
    ctx.samdb.add(rec, controls=controls)

The Administrator password is correct. I suspect wrong filesystem rights in /var/lib/samba, but I don't know how to find where they could be. Adding samba members to the domain was working without problem.

Do you have any idea how to debug this?

Pavel
Rowland Penny
2025-Apr-23 08:25 UTC
[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege
On Wed, 23 Apr 2025 09:32:20 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> Hello
>
> I have samba4 domain running in production with 2 DC.
> 4.19.5-Ubuntu
> no SElinux
> apparmour for named, chronyd
>
> When I want to add 3th DC I'm getting this error:
>
> localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC
> --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns
> forwarder=127.0.0.53" --option='server services=-dns'
> --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0"
> --option="bind interfaces only=yes" --username="OFFICE\Administrator"
> Password for [OFFICE\Administrator]:
>
>
> INFO 2025-04-23 09:16:58,137 pid:25203
> /usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is OFFICE
> INFO 2025-04-23 09:16:58,137 pid:25203
> /usr/lib/python3/dist-packages/samba/join.py #1617: realm is office.company.com
> Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain
> Controllers,DC=office,DC=company,DC=com: Updating the
> UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted
> without the SeEnableDelegationPrivilege> <>
>

It normally just works, so it is probably something on that potential DC.

First though, you shouldn't (in my opinion) be using these options:

--server=192.168.10.1
You should let Samba find the best DC to use.

--option="dns forwarder=127.0.0.53"
This will very probably lead the DC to forwarding to itself, not a good idea.

--option='server services=-dns'
This should be added for you by using the '--dns-backend=BIND9_DLZ' option.

You also have "--option='idmap_ldb:use rfc2307 = yes'"; if you are not using the rfc2307 attributes, you do not require that option.
Administrator is the super user and should be able to do anything on Linux by being mapped to 'root', unless you are using rfc2307 attributes and have given Administrator a uidNumber, when, as far as Linux is concerned, it becomes just another user.

Rowland