Hi all,

After demoting one of AD DCs, I’m unable to join the domain again. Demoting was fine.

OS is Centos 6
Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at DOMAIN.NET.PL

Valid starting       Expires              Service principal
04/02/18 18:44:33    04/03/18 04:44:33    krbtgt/DOMAIN.NET.PL at DOMAIN.NET.PL
        renew until 04/03/18 18:44:27

[root at konc-serwer samba-4.7.4]#
[root at konc-serwer samba-4.7.4]# samba-tool domain join domain.net.pl DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'domain.net.pl'
Found DC dc.domain.net.pl
Password for [domain\administrator]:
workgroup is domain
realm is domain.net.pl
Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
    ctx.samdb.add(rec)

Firstly I had this error:
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: Not removing account KONC-SERWER$ which looks like a Samba DC account maching the password we already have. To override, remove secrets.ldb and secrets.tdb

I have moved those files, cleared the private folder. I’ve run make install again - still the same.

What can I do to rejoin the domain again?

Regards,
Kris
On Mon, 2 Apr 2018 19:47:11 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
>
> OS is Centos 6
> Samba 4.7.6 (with 4.7.4 doesn’t work either) built from sources.
> [...]
> [root at konc-serwer samba-4.7.4]# samba-tool domain join domain.net.pl
> DC -U"domain\administrator" --dns-backend=SAMBA_INTERNAL

Try running the command like this:

samba-tool domain join domain.net.pl DC -U Administrator --password=<Administrators password>

If that doesn't work, try adding '--verbose' to the command and see if anything pops out.

At first sight, it looks like 'Administrator' doesn't have the right permissions to join a DC to the domain, so you might want to check just what rights the Administrator has.

Rowland
Hi,

Thanks for the answer. Unfortunately the verbose option didn't get anything new.

[root at konc-serwer samba-4.7.6]# samba-tool domain join domain.net.pl DC --verbose -U Administrator --password='mypasswordwashere'
Finding a writeable DC for domain 'domain.net.pl'
Found DC dc.domain.net.pl
workgroup is DOMAIN
realm is domain.net.pl
Adding CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl: Updating the UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted without the SeEnableDelegationPrivilege> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 611, in join_add_objects
    ctx.samdb.add(rec)

Administrator should have all rights. I was trying a different account (member of Domain Admins), also with no luck.

What else can I do?

Regards,
Kris

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Monday, April 2, 2018 8:27 PM
To: samba at lists.samba.org
Cc: Krzysztof Paszkowski
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

> [...]
On 4/2/2018 1:47 PM, Krzysztof Paszkowski via samba wrote:
> Hi all,
>
> After demoting one of AD DCs, I’m unable to join the domain again.
> Demoting was fine.
> [...]
> I have moved that files, cleared private folder. I’ve run make install again - still the same.
>
> What can I do to rejoin the domain again?
>
> Regards,
> Kris

When you demoted the DC did you perform a meta cleanup? Are you reusing the same hostname?

-- 
James
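An added example (mine, not code from the thread or from Samba) that ties the LDAP error 50 in the original post to James's metadata question: a Samba DC join writes a computer object whose userAccountControl carries UF_TRUSTED_FOR_DELEGATION, a bit the target DC only accepts from a caller holding SeEnableDelegationPrivilege, and a leftover KONC-SERWER$ object from the demoted DC would carry that same bit. The script decodes userAccountControl values from an ldbsearch-style dump and reports which computer objects are DC accounts with the delegation bit set; the dump and the PC01 object are constructed, not taken from Kris's domain.

```python
# userAccountControl bit values: the documented UF_* constants (Samba exposes the
# same values in samba.dsdb); hard-coded so this runs without Samba installed.
UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000

def decode_uac(value):
    # Names of the set bits, lowest bit first; bits missing from the table come out as hex.
    return [UF_FLAGS.get(1 << b, "0x%x" % (1 << b)) for b in range(32) if value & (1 << b)]

def parse_ldif(text):
    # Minimal parser for ldbsearch-style output: blank-line-separated 'attr: value' records.
    records = []
    for chunk in text.strip().split("\n\n"):
        pairs = [line.partition(":") for line in chunk.splitlines() if ":" in line]
        records.append({attr.strip(): val.strip() for attr, _, val in pairs})
    return records

def audit(text):
    # One entry per computer object: decoded flags, whether it is a DC account
    # (UF_SERVER_TRUST_ACCOUNT), and whether it carries the delegation bit that only a
    # caller holding SeEnableDelegationPrivilege may set (the LDAP error 50 in the post).
    out = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        out.append({
            "dn": rec["dn"],
            "flags": decode_uac(uac),
            "is_dc_account": bool(uac & UF_SERVER_TRUST_ACCOUNT),
            "needs_delegation_privilege": bool(uac & UF_TRUSTED_FOR_DELEGATION),
        })
    return out

# Constructed sample standing in for the output of an ldbsearch for computer objects;
# 532480 is UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, the combination a DC account carries.
SAMPLE_LDIF = """\
dn: CN=KONC-SERWER,OU=Domain Controllers,DC=domain,DC=net,DC=pl
userAccountControl: 532480

dn: CN=PC01,CN=Computers,DC=domain,DC=net,DC=pl
userAccountControl: 4096
"""
```

Running audit() over a real dump before re-joining shows whether a stale DC object for the hostname is still present (the metadata cleanup James asks about) and which accounts hold the delegation bit.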
I'm trying to use the same hostname. The meta cleanup - I can't see the demoted controller in ADUC nor in Active Directory Sites and Services. Shall I try via ntdsutil?

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of lingpanda101 via samba
Sent: Monday, April 2, 2018 9:09 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

> [...]