I'm sorry, you're absolutely right. I'm not sure why I didn't follow your hint. My fault. Now, it seems I have exactly the same output as you: [root at dc private]# net rpc rights list accounts -U Administrator Enter Administrator's password: BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight SeNetworkLogonRight SeRemoteInteractiveLogonRight BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege What can be the reason of DC joining failure? Keytab. My is /usr/local/samba/private/secrets.keytab - it is created during domain joining. I'm now aware hot to create it by myself. I saw utils like: kutils, kadmin and ktpass (in Windows). Can this be done easier? Regards, Kris -----Original Message----- From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba Sent: Tuesday, April 3, 2018 3:36 PM To: samba at lists.samba.org Cc: Krzysztof Paszkowski <kylo at kimpa.pl> Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50 On Tue, 3 Apr 2018 15:13:58 +0200 Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:> I've cleared all DNS records (indeed, they were still there). > I'm not sure if that was the issue, cause I've discovered that the > real problem is related to insufficient Administrator rights.Funny, if I had thought of that, I would have written something like: At first sight, it looks like 'Administrator' doesn't have the right permissions to join a DC to the domain, so you might want to check just what rights the Administrator has. Wait a minute, I DID!> I was > able to join that DC to domain using credentials of my second user > (member of domain admins group). The first one had to get out from > Domain admins. Can this be related to fixing the attributes during > update process (samba-tool dbcheck --cross-ncs --fix)? How to check > admin's privileges? > > That's the first problem.Try: net rpc rights list accounts -U Administrator It should ask you for the Administrator password and then print something like this: BUILTIN\Print Operators SeLoadDriverPrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Account Operators SeInteractiveLogonRight BUILTIN\Backup Operators SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Administrators SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeSystemtimePrivilege SeShutdownPrivilege SeRemoteShutdownPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeInteractiveLogonRight SeNetworkLogonRight SeRemoteInteractiveLogonRight BUILTIN\Server Operators SeBackupPrivilege SeSystemtimePrivilege SeRemoteShutdownPrivilege SeRestorePrivilege SeShutdownPrivilege SeInteractiveLogonRight BUILTIN\Pre-Windows 2000 Compatible Access SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege> > The second one - I keep getting now the same error in log.samba > > GSS server Update(krb5)(1) Update failed: Miscellaneous failure > (see text): Decrypt integrity check failed for checksum type > hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96 [2018/04/03 > 15:08:05.924388, 1] > ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_intern > al) > > > Can this be related to the new key of host in keytab?Do you have 'etc/krb5.keytab' (or similar), if so try deleting it and then create a new one. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Tue, 3 Apr 2018 17:36:35 +0200 Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:> I'm sorry, you're absolutely right. I'm not sure why I didn't follow > your hint. My fault. > > Now, it seems I have exactly the same output as you: > > [root at dc private]# net rpc rights list accounts -U Administrator > > BUILTIN\Administrators > SeSecurityPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeSystemtimePrivilege > SeShutdownPrivilege > SeRemoteShutdownPrivilege > SeTakeOwnershipPrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege > SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege > SeLoadDriverPrivilege > SeCreatePagefilePrivilege > SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > SeUndockPrivilege > SeManageVolumePrivilege > SeImpersonatePrivilege > SeCreateGlobalPrivilege > SeEnableDelegationPrivilege > SeInteractiveLogonRight > SeNetworkLogonRight > SeRemoteInteractiveLogonRight >The above is the relevant set of rights for the Administrator. Administrator is a member of the following groups: memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com Amongst which is 'Administrators', so could (for whatever reason) Administrator have been removed from the 'Administrators' group ? Another thought, have you given 'Administrator' a uidNumber attribute ? Or has 'Administrator' been removed from idmap.ldb ? Rowland
There was lack of membership in Administrators domain/Builtin group. I had only: Domain Users Group Policy Creator Owners Enterprise Admins Schema Admins Domain Admins I've added and I'll try. Thank you. Any hint with the recreation of keytab file? Regards, Kris -----Original Message----- From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba Sent: Tuesday, April 3, 2018 5:53 PM To: samba at lists.samba.org Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50 On Tue, 3 Apr 2018 17:36:35 +0200 Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:> I'm sorry, you're absolutely right. I'm not sure why I didn't follow > your hint. My fault. > > Now, it seems I have exactly the same output as you: > > [root at dc private]# net rpc rights list accounts -U Administrator > > BUILTIN\Administrators > SeSecurityPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeSystemtimePrivilege > SeShutdownPrivilege > SeRemoteShutdownPrivilege > SeTakeOwnershipPrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege > SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege > SeLoadDriverPrivilege > SeCreatePagefilePrivilege > SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > SeUndockPrivilege > SeManageVolumePrivilege > SeImpersonatePrivilege > SeCreateGlobalPrivilege > SeEnableDelegationPrivilege > SeInteractiveLogonRight > SeNetworkLogonRight > SeRemoteInteractiveLogonRight >The above is the relevant set of rights for the Administrator. Administrator is a member of the following groups: memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com Amongst which is 'Administrators', so could (for whatever reason) Administrator have been removed from the 'Administrators' group ? Another thought, have you given 'Administrator' a uidNumber attribute ? Or has 'Administrator' been removed from idmap.ldb ? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba