There was a lack of membership in the Administrators domain/Builtin group. I had only:

Domain Users
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

I've added it and I'll try. Thank you.

Any hint with the recreation of the keytab file?

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 5:53 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 17:36:35 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> I'm sorry, you're absolutely right. I'm not sure why I didn't follow
> your hint. My fault.
>
> Now, it seems I have exactly the same output as you:
>
> [root at dc private]# net rpc rights list accounts -U Administrator
>
> BUILTIN\Administrators
> SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeRemoteShutdownPrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
> SeInteractiveLogonRight
> SeNetworkLogonRight
> SeRemoteInteractiveLogonRight
>

The above is the relevant set of rights for the Administrator.

Administrator is a member of the following groups:

memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com

Amongst which is 'Administrators', so could (for whatever reason) Administrator have been removed from the 'Administrators' group ?

Another thought, have you given 'Administrator' a uidNumber attribute ? Or has 'Administrator' been removed from idmap.ldb ?

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Tue, 3 Apr 2018 18:09:18 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> There was lack of membership in Administrators domain/Builtin group.
> I had only:
> Domain Users
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins

You should only have:

Domain Admins
Administrator
Enterprise Admins

You definitely shouldn't have Domain Users, this makes ALL your domain users into admins and I don't think you want that ;-)

>
> Any hint with the recreation of keytab file?
>

Do you actually need the keytab ? It is only required if something like Dovecot needs to auth to AD.

If you do need the keytab, you can create it with samba-tool:

samba-tool domain exportkeytab

This will create a keytab with all the keytabs in it, if you just want one keytab, add '--principal=PRINCIPAL'.

Add '--help' to the command above for more info

Rowland
Hi,

What you are writing is strange. Are you saying that if Administrator is in the Domain Users group, ALL my users have admin rights? Hard to believe. Moreover, I'm unable to delete Administrator from the Domain Users group, as this is my basic group (I received such an info).

I believe the keytab is needed for something, because without it I keep receiving:

[2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory

About the previous errors regarding "Decrypt integrity check failed" - I just needed to wait (I believe the ticket time). Now it seems to be fine.

I have two more errors to resolve:

1. My two DCs: CentOS 7, Samba 4.7.6, built from sources with ./configure --disable-cups

samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL

I do not use bind, only the DNS built into samba. The errors in log.samba (all the time):

[2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/rndc: Failed to exec child - No such file or directory
[2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL

I saw such a problem in the mailing lists, almost 2 years ago. Then it ended up as a bug. What does it mean now?

On one of these DCs I've installed bind and now the error is:

[2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
[2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

2. KVNO mismatch - on the main DC

[2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

kvno DC
DC at DOMAIN.NET.PL: kvno = 1

Is there any other way to increase the key version to 2 than to demote the DC and rejoin the domain? I was trying with the command:

ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96

but then I'm asked to enter a password (or a key with the -key option in add_entry) - can I leave it empty, just hit the enter key?

Any help appreciated.

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 6:27 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 18:09:18 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> There was lack of membership in Administrators domain/Builtin group.
> I had only:
> Domain Users
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins

You should only have:

Domain Admins
Administrator
Enterprise Admins

You definitely shouldn't have Domain Users, this makes ALL your domain users into admins and I don't think you want that ;-)

>
> Any hint with the recreation of keytab file?
>

Do you actually need the keytab ? It is only required if something like Dovecot needs to auth to AD.

If you do need the keytab, you can create it with samba-tool:

samba-tool domain exportkeytab

This will create a keytab with all the keytabs in it, if you just want one keytab, add '--principal=PRINCIPAL'.
Add '--help' to the command above for more info

Rowland
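As an added example (not code from this thread and not Samba's own tooling), here is a small Python parser for the MIT keytab format that Samba's secrets.keytab uses, run over a constructed sample keytab in which DC$ still holds a kvno 1 key while the KDC expects kvno 2, the condition behind the "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab" message above. It reports kvno gaps per principal without ever returning key material; the key bytes, the second principal and the expected-kvno table are constructed placeholders, not values from a real domain.

```python
"""Parse an MIT-format keytab (version 0x0502) and compare the key version
number (kvno) stored per principal with the kvno the KDC expects.
Added example with constructed sample data; not Samba project code."""
import struct
from typing import Dict, List, NamedTuple

# IANA Kerberos encryption type numbers (RFC 3961 registry).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse every live entry of a version 0x0502 (big-endian) MIT keytab.

    Per entry: int32 size (negative = freed slot), uint16 num_components,
    counted realm, num_components counted strings, uint32 name_type,
    uint32 timestamp, uint8 vno8, uint16 enctype, uint16 key length, key,
    then an optional uint32 vno32 when the entry size leaves room for it.
    The secret key bytes are skipped and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # freed slot: skip |size| bytes
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp.decode())
        off += 8                          # name_type and timestamp, unused here
        vno8 = entry[off]
        off += 1
        enctype, keylen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + keylen                 # skip the key material itself
        kvno = vno8
        if off + 4 <= size:               # 32-bit kvno trailer present
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def find_kvno_mismatches(entries: List[KeytabEntry], expected: Dict[str, int]) -> List[str]:
    """List principals whose keytab kvno does not cover the kvno the KDC expects."""
    problems = []
    for principal, want in expected.items():
        have = sorted({e.kvno for e in entries if e.principal == principal})
        if not have:
            problems.append(f"{principal}: not present in keytab, KDC expects kvno {want}")
        elif want not in have:
            got = ", ".join(str(v) for v in have)
            problems.append(f"{principal}: keytab has kvno {got}, KDC expects kvno {want}")
    return problems


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry (used only to construct the sample below)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)       # vno32 trailer
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: DC$ still holds a kvno 1 key (dummy bytes, not a
# real key) while the KDC has moved on to kvno 2; the host/ entry is made up.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("DC$@DOMAIN.NET.PL", 1, 18, b"\x11" * 32)
    + build_entry("host/dc.domain.net.pl@DOMAIN.NET.PL", 2, 17, b"\x22" * 16)
)
EXPECTED_KVNO = {"DC$@DOMAIN.NET.PL": 2, "host/dc.domain.net.pl@DOMAIN.NET.PL": 2}


def check_sample() -> List[str]:
    """Parse the constructed keytab and return the kvno problems found."""
    return find_kvno_mismatches(parse_keytab(SAMPLE_KEYTAB), EXPECTED_KVNO)


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:40} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for line in check_sample():
        print("MISMATCH:", line)
```

With a real file, pass the bytes of secrets.keytab to parse_keytab and fill the expected table from what the KDC reports (the `kvno` output quoted above); the check only compares version numbers, so when they differ the remedy is still a fresh export with `samba-tool domain exportkeytab`, not editing the version field by hand.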