Hi,

This is strange, what you are writing. Are you saying that if Administrator is in the Domain Users group, ALL my users have admin rights? Hard to believe. Moreover, I'm unable to delete Administrator from the Domain Users group, as this is my basic group (I received such an info).

I believe the keytab is needed for sth, cause without it I keep receiving:

[2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory

About the previous errors concerning "Decrypt integrity check failed" - I just needed to wait (I believe the ticket time). Now it seems to be fine.

I have two more errors to resolve:

1. My two DCs: CentOS 7, Samba 4.7.6, built from sources with
./configure --disable-cups
samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL

I do not use bind, only the DNS built into samba.

The errors in log.samba (all the time):
[2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/rndc: Failed to exec child - No such file or directory
[2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
  ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL

I saw such a problem in the mailing lists almost 2 years ago. Then it ended up as a bug. What does it mean now? On one of these DCs I've installed bind and now the error is:
[2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
  ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
[2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

2. KVNO mismatch - on the main DC

[2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

kvno DC
DC at DOMAIN.NET.PL: kvno = 1

Is there any other way to increase the key version to 2 than demoting the DC and rejoining the domain? I was trying with the command:
ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96
but then I'm asked to enter a password (or a key, with the -key option of add_entry) - can I leave it empty, just hit the enter key?

Any help appreciated.

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 6:27 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 18:09:18 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> There was lack of membership in Administrators domain/Builtin group.
> I had only:
> Domain Users
> Group Policy Creator Owners
> Enterprise Admins
> Schema Admins
> Domain Admins

You should only have:

Domain Admins
Administrator
Enterprise Admins

You definitely shouldn't have Domain Users, this makes ALL your domain users into admins and I don't think you want that ;-)

> Any hint with the recreation of keytab file?

Do you actually need the keytab? It is only required if something like Dovecot needs to auth to AD. If you do need the keytab, you can create it with samba-tool:

samba-tool domain exportkeytab

This will create a keytab with all the keytabs in it, if you just want one keytab, add '--principal=PRINCIPAL'.
Add '--help' to the command above for more info.

Rowland
On Wed, 4 Apr 2018 10:54:22 +0200
Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:

> Hi,
> This is strange what you are writing. Are you saying, that if
> Administrator is in Domain Users group = ALL my users have admins
> rights? Hard to believe. Moreover, I'm unable to delete Administrator
> from Domain Users group, as this is my basic group (I received such
> an info).

No, you posted this:

There was lack of membership in Administrators domain/Builtin group.
I had only:
Domain Users
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

Which seems to suggest that 'Domain Users' is a member of the 'Administrators' group, this is definitely not a good idea. All users are members of 'Domain Users' and hence, if 'Domain Users' is a member of 'Administrators', they are members of the 'Administrators' group.

> I believe the keytab is needed to sth, cause without it I keep
> receiving:
> [2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
>   text): keytab /usr/local/samba/private/secrets.keytab open failed: No
>   such file or directory

Ah, that is a different keytab to the one I thought you were referring to, you definitely need that one ;-)

> About previous errors according: " Decrypt integrity check failed " -
> I just needed to wait (I believe the ticket time). Now it seems to be
> fine.
>
> I have two more errors to resolve:
>
> 1. Two my DCs: Centos 7, Samba 4.7.6, built from sources with
> ./configure --disable-cups
> samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator"
> --dns-backend=SAMBA_INTERNAL
>
> I do not use bind, only DNS build-in samba.
>
> The errors in log.samba (all the time):
> [2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/sbin/rndc: Failed to exec child - No such file or directory
> [2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL
>
> I saw such a problem in mailing lists, almost 2 years ago. Then it
> ended up as a bug. What does it mean now? On one of these DCs I've
> installed bind and now the error is:
> [2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
> [2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Try adding this to smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

> 2. KVNO mismatch - on the main DC
>
> [2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
>   text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab
>   FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> kvno DC
> DC at DOMAIN.NET.PL: kvno = 1
>
> Is there any other way to increase the key version to 2 than demote
> dc and rejoin domain? I was trying with the command:
> ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e
> aes256-cts-hmac-sha1-96 but then I'm asking to enter password (or key
> with -key option in add_entry) - can I leave it empty, just hit enter
> key?

You could try running 'samba_upgradeprovision', this will reset the passwords:

samba_upgradeprovision --realm=<YOUR REALM> -U Administrator

NOTE: I have never had to do this, So I would urge you to backup everything before trying it.

However, the errors could be coming from something that is using stale passwords, they may go away if you wait long enough or reboot everything.

Rowland
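Rowland's point that 'Domain Users' sitting inside 'Administrators' makes every account an admin can be turned into a routine audit. The script below is an added example, not from this thread or from the Samba project: it reads the direct members of each privileged group (a constructed sample stands in for `samba-tool group listmembers`) and flags any broad group nested there; the BROAD_GROUPS list is my own assumption about which groups count as "everyone".

```shell
#!/bin/sh
# Audit privileged AD groups for nested "everyone"-style groups.
# Added example; not from the thread or from Samba itself.
# Real use: replace sample_members with `samba-tool group listmembers "$group"`,
# which prints one member name per line.

# Constructed sample listing that mirrors the membership described in the thread.
sample_members() {
    case "$1" in
        Administrators)
            printf '%s\n' "Administrator" "Domain Users" "Enterprise Admins" "Domain Admins" ;;
        "Domain Admins"|"Enterprise Admins")
            printf '%s\n' "Administrator" ;;
        *)  return 1 ;;   # unknown group: behave like a failed samba-tool call
    esac
}

# Groups whose membership is effectively "every account" (assumed list).
# Nesting any of them into a privileged group hands that privilege to all users.
BROAD_GROUPS="Domain Users
Domain Computers
Authenticated Users
Everyone
Users"

# check_group GROUP [LISTER]: prints each broad group found directly in GROUP.
# Returns 1 if any was found, 0 if the membership is clean, 2 if listing failed.
check_group() {
    group=$1
    lister=${2:-sample_members}
    members=$("$lister" "$group") || return 2
    rc=0
    saved_ifs=$IFS
    IFS='
'
    for broad in $BROAD_GROUPS; do
        if printf '%s\n' "$members" | grep -Fqx -- "$broad"; then
            printf '%s: contains %s\n' "$group" "$broad"
            rc=1
        fi
    done
    IFS=$saved_ifs
    return $rc
}

# Walk the groups that matter most; a non-zero status means "review this group".
for g in Administrators "Domain Admins" "Enterprise Admins"; do
    check_group "$g" || echo "  -> review membership of '$g'"
done
```

Only direct members are inspected; a broad group hidden one level deeper (inside a group that is itself a member of Administrators) needs the same check applied to that intermediate group.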
>>> 2. KVNO mismatch - on the main DC
>>>
>>> [2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>> [2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>>>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
>>>   text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab
>>>   FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>>>
>>> kvno DC
>>> DC at DOMAIN.NET.PL: kvno = 1
>>>
>>> Is there any other way to increase the key version to 2 than demote
>>> dc and rejoin domain? I was trying with the command:
>>> ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e
>>> aes256-cts-hmac-sha1-96 but then I'm asking to enter password (or key
>>> with -key option in add_entry) - can I leave it empty, just hit enter
>>> key?
>>>
>>
>> You could try running 'samba_upgradeprovision', this will reset the
>> passwords:
>>
>> samba_upgradeprovision --realm=<YOUR REALM> -U Administrator
>>
>> NOTE: I have never had to do this, So I would urge you to backup
>> everything before trying it.
>>
>> However, the errors could be coming from something that is using stale
>> passwords, they may go away if you wait long enough or reboot
>> everything.
>>
>> Rowland
>
> I'll try it this weekend, making before full backup of my DC. I'm
> facing this error about KVNO mismatch at least three weeks (and I'm
> not sure where did it get from).
>
> Thank you for your assistance, I'll give you a feedback about
> samba_upgradeprovision.
>
> Regards,
> Kris

I should have tried this command sooner. Now I have made a full backup and something is missing:

[root at dc ~]# cd /opt/samba-4.7.6/bin
[root at dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U Administrator
Traceback (most recent call last):
  File "./samba_upgradeprovision", line 36, in <module>
    import ldb

I have the same output running the script from the /opt/samba-4.7.6/source4/scripting/bin/ directory.
OS is CentOS 6. Google returns nothing really special about it.

Any hint?

Regards,
Kris
On Sun, 08 Apr 2018 12:31:26 +0200
Kris via samba <samba at lists.samba.org> wrote:

> I should try this command sooner. Now I have made full backup and
> something is missing:
>
> [root at dc ~]# cd /opt/samba-4.7.6/bin
> [root at dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U
> Administrator
> Traceback (most recent call last):
>   File "./samba_upgradeprovision", line 36, in <module>
>     import ldb
>
> I have the same output running the script from
> /opt/samba-4.7.6/source4/scripting/bin/ directory.
> OS is CentOS 6. Google returns nothing really special about it.
>
> Any hint?

Have you got python-ldb installed? I think it is called pyldb on Centos.

Rowland