Thank you @Rowland,

I tried the new smb.conf file, still no luck with the same error message. I also rebooted Linux and tried again.

-------
Failed to join domain: Failed to set machine spn: Operations error
Do you have sufficient permissions to create machine accounts?
return code = -1
Freed frame ../../source3/utils/net.c:942, expected ../../source3/libnet/libnet_join.c:506.
-------

Thank you @Andrew,

We never modified the "10" limit before, it really worked (maybe when Ada is lad)... but about 2 months ago, it suddenly broke. I am suspecting somebody modified security options on AD servers in our team, but nobody claimed that, so we have to try to figure it out painfully :(

Thanks
Andrew Bartlett
2020-Jul-02 01:11 UTC
[Samba] help for join AD domain failure troubleshooting
On Thu, 2020-07-02 at 05:44 +0800, rong zhao wrote:
> Thank you @Rowland,
>
> I tried the new smb.conf file, still no luck with the same error
> message, I also reboot Linux and try too.
>
> -------
> Failed to join domain: Failed to set machine spn: Operations error
> Do you have sufficient permissions to create machine accounts?
> return code = -1
> Freed frame ../../source3/utils/net.c:942, expected
> ../../source3/libnet/libnet_join.c:506.
> -------
>
> Thank you @Andrew,
>
> We never modified the "10" limit before, it really worked (maybe when
> Ada is lad)... but about 2 months ago, it suddenly broke.

This was never implemented in Samba, sorry.

> I am
> suspecting somebody modified security options on AD servers in our
> team, but nobody claimed that, so we have to try to figure it out
> painfully :(

My guess is you used a more privileged account in the past.

Some folks delegate rights on an OU, but I've never convinced myself that is safe either.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
After I saw "Do you have sufficient permissions to create machine accounts?", I checked my permissions immediately, and even adding my account to Domain Admin could not help.

"Failed to set machine spn" means I cannot set servicePrincipalName. Then I logged in to the AD server: the machine had been created in ou=Computer, however, no SPN was really set, so I tried the "setspn" command on the Windows server. It worked, so I should have permission on it.

Today, I noticed an error string:

failed to find DC for domain PROD-USA.MYCOMPANY.COM - A domain controller for this domain was not found.

Then I did a check on the DNS of the AD server, and it looked good... so still missing?

Thank you all for your kind suggestions. I will try to dig more with Microsoft support force, I just want to see if I can get more clues from Samba. Not sure how I can make a debug module and use GDB to debug the "net ads join" command.

Thanks.
Rong
Hi Andrew, Rowland, team,

After checking the differences between our AD forests' configurations, we finally figured this issue out. There is an attribute "Do not require Kerberos preauthentication" on AD users; someone in our team checked this option on all users. After unchecking this option, we can join the AD domain normally.

Appreciate all your suggestions!

Thanks.
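
The "Do not require Kerberos preauthentication" option named in the last message is stored in Active Directory as the DONT_REQ_PREAUTH bit (0x400000) of each account's userAccountControl attribute. As an added example (not part of the thread and not Samba's code), the following Python audits an LDIF export for accounts with that bit set; the sample LDIF, the account names and the example.test domain are constructed for illustration.

```python
import base64

# userAccountControl bits, from Microsoft's documented UF_* flag values.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}
DONT_REQ_PREAUTH = 0x400000
# Server-side LDAP filter for the same bit (bitwise-AND matching rule).
PREAUTH_FILTER = f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH})"

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded continuation
        else:
            lines.append(raw)
    entries = [{}]
    for line in lines:
        if not line.strip():              # blank line ends an entry
            entries.append({})
        elif not line.startswith("#"):    # skip LDIF comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entries[-1].setdefault(attr.lower(), []).append(value.strip())
    return [e for e in entries if e]

def decode_uac(uac):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def accounts_without_preauth(entries):
    """(sAMAccountName, flag names) for each entry with DONT_REQ_PREAUTH set."""
    return [(e.get("samaccountname", ["?"])[0], decode_uac(uac))
            for e in entries
            if (uac := int(e.get("useraccountcontrol", ["0"])[0])) & DONT_REQ_PREAUTH]

SAMPLE_LDIF = """# constructed sample; domain and accounts are placeholders
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Join Account,OU=Service,DC=example,DC=test
sAMAccountName: svc-join
userAccountControl: 4194
 816
"""

if __name__ == "__main__":
    print(accounts_without_preauth(parse_ldif(SAMPLE_LDIF)))
```

`PREAUTH_FILTER` is the equivalent server-side search filter, so the same check can be run as a directory query instead of over an export.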