Nikita Druba
2021-Nov-17 15:28 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
17.11.2021 10:27, Andrew Bartlett via samba wrote:
> On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
>> 16.11.2021 18:36, Andrew Bartlett wrote:
>>
>> I checked ldap base and for my DC$ account
>>
>> userAccountControl=69632
> This is your issue. Have you perhaps joined a FreeNAS server to your
> DC at some point? It had a very confusing GUI that encouraged you to
> wipe out the DC account.
>
> This userAccountControl is
> UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD and is therefore not
> a real Domain Controller.

This domain was started from samba 4.0, and the DC was moved several times from one server to another by adding a new DC and removing the old one. Maybe somewhere in these migration procedures there were some failures. I see in one of my new domains that there

userAccountControl=532480

Do I need just to set this value in userAccountControl? Or is this task not so easy? I will try to run tests tonight.
Rowland Penny
2021-Nov-17 15:42 UTC
[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14
On Wed, 2021-11-17 at 16:28 +0100, Nikita Druba via samba wrote:
> 17.11.2021 10:27, Andrew Bartlett via samba wrote:
> > On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
> > > 16.11.2021 18:36, Andrew Bartlett wrote:
> > >
> > > I checked ldap base and for my DC$ account
> > >
> > > userAccountControl=69632
> > This is your issue. Have you perhaps joined a FreeNAS server to
> > your
> > DC at some point? It had a very confusing GUI that encouraged you
> > to
> > wipe out the DC account.
> >
> > This userAccountControl is
> > UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD and is therefore
> > not
> > a real Domain Controller.
> This domain was started from samba 4.0, and the DC was moved several
> times from one server to another by adding a new DC and removing the
> old one. Maybe somewhere in these migration procedures there were some
> failures. I see in one of my new domains that there
>
> userAccountControl=532480

That is: SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION

> Do I need just to set this value in userAccountControl? Or is this
> task not so easy?

Changing the userAccountControl attribute is fairly easy, but the question has to be asked: how did it get changed, and did anything else get changed?

> I will try to run tests tonight.

I wouldn't. Is this the only DC in the domain? If not, I would demote it (forcibly if required), then join a new DC to replace it.

Rowland
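As an added example (not code from the thread or from Samba), a small Python helper that decodes the two userAccountControl values quoted above into their UF_* flags and reports whether a DC$ object carries the bits of a real Domain Controller; the bit values are the MS-ADTS ones, and the function names are my own.

```python
# Added example, not Samba's own code: decode a userAccountControl value
# into its UF_* flags and classify what kind of trust account a DC$ object
# really is. Bit values follow MS-ADTS; only flags relevant here are listed.

UF_FLAGS = {
    0x00002: "UF_ACCOUNTDISABLE",
    0x00020: "UF_PASSWD_NOTREQD",
    0x00200: "UF_NORMAL_ACCOUNT",
    0x00800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x01000: "UF_WORKSTATION_TRUST_ACCOUNT",   # a member server / workstation
    0x02000: "UF_SERVER_TRUST_ACCOUNT",        # a writable Domain Controller
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED",
    0x400000: "UF_DONT_REQUIRE_PREAUTH",
    0x4000000: "UF_PARTIAL_SECRETS_ACCOUNT",   # read-only DC
}

# Bits a healthy writable DC's computer object is expected to carry
# (the value 532480 seen on the working domain in the thread).
DC_EXPECTED = 0x02000 | 0x80000


def decode_uac(value):
    """Return (known flag names set, ascending by bit; leftover unknown bits)."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    known = 0
    for bit in UF_FLAGS:
        known |= bit
    return names, value & ~known


def classify_dc_account(value):
    """Describe what a DC$ object's userAccountControl actually makes it."""
    if value & 0x02000:
        missing = [n for b, n in UF_FLAGS.items() if DC_EXPECTED & b and not value & b]
        if missing:
            return "domain controller missing " + ",".join(missing)
        return "domain controller"
    if value & 0x01000:
        return "workstation trust account (not a domain controller)"
    return "not a trust account"


def report(value):
    names, unknown = decode_uac(value)
    text = "|".join(names) or "(none)"
    if unknown:
        text += "|0x%x" % unknown
    return "userAccountControl=%d: %s -> %s" % (value, text, classify_dc_account(value))


if __name__ == "__main__":
    for v in (69632, 532480):  # the two values quoted in the thread
        print(report(v))
```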