I found the following in the logs:

[2023/02/23 16:41:40.016934,  1] ../../lib/crypto/gnutls_error.c:114(_gnutls_error_to_werror)
  drsuapi_encrypt_attribute_value: GNUTLS ERROR: GNUTLS_E_UNWANTED_ALGORITHM, WERROR: WERR_INTERNAL_ERROR at ../../libcli/drsuapi/repl_decrypt.c:268
[2023/02/23 16:41:40.016952,  0] ../../source4/rpc_server/drsuapi/getncchanges.c:705(get_nc_changes_build_object)
  Unable to encrypt unicodePwd on CN=krbtgt,CN=Users,DC=privatedomain,DC=com in DRS object - WERR_INTERNAL_ERROR

Both machines had "fips-mode-setup --enable", so I turned that off and rebooted both of them, and the join operation completed successfully. Started samba-ad-dc on the new DC and it ran, albeit with a number of TSIG verify failure errors and an exit code of 26, but that's a completely different issue I can work on.

So it looks like, at least with that setup, trying the join with FIPS mode enabled fails.
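
As an added example (not part of the original post), a small POSIX shell helper that checks the two things the report correlates: whether the kernel is in FIPS mode and whether a join log contains the GnuTLS algorithm rejection, plus which objects failed to replicate. The function names are hypothetical, and it assumes Linux's /proc/sys/crypto/fips_enabled flag and the two-line Samba log layout.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Assumes Linux (FIPS state in /proc/sys/crypto/fips_enabled) and Samba's
# "[timestamp, level] file:line(function)" header + indented message layout.

# Echo 1 if FIPS mode is on, else 0. $1 overrides the flag file for testing.
fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ] && [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Print the DN of each object whose attribute could not be encrypted for
# replication. The message follows its header line, so remember which
# function logged the header before matching the message.
drs_encrypt_failures() {
    awk '
        /^\[/ { hit = ($0 ~ /\(get_nc_changes_build_object\)/); next }
        hit && /Unable to encrypt [^ ]+ on .* in DRS object/ {
            sub(/^.*Unable to encrypt [^ ]+ on /, "")
            sub(/ in DRS object.*$/, "")
            print
        }
    ' "$1"
}

# Classify a join log: $1 = log file, $2 = optional FIPS flag file.
diagnose_join() {
    rejected=$(grep -c 'GNUTLS ERROR: GNUTLS_E_UNWANTED_ALGORITHM' "$1" || true)
    if [ "${rejected:-0}" -eq 0 ]; then
        echo "no-algorithm-rejection"
    elif [ "$(fips_enabled "$2")" = "1" ]; then
        echo "rejected-with-fips-enabled"
    else
        echo "rejected-with-fips-disabled"
    fi
}

# Sample input: the two log entries quoted in the post, in Samba's layout.
sample_log() {
    cat <<'EOF'
[2023/02/23 16:41:40.016934,  1] ../../lib/crypto/gnutls_error.c:114(_gnutls_error_to_werror)
  drsuapi_encrypt_attribute_value: GNUTLS ERROR: GNUTLS_E_UNWANTED_ALGORITHM, WERROR: WERR_INTERNAL_ERROR at ../../libcli/drsuapi/repl_decrypt.c:268
[2023/02/23 16:41:40.016952,  0] ../../source4/rpc_server/drsuapi/getncchanges.c:705(get_nc_changes_build_object)
  Unable to encrypt unicodePwd on CN=krbtgt,CN=Users,DC=privatedomain,DC=com in DRS object - WERR_INTERNAL_ERROR
EOF
}
```

Run `diagnose_join` against the log of the DC that served the replication, since that is where the encryption error in the post was recorded.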