Good afternoon. When entering into the domain an error occurs. The administrator has all the rights, but for some reason it is not possible to enter this server into the domain. Samba 4.19.0, the log is attached.

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.local<0x20>
startlmhosts: Can't open lmhosts file /opt/reddc/etc/lmhosts. Error was No such file or directory
finddcs: response 0 at '192.168.237.150'
finddcs: performing CLDAP query on 192.168.237.150
     &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
        command : LOGON_SAM_LOGON_RESPONSE_EX (23)
        sbz : 0x0000 (0)
        server_type : 0x0003f3fd (259069)
               1: NBT_SERVER_PDC
               1: NBT_SERVER_GC
               1: NBT_SERVER_LDAP
               1: NBT_SERVER_DS
               1: NBT_SERVER_KDC
               1: NBT_SERVER_TIMESERV
               1: NBT_SERVER_CLOSEST
               1: NBT_SERVER_WRITABLE
               1: NBT_SERVER_GOOD_TIMESERV
               0: NBT_SERVER_NDNC
               0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
               1: NBT_SERVER_FULL_SECRET_DOMAIN_6
               1: NBT_SERVER_ADS_WEB_SERVICE
               1: NBT_SERVER_DS_8
               1: NBT_SERVER_DS_9
               1: NBT_SERVER_DS_10
               0: NBT_SERVER_HAS_DNS_NAME
               0: NBT_SERVER_IS_DEFAULT_NC
               0: NBT_SERVER_FOREST_ROOT
        domain_uuid : eac1ac7e-5bd4-4f8d-9ae6-cef06fcf2ee0
        forest : 'domain.local'
        dns_domain : 'domain.local'
        pdc_dns_name : 'DC1.domain.local'
        domain_name : 'domain'
        pdc_name : 'DC1'
        user_name : ''
        server_site : 'Default-First-Site-Name'
        client_site : 'Default-First-Site-Name'
        sockaddr_size : 0x00 (0)
        sockaddr: struct nbt_sockaddr
            sockaddr_family : 0x00000000 (0)
            pdc_ip : (null)
            remaining : DATA_BLOB length=0
        next_closest_site : NULL
        nt_version : 0x00000005 (5)
               1: NETLOGON_NT_VERSION_1
               0: NETLOGON_NT_VERSION_5
               1: NETLOGON_NT_VERSION_5EX
               0: NETLOGON_NT_VERSION_5EX_WITH_IP
               0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
               0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
               0: NETLOGON_NT_VERSION_PDC
               0: NETLOGON_NT_VERSION_IP
               0: NETLOGON_NT_VERSION_LOCAL
               0: NETLOGON_NT_VERSION_GC
        lmnt_token : 0xffff (65535)
        lm20_token : 0xffff (65535)
finddcs: Found matching DC 192.168.237.150 with server_type=0x0003f3fd
Security token SIDs (1):
  SID[ 0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[ 0]: SeMachineAccountPrivilege
  Privilege[ 1]: SeTakeOwnershipPrivilege
  Privilege[ 2]: SeBackupPrivilege
  Privilege[ 3]: SeRestorePrivilege
  Privilege[ 4]: SeRemoteShutdownPrivilege
  Privilege[ 5]: SePrintOperatorPrivilege
  Privilege[ 6]: SeAddUsersPrivilege
  Privilege[ 7]: SeDiskOperatorPrivilege
  Privilege[ 8]: SeSecurityPrivilege
  Privilege[ 9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x 0):
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
added interface ens192 ip=192.168.237.100 bcast=192.168.237.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.local<0x20>
startlmhosts: Can't open lmhosts file /opt/reddc/etc/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [WORKGROUP\Administrator]:
Received smb_krb5 packet of length 196
Received smb_krb5 packet of length 98
kinit for Administrator at DOMAIN.LOCAL succeeded
gensec_update_send: gssapi_krb5[0x5630126c7020]: subreq: 0x563012674660
gensec_update_send: spnego[0x5630126c8410]: subreq: 0x5630126c01f0
gensec_update_done: gssapi_krb5[0x5630126c7020]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x563012674660/../../source4/auth/gensec/gensec_gssapi.c:1059]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x563012674840)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
gensec_update_done: spnego[0x5630126c8410]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5630126c01f0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5630126c03d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
gensec_update_send: gssapi_krb5[0x5630126c7020]: subreq: 0x563012674660
gensec_update_send: spnego[0x5630126c8410]: subreq: 0x5630126c01f0
gensec_update_done: gssapi_krb5[0x5630126c7020]: NT_STATUS_OK tevent_req[0x563012674660/../../source4/auth/gensec/gensec_gssapi.c:1059]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x563012674840)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1077]
gensec_update_done: spnego[0x5630126c8410]: NT_STATUS_OK tevent_req[0x5630126c01f0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5630126c03d0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
INFO 2024-05-24 17:23:00,320 pid:73718 /opt/reddc/lib/python3.8/site-packages/samba/netcmd/main.py #91: workgroup is DOMAIN
INFO 2024-05-24 17:23:00,320 pid:73718 /opt/reddc/lib/python3.8/site-packages/samba/netcmd/main.py #91: realm is doamin.local
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002010: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0> <>
  File "samba/netcmd/__init__.py", line 279, in samba.netcmd.Command._run
  File "samba/netcmd/domain/join.py", line 130, in samba.netcmd.domain.join.cmd_domain_join.run
  File "samba/join.py", line 1683, in samba.join.join_DC
  File "samba/join.py", line 1590, in samba.join.DCJoinContext.do_join
  File "samba/join.py", line 1563, in samba.join.DCJoinContext.do_join
  File "samba/join.py", line 649, in samba.join.DCJoinContext.join_add_objects
Adding CN=DCRED,OU=Domain Controllers,DC=domain,DC=local
Join failed - cleaning up

On Fri, 24 May 2024 16:22:33 +0300
Omnis ludis - games via samba <samba at lists.samba.org> wrote:

> good afternoon, when entering into the domain an error occurs, the
> administrator has all the rights, but for some reason it is not
> possible to enter this server into the domain, samba 4.19.0, the log
> is attached
>
> INFO 2024-05-24 17:23:00,320
> pid:73718 /opt/reddc/lib/python3.8/site-packages/samba/netcmd/main.py
> #91: workgroup is DOMAIN INFO 2024-05-24 17:23:00,320 pid:73718
> /opt/reddc/lib/python3.8/site-packages/samba/netcmd/main.py #91:
> realm is doamin.local

I do hope that 'domain.local' is sanitisation for your real DNS domain.

> ERROR(ldb): uncaught exception - LDAP error 53
> LDAP_UNWILLING_TO_PERFORM - <00002010: SvcErr: DSID-031A124C, problem
> 5003 (WILL_NOT_PERFORM), data 0
>
> <>
> File "samba/netcmd/__init__.py", line 279, in
> samba.netcmd.Command._run File "samba/netcmd/domain/join.py", line
> 130, in samba.netcmd.domain.join.cmd_domain_join.run
> File "samba/join.py", line 1683, in samba.join.join_DC
> File "samba/join.py", line 1590, in samba.join.DCJoinContext.do_join
> File "samba/join.py", line 1563, in samba.join.DCJoinContext.do_join
> File "samba/join.py", line 649, in
> samba.join.DCJoinContext.join_add_objects
> Adding CN=DCRED,OU=Domain Controllers,DC=domain,DC=local
> Join failed - cleaning up

What OS is this?

Can you confirm the Samba version is 4.19.0?

It seems that you are trying to join an RODC, is this correct?

What was the actual command you used to join the domain?

Rowland