I'm unable to join a new DC to our existing domain after following the
instructions on the wiki:
# samba-tool domain join company.net DC -U"COMPANY\Administrator"
INFO 2025-04-21 18:54:27,655 pid:1090 /usr/local/lib/python3.11/site-packages/samba/join.py #106: Finding a writeable DC for domain 'company.net'
INFO 2025-04-21 18:54:27,664 pid:1090 /usr/local/lib/python3.11/site-packages/samba/join.py #108: Found DC dc4.company.net
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
I get the same error when trying to pass the password using
--password=<password>. I'm also getting that same error when trying to
perform an online backup from the existing DC:
# samba-tool domain backup online --server=dc4 --targetdir=/home/admin/dc4 -U administrator
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
I have tried different syntaxes for providing the username, but they all
produce the same error.
DC4 is our only DC at the moment and has all FSMO roles. The rest of the
domain appears to be working fine as clients can authenticate, I can
access DC4 using the RSAT tools, and I can join clients/members to the
domain using the same credentials. We have previously demoted an offline
AD DC following the guide on the wiki, and I'm wondering whether that's
related, but I didn't find any traces of the old DC left in AD.
Samba 4.19_5 on FreeBSD 14.2-p2.
smb4.conf:
[global]
    ad dc functional level = 2016
    allow dns updates = nonsecure and secure
    bind interfaces only = Yes
    deadtime = 5
    disable spoolss = Yes
    dns forwarder = 8.8.8.8
    dns update command = /usr/local/sbin/samba_dnsupdate
    dns zone transfer clients allow = 192.168.50.5 192.168.10.4
    interfaces = em0
    log level = 1
    max log size = 1000
    netbios name = DC4
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    panic action = /usr/local/etc/rc.d/samba_server restart
    printcap name = /dev/null
    realm = company.net
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
    template homedir = /home/%U
    template shell = /bin/tcsh
    tls cafile =
    tls certfile = /etc/letsencrypt/live/dc4.company.net/fullchain.pem
    tls keyfile = /etc/letsencrypt/live/dc4.company.net/privkey.pem
    tls verify peer = ca_and_name
    workgroup = COMPANY
    aio read size = 16384
    aio write size = 16384
    csc policy = disable
    delete veto files = Yes
    ea support = Yes
    inherit acls = Yes
    store dos attributes = Yes
    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/._.TemporaryItems/._.apdisk/.apdisk/Network Trash Folder/

[netlogon]
    inherit permissions = Yes
    path = /var/db/samba4/sysvol/company.net/scripts
    read only = No
    vfs objects = zfsacl
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = simple

[sysvol]
    inherit permissions = Yes
    path = /var/db/samba4/sysvol
    read only = No
    vfs objects = zfsacl
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = simple
Any guidance or advice would be greatly appreciated.
Thanks!
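An added example (not part of the original post, and not Samba's own tooling): a small POSIX sh script that recognises the 00002020 status in samba-tool output and runs the prerequisite checks a practitioner would want to see before retrying the join. It assumes the hostnames and realm from the post, that samba-tool and kinit are on PATH on the joining host, and that `host` (from bind-tools) is available.

```shell
#!/bin/sh
# Added example, not from the original post. Values below are taken from
# the post; adjust for your own domain.
REALM="COMPANY.NET"        # Kerberos realm: the DNS domain, upper-cased
DOMAIN="company.net"
DC="dc4.company.net"       # the existing DC that holds all FSMO roles
JOIN_USER="administrator"

# Print the 8-digit hex status (e.g. 00002020) found in a samba-tool
# error line; print nothing when the line carries no such status.
samba_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*error: \([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

# True when the line carries 00002020, the status seen in both the
# "domain join" and "domain backup online" attempts in the post.
is_unauthenticated_error() {
    [ "$(samba_error_code "$1")" = "00002020" ]
}

# Run a command, report PASS/FAIL, and keep going so every check is seen.
check() {
    if "$@" >/dev/null 2>&1; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

# Prerequisite checks, run on the host that is about to be joined.
run_join_prereq_checks() {
    # 1. DNS: the SRV records samba-tool uses to find a writeable DC/KDC.
    check host -t SRV "_ldap._tcp.$DOMAIN"
    check host -t SRV "_kerberos._tcp.$DOMAIN"
    # 2. Kerberos: can the join account obtain a TGT from this realm at
    #    all? (Clock skew or a wrong realm shows up here; kinit prompts.)
    check kinit "$JOIN_USER@$REALM"
    # 3. Authenticated LDAP: does a query against DC4 succeed when
    #    Kerberos is *required*, i.e. with no fallback to another bind?
    check samba-tool user list --server="$DC" --use-kerberos=required
    # 4. The existing DC's own view of replication partners, which is
    #    where a leftover entry for a demoted DC would surface.
    check samba-tool drs showrepl "$DC" --use-kerberos=required
}
```

Call `run_join_prereq_checks` on the new host; a FAIL at step 2 or 3 means the join cannot authenticate regardless of how the username is spelled.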