Rowland Penny
2025-Apr-23 08:25 UTC
[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege
On Wed, 23 Apr 2025 09:32:20 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> Hello
>
> I have a samba4 domain running in production with 2 DCs.
> 4.19.5-Ubuntu
> no SELinux
> AppArmor for named, chronyd
>
> When I want to add a 3rd DC I'm getting this error:
>
> localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC
> --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns
> forwarder=127.0.0.53" --option='server services=-dns'
> --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0"
> --option="bind interfaces only=yes" --username="OFFICE\Administrator"
> Password for [OFFICE\Administrator]:
>
>
> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
> packages/samba/join.py #1614: workgroup is OFFICE
> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
> packages/samba/join.py #1617: realm is office.company.com
> Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain
> Controllers,DC=office,DC=company,DC=com: Updating the
> UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted
> without the SeEnableDelegationPrivilege> <>
>

It normally just works, so it is probably something on that potential DC.

First though, you shouldn't (in my opinion) be using these options:

--server=192.168.10.1

You should let Samba find the best DC to use.

--option="dns forwarder=127.0.0.53"

This will very probably lead the DC to forward to itself, not a good idea.

--option='server services=-dns'

This should be added for you by using the '--dns-backend=BIND9_DLZ' option.

You also have "--option='idmap_ldb:use rfc2307 = yes'"; if you are not using the rfc2307 attributes, you do not require that option.

Administrator is the super user and should be able to do anything on Linux by being mapped to 'root', unless you are using rfc2307 attributes and have given Administrator a uidNumber, in which case, as far as Linux is concerned, it becomes just another user.

Rowland
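A pre-flight check for the points Rowland raises, as an added example that is not part of the thread or of the Samba project. It works on text only: the options you intend to pass to `samba-tool domain join` (one per line, as the shell passes them after quote removal) and LDIF captured from `samba-tool user show Administrator`. Both sample inputs below are constructed for the example, using the addresses and site from the quoted command; the loopback test, the four warnings and the root-versus-uidNumber rule encode Rowland's advice, not a check that samba-tool itself performs.

```shell
#!/bin/sh
# Pre-join sanity checks for a prospective Samba AD DC (added example,
# not Samba project code). Text-only; nothing here contacts the domain.

# Constructed sample: the options from the quoted join command, one per line,
# exactly as the shell hands them to samba-tool after quote removal.
SAMPLE_JOIN_OPTS='--server=192.168.10.1
--site=hk
--dns-backend=BIND9_DLZ
--option=dns forwarder=127.0.0.53
--option=server services=-dns
--option=idmap_ldb:use rfc2307 = yes
--option=interfaces=lo enp1s0
--option=bind interfaces only=yes'

# Constructed sample of 'samba-tool user show Administrator' output, trimmed
# to the attributes that matter here; this one carries rfc2307 attributes.
SAMPLE_ADMIN_LDIF='dn: CN=Administrator,CN=Users,DC=office,DC=company,DC=com
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000'

# Returns 0 if ADDR is a loopback address. A DC that forwards to 127.0.0.53
# (the systemd-resolved stub) or any other 127.x address ends up forwarding
# to itself once Samba or BIND owns port 53 on the box.
forwarder_is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one WARN line per option Rowland advises against; always returns 0.
join_option_warnings() {
    opts=$1
    if printf '%s\n' "$opts" | grep -q '^--server='; then
        echo "WARN --server pins one DC; let samba-tool choose the best DC"
    fi
    fwd=$(printf '%s\n' "$opts" | sed -n 's/^--option=dns forwarder *= *//p')
    if [ -n "$fwd" ] && forwarder_is_loopback "$fwd"; then
        echo "WARN dns forwarder=$fwd is loopback; the DC would forward to itself"
    fi
    if printf '%s\n' "$opts" | grep -q '^--dns-backend=BIND9_DLZ' &&
       printf '%s\n' "$opts" | grep -q '^--option=server services *= *-dns'; then
        echo "WARN server services=-dns is already implied by --dns-backend=BIND9_DLZ"
    fi
    if printf '%s\n' "$opts" | grep -q '^--option=idmap_ldb:use rfc2307'; then
        echo "WARN idmap_ldb:use rfc2307 is only needed if users carry uidNumber/gidNumber"
    fi
    return 0
}

# Prints what Linux will see Administrator as: "root" when the LDIF has no
# uidNumber (Samba's built-in mapping), otherwise the uidNumber, meaning
# Administrator is an ordinary Unix user on the DC and needs sudo or ACLs
# for anything that requires root.
admin_unix_identity() {
    uid=$(printf '%s\n' "$1" | sed -n 's/^uidNumber: *//p' | head -n 1)
    if [ -z "$uid" ]; then echo root; else echo "$uid"; fi
}

join_option_warnings "$SAMPLE_JOIN_OPTS"
echo "Administrator maps to Unix identity: $(admin_unix_identity "$SAMPLE_ADMIN_LDIF")"
```

On a real DC, replace the second sample with live output, for instance `admin_unix_identity "$(samba-tool user show Administrator)"`; an answer other than `root` means the join is being run as an account Linux no longer treats as the super user, which is the situation Rowland describes.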
Sami Hulkko
2025-Apr-23 09:58 UTC
[Samba] samba join failed: LDAP_INSUFFICIENT_ACCESS_RIGHTS -- SeEnableDelegationPrivilege
Hi,

One can, in a Samba DC system, add Administrator to the sudo group if, as Rowland Penny mentioned, it has the uid, gid, home folder and default shell settings set and is therefore capable of logging in to the Samba system.

samba-tool, if I recollect right, can add these attributes to a user, and with the Windows 11 RSAT tools in 'Active Directory Users and Computers' one needs to enable 'Advanced Features' from the View menu to have access to the 'Attribute Editor', where one can add them too.

With sudo rights the Administrator can run commands with ease and no folder rights problems.

Yours,
SH

On 23/04/2025 11.25, Rowland Penny via samba wrote:
> On Wed, 23 Apr 2025 09:32:20 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
>
>> Hello
>>
>> I have a samba4 domain running in production with 2 DCs.
>> 4.19.5-Ubuntu
>> no SELinux
>> AppArmor for named, chronyd
>>
>> When I want to add a 3rd DC I'm getting this error:
>>
>> localadmin at dc03:~$ sudo samba-tool domain join office.company.com DC
>> --server=192.168.10.1 --site=hk --dns-backend=BIND9_DLZ --option="dns
>> forwarder=127.0.0.53" --option='server services=-dns'
>> --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp1s0"
>> --option="bind interfaces only=yes" --username="OFFICE\Administrator"
>> Password for [OFFICE\Administrator]:
>>
>>
>> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
>> packages/samba/join.py #1614: workgroup is OFFICE
>> INFO 2025-04-23 09:16:58,137 pid:25203 /usr/lib/python3/dist-
>> packages/samba/join.py #1617: realm is office.company.com
>> Adding CN=DC03,OU=Domain Controllers,DC=office,DC=company,DC=com
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 50
>> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <Failed to add CN=DC03,OU=Domain
>> Controllers,DC=office,DC=company,DC=com: Updating the
>> UF_TRUSTED_FOR_DELEGATION bit in userAccountControl is not permitted
>> without the SeEnableDelegationPrivilege> <>
>>
> It normally just works, so it is probably something on that potential
> DC.
>
> First though, you shouldn't (in my opinion) be using these options:
>
> --server=192.168.10.1
>
> You should let Samba find the best DC to use.
>
> --option="dns forwarder=127.0.0.53"
>
> This will very probably lead the DC to forward to itself, not a good
> idea.
>
> --option='server services=-dns'
>
> This should be added for you by using the '--dns-backend=BIND9_DLZ'
> option.
>
> You also have "--option='idmap_ldb:use rfc2307 = yes'"; if you are not
> using the rfc2307 attributes, you do not require that
> option.
>
> Administrator is the super user and should be able to do anything on
> Linux by being mapped to 'root', unless you are using rfc2307
> attributes and have given Administrator a uidNumber, in which case, as far as
> Linux is concerned, it becomes just another user.
>
> Rowland
>
-- 
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com