Web lists-archives.com

Re: [Samba] Unable to rejoin domain, LDAP error 50




I'm sorry, you're absolutely right. I'm not sure why I didn't follow your hint. My fault.

Now, it seems I have exactly the same output as you:

[root@dc private]# net rpc rights list accounts -U Administrator
Enter Administrator's password:
BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
SeRemoteInteractiveLogonRight
SeChangeNotifyPrivilege


What can be the reason of DC joining failure?


Keytab. My is /usr/local/samba/private/secrets.keytab - it is created during domain joining. I'm now aware hot to create it by myself. I saw utils like: kutils, kadmin and ktpass (in Windows). Can this be done easier? 

Regards,
Kris

-----Original Message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Rowland Penny via samba
Sent: Tuesday, April 3, 2018 3:36 PM
To: samba@xxxxxxxxxxxxxxx
Cc: Krzysztof Paszkowski <kylo@xxxxxxxx>
Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50

On Tue, 3 Apr 2018 15:13:58 +0200
Krzysztof Paszkowski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I've cleared all DNS records (indeed, they were still there).
> I'm not sure if that was the issue, cause I've discovered that the 
> real problem is related to insufficient Administrator rights.

Funny, if I had thought of that, I would have written something
like:

At first sight, it looks like 'Administrator' doesn't have the right permissions to join a DC to the domain, so you might want to check just what rights the Administrator has.

Wait a minute, I DID!

> I was
> able to join that DC to domain using credentials of my second user 
> (member of domain admins group). The first one had to get out from 
> Domain admins. Can this be related to fixing the attributes during 
> update process (samba-tool dbcheck --cross-ncs --fix)? How to check 
> admin's privileges?
> 
> That's the first problem.

Try: net rpc rights list accounts -U Administrator

It should ask you for the Administrator password and then print something like this:

BUILTIN\Print Operators
SeLoadDriverPrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Account Operators
SeInteractiveLogonRight

BUILTIN\Backup Operators
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Administrators
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeInteractiveLogonRight
SeNetworkLogonRight
SeRemoteInteractiveLogonRight

BUILTIN\Server Operators
SeBackupPrivilege
SeSystemtimePrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access SeRemoteInteractiveLogonRight SeChangeNotifyPrivilege

> 
> The second one - I keep getting now the same error in log.samba
> 
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure 
> (see text): Decrypt integrity check failed for checksum type 
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96 [2018/04/03 
> 15:08:05.924388, 1] 
> ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_intern
> al)
> 
> 
> Can this be related to the new key of host in keytab?

Do you have 'etc/krb5.keytab' (or similar), if so try deleting it and then create a new one.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba