
Re: [Samba] Unable to rejoin domain, LDAP error 50

On Wed, 4 Apr 2018 10:54:22 +0200
Krzysztof Paszkowski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> What you are writing is strange. Are you saying that if
> Administrator is in the Domain Users group, ALL my users have admin
> rights? Hard to believe. Moreover, I'm unable to delete Administrator
> from the Domain Users group, as this is its basic group (I received such
> info).

No, you posted this:

There was lack of membership in Administrators domain/Builtin group.
I had only:
Domain Users
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Domain Admins

This seems to suggest that 'Domain Users' is a member of the
'Administrators' group, which is definitely not a good idea. All users
are members of 'Domain Users', so if 'Domain Users' is a member of
'Administrators', every user is a member of the 'Administrators' group.

> 
> I believe the keytab is needed for something, because without it I keep
> receiving:
> [2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory

Ah, that is a different keytab to the one I thought you were referring
to, you definitely need that one ;-)
> 
> About the previous errors regarding "Decrypt integrity check failed":
> I just needed to wait (I believe for the ticket lifetime). Now it seems
> to be fine.
> 
> I have two more errors to resolve:
> 
> 1. My two DCs: CentOS 7, Samba 4.7.6, built from sources with
> ./configure --disable-cups
> samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
> 
> I do not use bind, only the DNS built into samba.
> 
> The errors in log.samba (all the time):
> [2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/sbin/rndc: Failed to exec child - No such file or directory
> [2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL
> 
> I saw such a problem in the mailing lists almost 2 years ago. Then it
> ended up as a bug. What does it mean now? On one of these DCs I've
> installed bind and now the error is:
> [2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED
> [2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>   /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Try adding this to smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

> 
> 
> 2. KVNO mismatch - on the main DC
> 
> [2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> 
> kvno DC
> DC@xxxxxxxxxxxxx: kvno = 1
> 
> Is there any other way to increase the key version to 2 than demoting
> the DC and rejoining the domain? I was trying with the command:
> ktutil:  add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96
> but then I'm asked to enter a password (or a key with the -key option
> in add_entry) - can I leave it empty and just hit the enter key?
> 
> 

You could try running 'samba_upgradeprovision'; this will reset the
passwords:

samba_upgradeprovision --realm=<YOUR REALM> -U Administrator

NOTE: I have never had to do this, so I would urge you to back up
everything before trying it.

However, the errors could be coming from something that is using stale
passwords, they may go away if you wait long enough or reboot
everything.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
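Rowland's point about 'Domain Users' being nested inside 'Administrators' can be verified with a walk of nested group membership rather than by eyeballing the list. This is an added example, not code from the thread or from Samba: SAMPLE is constructed text standing in for `samba-tool group listmembers` output, and list_members() is the hypothetical hook where the real command would go on a DC.

```shell
#!/bin/sh
# Constructed stand-in for `samba-tool group listmembers <group>` output,
# one "group:member" line per direct membership. On a real DC, replace the
# body of list_members() with:  samba-tool group listmembers "$1"
SAMPLE='Administrators:Domain Admins
Administrators:Enterprise Admins
Administrators:Domain Users
Domain Admins:Administrator
Domain Users:Administrator
Domain Users:alice
Domain Users:bob'

# Print the direct members of group $1, one per line.
list_members() {
    printf '%s\n' "$SAMPLE" | awk -F: -v g="$1" '$1 == g { print $2 }'
}

# Depth-first walk: $1 = group to expand, $2 = group we are looking for,
# $3 = membership path so far, $4 = depth (guards against cyclic nesting).
# Prints one line per path that reaches $2. Positional parameters are used
# instead of variables so recursion does not clobber the caller's state.
find_nested() {
    if [ "${4:-0}" -gt 20 ]; then
        return 0
    fi
    list_members "$1" | while IFS= read -r m; do
        if [ "$m" = "$2" ]; then
            printf '%s -> %s\n' "$3" "$m"
        else
            find_nested "$m" "$2" "$3 -> $m" $(( ${4:-0} + 1 ))
        fi
    done
}

# Return 1 (and print the offending path) when every domain user becomes
# an administrator by way of group nesting, 0 otherwise.
check_admins() {
    paths=$(find_nested Administrators 'Domain Users' Administrators 0)
    if [ -n "$paths" ]; then
        printf 'WARNING: all users reach Administrators via:\n%s\n' "$paths"
        return 1
    fi
    return 0
}

# Stand-alone run: the return status is the signal, so keep going on failure.
check_admins || echo "(remove the nesting with: samba-tool group removemembers Administrators 'Domain Users')"
```

With the constructed SAMPLE the check reports the path `Administrators -> Domain Users`; against real output a clean domain prints nothing and returns 0.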