An account with the same name exists in Active Directory

Hello all,

I’ve been experiencing a strange issue and need some assistance.

When attempting to join a Windows Server 2019 server to the UCS domain, I get an error saying “An account with the same name exists in Active Directory, Reusing the Account was blocked by security”. When I delete the entry in UCS and attempt to try joining the server to the domain again, I still get the same error.

It appears when I attempt to join the server to the domain, it will create the entry for the computer in UCS/OpenLDAP and Samba, but will tell the Windows server that the account already exists and will not join the server to the domain.

I confirmed the listeners and notifier are syncing and operational and the Active Directory Domain Compatible Controller is installed on the master UCS server.

Any suggestions? - Thanks

What UCS version do you use? And is it the same if you join another server/client with another hostname?

root@UCS:~# ucr search --brief ^version/
version/erratalevel: 783
version/patchlevel: 4
version/version: 5.0

Yes, I get the same error when I join another server/client with a different hostname. Also, I cannot log in with a domain user to an already joined server, and I get an error “The trust relationship between this workstation and the primary domain failed”.

This is a stupid security fix MS did in late 2022.
Basically there was an “exploit” that allowed you to bypass security.

Now when a user binds a WS to an AD system, a special stamp gets added to the machine record in the LDAP
if the user is NOT “Administrator”. If you then try to “rejoin” the computer, or the security cert for AD & computer lapses, or you change the name, this “magic string” blocks with the above errors.

I spent a week on this, when I renamed a UCS domain (I wanted to keep all the records), some workstations would rejoin the new domain with no problems, others would not…
You can go into the AD and delete the computer record, or you can go into the SAMBA LDAP and just ship out the bad data field.
There are AD commands to force the workstation & server to rebind & reset the trust. (It’s always breaking, even in real ADs.)

& it can rejoin.

Also note “administrator” is NOT the same as “Administrator”, from what I see in SAMBA & this MS AD “fix”…


When I execute the command samba-tool domain trust list, nothing is listed. It appears samba doesn’t have any trust setup for the domain.

The “trust” is the AD function.
Basically when you create an object in the LDAP, it gets a SID with a Kerberos key.

The computer joining also gets this SID & Kerberos key.
If the SID matches & the Kerberos key does not, then there is a trust failure; you can regen these keys.

Also, as I said about the patch,
in the LDAP record for the computer you will see:

localPolicyFlags
msDS-SupportedEncryptionTypes

IF you see:
localPolicyFlags
mS-DS-CreatorSID ←
msDS-SupportedEncryptionTypes

THAT is what messes up the “already exists”. The key in “mS-DS-CreatorSID” is only there under specific situations, & if the new “joiner admin” does not match that SID, then you get an error related to “already exists”.

I know it is this flag, because if I delete this from the LDAP, magically the workstation then joins …
{I had to write a script to remove it; one of our now “EX” admins had been using his personal account with admin priv.}

I have also seen this flag go “bad” sometimes, containing nothing that looks like any SID, so even if you use the same Admin to rejoin the WS it still fails.
