
Re: [Samba] Unable to Join the Active Directory as a Domain Controller




Hi Marc-Henri Pamiseux,

I am trying to use Samba in version 4.7.0 as a replication of an Active
Directory running on Windows 2012-R2.

For that, I execute the process described on this page:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

When I run the command to join the domain controller, samba-tool returns
the following error:
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
'WERR_DS_INCOMPATIBLE_VERSION')

I read the documentation that specifies which version of Samba is
compatible with the version of the Active Directory schema:
https://wiki.samba.org/index.php/AD_Schema_Version_Support

I was able to check on the Windows 2012-R2 server that the Active
Directory schema is in version 69, so theoretically compatible with
Samba 4.7.

In the small print, one can read "69 :* Experimental support. To report problems, click https://bugzilla.samba.org". With such a warning I wouldn't put that in production...

User "MYDOMAIN\marcori" is a domain admin.
Do you have a way to explore further?

I think you can explore the page https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

TL;DR: with current Samba releases, it is not possible to join a win2k12 or above Active Directory to a Samba AD. Stick to 2k8r2 or wait for Garming/Douglas's work on that subject.

Cheers,

Denis


Respectfully,

Marc-Henri Pamiseux

PS: Here is the command invoked and its error message:

# samba-tool domain join example.com DC -U"MYDOMAIN\marcori" --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
Finding a writeable DC for domain 'example.com'
Found DC SRV-ADM1.example.com
Password for [MYDOMAIN\marcori]:
workgroup is MYDOMAIN
realm is example.com
Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")

# samba -V
Version 4.7.0-Debian


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

