Web lists-archives.com

Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain




OK, we're getting closer here I think. I repeated with -d 2 without much help. Here is -d 3, which may point us in the right direction. As I suspected, it seems to point to some corruption in the DNS still, perhaps?

The key line seems to be here:
Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

Here is the full output in context:

$ sudo samba-tool domain join redacted.domain.local DC -U"REDACTED\my.domain.admin"  --dns-backend=SAMBA_INTERNAL -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'redacted.domain.local'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacted.domain.local<0x0>
Found DC samba4dom.redacted.domain.local
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/samba4dom.redacted.domain.local
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
Password for [REDACTED\my.domain.admin]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NO DNS zone information found in source domain, not replicating DNS
workgroup is REDACTED
realm is redacted.domain.local
Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Adding CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Setting account password for SAMBA4DC2$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=redacted,DC=domain,DC=local
Starting replication
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610] linked_values[0/15]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610] linked_values[22/22]
Replicated 1 objects (22 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Replicating critical objects from the base DN of the domain
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for REDACTED from both secrets.ldb (Could not find entry to match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Deleted CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Deleted CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)
$




Daniel McFeeters 

----- Original Message -----
> From: "samba" <samba@xxxxxxxxxxxxxxx>
> To: "Daniel McFeeters" <danielj.mcfeeters@xxxxxxxxx>, "Andrew Bartlett" <abartlet@xxxxxxxxx>
> Cc: "samba" <samba@xxxxxxxxxxxxxxx>
> Sent: Thursday, December 21, 2017 4:47:46 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> Hi,

> If you slowly turn up the debug level for the join, there may be some
> clues as to which object is causing the issues. Do note, that these logs
> can contain sensitive data.

> Cheers,

> Garming

> On 22/12/17 08:51, Daniel McFeeters via samba wrote:
>> Yes, I am running 4.7.3 on both servers. One has been upgraded (many times). The
> > new one, obviously, is freshly installed.

>> I am running DNS on the domain controller. In fact, I'm running all the default
>> "server services". As I said, I have had some problems in the past, and for a
>> while the DNS was not working (perhaps due to some database corruption) and I
>> had to switch it off in smb.conf. DNS seems to be working fine now. However, I
>> am wondering if there are still some inconsistencies in the database which
> > would cause this?

> > Here is my smb.conf file:

> > [global]
> > workgroup = REDACTED
> > realm = redacted.domain.local
> > netbios name = SAMBA4DOM
> > server role = active directory domain controller
> > log level = 2
> > allow dns updates = signed
> > encrypt passwords = yes
> > lanman auth = No
> > client ntlmv2 auth = Yes
> > ntlm auth = Yes
> > client lanman auth = No
> > client plaintext auth = No
> > client min protocol = SMB2
> > client signing = mandatory
> > server signing = mandatory

> > [netlogon]
> > path = /var/lib/samba/sysvol/redacted.domain.local/scripts
> > read only = No

> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No


> > Daniel McFeeters

> > ----- Original Message -----
> >> From: "samba" <samba@xxxxxxxxxxxxxxx>
>>> To: "Daniel McFeeters" <danielj.mcfeeters@xxxxxxxxx>, "samba"
> >> <samba@xxxxxxxxxxxxxxx>
> >> Sent: Thursday, December 21, 2017 1:44:41 PM
>>> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to
> >> Samba4 Domain
> >> On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:
> >>> I have a Samba4 Domain Controller, which we have run in production since ~2009
> >>> (early alpha). It's had a few issues over the years which we've managed to
> >>> recover from. I'm trying to join a second Samba4 DC to the domain, but having
> >>> trouble when I issue the join. I have run dbcheck on the existing DC, which
> >>> found and fixed some errors. There are still about 60+ errors like this:
> >>> # samba-tool dbcheck --cross-ncs
> >>> ...
> >>> ERROR: no target object found for GUID component for objectCategory in object
> >>> DC=...
> >>> Not removing dangling forward link
> >>> I'm running the same Samba version on both systems. Just upgraded to 4.7.3
> >>> (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with
> >>> earlier versions with the same problem.)
> >>> Any suggestions would be greatly appreciated!
> >>> Here is the output from the second DC when I attempt to join:
> >>> $ samba --version
> >>> Version 4.7.3-Ubuntu
> >> So both versions servers run Samba 4.7.3? I would normally expect this
> >> only if the existing server was much older.
> >> Thanks,
> >> Andrew Bartlett
> >> --
> >> Andrew Bartlett http://samba.org/~abartlet/
> >> Authentication Developer, Samba Team http://samba.org
> >> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba