
Re: [Samba] Convert Member Server to DC




On 12/30/2017 05:22 PM, Paul R. Ganci via samba wrote:
1.) net ads leave -U administrator
2.) Remove the machine entry on the 1st DC (used ldbedit)
3.) mv /var/lib/samba /var/lib/samba-client
4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
5.) samba-tool domain join 2nd DC

I tried this procedure and it just doesn't want to work. I have this error:

>samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator" --dns-backend=SAMBA_INTERNAL
Password for [MYDC\administrator]:
workgroup is MYDC
realm is mydc.mydom.com
Deleted CN=DC2,CN=Computers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
ERROR(ldb): uncaught exception - Failed to setup krb5_context: Invalid argument
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1376, in do_join
    ctx.join_provision()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 840, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2199, in provision
    secrets_ldb.transaction_commit()

The Kerberos setup is per the wiki and seems to be correct:

> kinit administrator
Password for administrator@xxxxxxxxxxxxxx:
> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@xxxxxxxxxxxxxx

Valid starting       Expires              Service principal
12/30/2017 19:43:53  12/31/2017 05:43:53 krbtgt/MYDC>MYDOM.COM@xxxxxxxxxxxxxx

I don't have a clue as to why this join would have failed. I put back the member server setup and have no problems joining the domain. Any clues as to what else I have to remove in order to turn this member server into a DC? Should I just delete everything including the Sernet samba distro and re-install from scratch?

--
Paul (ganci@xxxxxxxxxx)
Cell: (303)257-5208
