
Re: [Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain

Thanks for your attention
You are always receiving these:

Adding DNS A record SRVAD-NEW.SAMDOM.LOCAL for IPv4 IP: 10.0.3.100
Join failed - cleaning up
Yes, but the DNS record is created and it persists after the failure.
Another thing I've noticed using RSAT "Active Directory Users and Computers" is that the new DC computer account SRVAD-NEW$@SAMDOM.LOCAL is created at the start of the "samba-tool join" run (under the "Domain Controllers" folder); it persists until the end (the join runs about 15 seconds before failing) and is then removed upon failure.

Questions:

1) Prior to the join, does a kinit -V5 ADMINISTRATOR@SAMDOM.LOCAL work?
Yes, it does. Here's the log:

root@srvad-new:~# kinit -V5 ADMINISTRATOR@SAMDOM.LOCAL
Using default cache: /tmp/krb5cc_0
Using principal: ADMINISTRATOR@SAMDOM.LOCAL
Password for ADMINISTRATOR@SAMDOM.LOCAL:
Authenticated to Kerberos v5

root@srvad-new:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@SAMDOM.LOCAL

Valid starting       Expires              Service principal
03/02/2018 08:56:52  03/02/2018 18:56:52 krbtgt/SAMDOM.LOCAL@SAMDOM.LOCAL
        renew until 03/03/2018 08:56:47

2) Can you create DNS entries without issues with your administrator account?
If you mean creating them with samba-tool, yes I can, no errors:

root@srvad-new:~# samba-tool dns add srvad-old.samdom.local samdom.local foo A 1.2.3.4
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:srvad-old.samdom.local[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name srvad-old.samdom.local<0x20> resolve_lmhosts: Attempting lmhosts lookup for name srvad-old.samdom.local<0x20>
Record added successfully

The new DNS record is visible with RSAT on SRVAD-OLD.

3) Can you do a test and join your samba server as a normal computer? Does it work?

Yes it does, it joins immediately, no errors (thanks to VBox virtual machines I can easily go back to snapshots). This was one of the tests I had already done but didn't mention here to avoid confusion.

I'm still focusing on log lines after the failure:

--- no SRVAD-OLD address in /etc/hosts ---
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for SAMDOM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=SAMDOM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
---

--- SRVAD-OLD address in /etc/hosts ---
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name SRVAD-OLD.SAMDOM.LOCAL<0x20> Wrong username or password: kinit for SRVAD-NEW$@SAMDOM.LOCAL failed (Preauthentication failed) SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/SRVAD-OLD.SAMDOM.LOCAL failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0> <> Failed to connect to 'ldap://SRVAD-OLD.SAMDOM.LOCAL' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0> <>
---

I don't know how an authentication error could occur after being able to create DNS records and the DC computer account...


On 01/03/2018 10:05, Claudio Nicora via samba wrote:
It seems I'm talking to myself... anyway another test here:

Added the existing DC IP config to /etc/hosts and the join now shows a more explicit LDAP error:

---
Wrong username or password: kinit for SRVAD-NEW$@SAMDOM.LOCAL failed (Preauthentication failed) SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/SRVAD-OLD.SAMDOM.LOCAL failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0> <> Failed to connect to 'ldap://SRVAD-OLD.SAMDOM.LOCAL' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0> <>
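As an added triage example (not code from this thread or from the Samba project), a small Python parser over a constructed excerpt of the join output quoted above: it pulls out the DNS A record that may be left behind, the machine-account kinit that failed preauthentication, and the AD sub-code behind LDAP error 49. The AD_BIND_DATA table is Microsoft's documented list of bind "data" codes; only 52e appears on this page.

```python
import re

# Constructed excerpt of the failed samba-tool join output quoted in the thread.
JOIN_LOG = """\
Adding DNS A record SRVAD-NEW.SAMDOM.LOCAL for IPv4 IP: 10.0.3.100
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Wrong username or password: kinit for SRVAD-NEW$@SAMDOM.LOCAL failed (Preauthentication failed) SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/SRVAD-OLD.SAMDOM.LOCAL failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0> <>
"""

# AD "data" sub-codes that accompany LDAP error 49 (Microsoft's documented list).
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DNS_RE = re.compile(r"Adding DNS A record (\S+) for IPv4 IP: (\S+)")
KINIT_RE = re.compile(r"kinit for (\S+) failed \(([^)]*)\)")
LDAP_RE = re.compile(r"LDAP error (\d+) (\w+).*?data ([0-9a-f]+)")

def triage_join_log(text):
    """Extract the facts worth checking after a failed join: DNS records added
    before the failure, machine-account kinit failures, decoded LDAP bind error."""
    result = {"dns_records": [], "kinit_failures": [], "ldap_bind": None,
              "join_failed": "Join failed - cleaning up" in text}
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            result["dns_records"].append({"name": m.group(1), "ip": m.group(2)})
        m = KINIT_RE.search(line)
        if m:
            result["kinit_failures"].append({"principal": m.group(1), "reason": m.group(2)})
        m = LDAP_RE.search(line)
        if m:
            code, name, data = m.groups()
            result["ldap_bind"] = {"code": int(code), "name": name, "data": data,
                                   "meaning": AD_BIND_DATA.get(data, "unknown sub-code")}
    # A record added before "Join failed" is a cleanup candidate if it still resolves.
    result["orphaned_dns"] = result["join_failed"] and bool(result["dns_records"])
    return result
```

Run it against a real capture of "samba-tool join" stderr to get the record name and IP to verify (and delete) on the existing DC, and the exact principal whose password the DC rejected.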

