Web lists-archives.com

[Samba] Problem joining a samba Dc to a winbdows domain




Hi,

I am trying to join a self compiled samba 4.8.2 DC to an existing Windows domain
using https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.

The smb.conf looks like the following:

[global]
    netbios name = PHT-VDC1
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = EXAMPLE

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$
Enabling account
Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
Deleted CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1383, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 942, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 322, in replicate
    if self._should_retry_with_get_tgt(e[0], req):
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 213, in _should_retry_with_get_tgt
    (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and

As can be seen from above there is an error that says "Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
and then of course the join fails.

In case anyone is wondering yes, the domain is really in the form of
example.com. This domain was created over 10 years ago and upgraded several
times using MS based DC's. We are trying to move away from MS DC's but would
like to be spared the pain of creating a whole new domain.

Anyone have any idea how to fix this?

Regards,

--
Tom			me@xxxxxxxxxx

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba