
Re: [Samba] Problem joining a samba DC to a Windows domain


Sorry to reply to my own post but I have additional info.

I removed samba 4.8.2 and compiled samba 4.7.7 and the join succeeded
without error using the exact same configuration.

I am hesitant to upgrade to 4.8.2 for fear of breaking something and having
to forcibly remove the samba DC from the domain but I suppose now is the time
to do it since it is not really in production yet.



Tom			me@xxxxxxxxxx

On Thu, 21 Jun 2018, Tom Diehl via samba wrote:


I am trying to join a self compiled samba 4.8.2 DC to an existing Windows domain using https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.

The smb.conf looks like the following:

    [global]
            netbios name = PHT-VDC1
            realm = EXAMPLE.COM
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
            workgroup = EXAMPLE

    [netlogon]
            path = /usr/local/samba/var/locks/sysvol/example.com/scripts
            read only = No

    [sysvol]
            path = /usr/local/samba/var/locks/sysvol
            read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$
Enabling account
Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
Deleted CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
  line 176, in _run
    return self.run(*args, **kwargs)
  line 706, in run
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1383, in do_join
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 942, in join_replicate
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 322, in replicate
    if self._should_retry_with_get_tgt(e[0], req):
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 213, in _should_retry_with_get_tgt
    (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and

As can be seen above, there is an error that says "Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
and then of course the join fails.

In case anyone is wondering, yes, the domain is really in the form of
example.com. This domain was created over 10 years ago and upgraded several
times using MS-based DCs. We are trying to move away from MS DCs but would
like to be spared the pain of creating a whole new domain.

Anyone have any idea how to fix this?
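The traceback in the post ends in an AttributeError rather than in the replication error itself, because the retry check reads `more_flags` on a `DsGetNCChangesRequest8`, which has no such attribute. The following Python model is an added example, not Samba's own code: the two request classes, the flag value and the helper names are stand-ins for the samba.dcerpc.drsuapi objects, and only the attribute name, the class names, `DRSUAPI_DRS_GET_TGT` and the 0x21bf code are taken from the post. It shows how the unguarded access masks the real 0x21bf failure and how a guarded check lets that error reach the operator instead.

```python
# Added example (not Samba code). Flag value is an assumption; the DOS code
# is the one the failed join printed in the post.
DRSUAPI_DRS_GET_TGT = 0x1
DOS_CODE_SEEN_ON_PAGE = 0x000021bf


class DsGetNCChangesRequest8(object):
    """Stand-in for the V8 request: it carries no more_flags attribute."""
    def __init__(self):
        self.replica_flags = 0


class DsGetNCChangesRequest10(DsGetNCChangesRequest8):
    """Stand-in for the V10 request, which does carry more_flags."""
    def __init__(self, more_flags=0):
        DsGetNCChangesRequest8.__init__(self)
        self.more_flags = more_flags


def should_retry_with_get_tgt_naive(error_code, req):
    """Same shape as the check in the traceback: reads req.more_flags
    unconditionally, so a V8 request raises AttributeError and the
    replication error that triggered the check is never reported."""
    return (error_code == DOS_CODE_SEEN_ON_PAGE and
            (req.more_flags & DRSUAPI_DRS_GET_TGT) == 0)


def should_retry_with_get_tgt(error_code, req):
    """Guarded version: a request type without more_flags cannot ask for
    GET_TGT, so the answer is 'no retry' and the original error propagates."""
    if error_code != DOS_CODE_SEEN_ON_PAGE:
        return False
    more_flags = getattr(req, "more_flags", None)
    if more_flags is None:
        return False
    return (more_flags & DRSUAPI_DRS_GET_TGT) == 0


def replicate_outcome(error_code, req, decide=should_retry_with_get_tgt):
    """Simulate the error path of a replicate() call and return what the
    operator would see: a retry, the original DRS error, or the masking
    AttributeError from an unguarded check."""
    try:
        if decide(error_code, req):
            return "retry with GET_TGT"
        return "error 0x%08x" % error_code
    except AttributeError as e:
        return "AttributeError: %s" % e
```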
