Re: [Samba] Problem joining a samba DC to a Windows domain

Hi Rowland,

On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:


I am trying to join a self compiled samba 4.8.2 DC to an existing
Windows domain using
as instructions.

The smb.conf looks like the following:

     netbios name = PHT-VDC1
     realm = EXAMPLE.COM
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
     workgroup = EXAMPLE

     path = /usr/local/samba/var/locks/sysvol/example.com/scripts
     read only = No

     path = /usr/local/samba/var/locks/sysvol
     read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin"

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=NTDS
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$
Enabling account
Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
objects[804/4383] linked_values[0/0]
objects[1206/4383] linked_values[0/0]
objects[1608/4383] linked_values[0/0]
objects[2010/4383] linked_values[0/0]
objects[2412/4383] linked_values[0/0]
objects[2814/4383] linked_values[0/0]
objects[3216/4383] linked_values[0/0]
objects[3618/4383] linked_values[0/0]
objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up

This is where it seems to fail and 0x000021bf is this:

The replication operation failed because the target object referenced
by a link value is recycled.

So it might be an idea to check the DC you are trying to join to.

Check it for what? If I understand correctly, the error is saying that the target
object is not there. The problem is I do not understand what the target
object is or how to find it. Assuming that the error is referring to
Partition[DC=example,DC=com] objects[466/7952] linked_values[72/388],
how do I figure out what the error is referring to?

As I said in a separate message, I can successfully join using 4.7.7.
If this is a problem with the existing MS DC, why does 4.7.7 join without

To be clear I am not doubting your advice and I do appreciate it. I am just
trying to understand.


Tom			me@xxxxxxxxxx
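
Added example (not part of the original message and not Samba's own code): a small parser that pulls the last replication chunk reported before the commit failure, and the numeric error code, out of join output like the above. The sample log is constructed from lines quoted in the message; `locate_failure`, `KNOWN_CODES` and the regular expressions are hypothetical names.

```python
import re

# Constructed sample: tail of the join output quoted above, one record per line.
SAMPLE_LOG = """\
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
"""

# Only the code decoded in this thread, with the text quoted in the reply.
KNOWN_CODES = {0x21BF: "The replication operation failed because the target "
                       "object referenced by a link value is recycled."}

PROGRESS = re.compile(
    r"(?:(?:Partition|Schema-DN)\[(?P<nc>[^\]]+)\]\s+)?"
    r"objects\[(?P<done>\d+)/(?P<total>\d+)\]\s+"
    r"linked_values\[(?P<ldone>\d+)/(?P<ltotal>\d+)\]")
FAILURE = re.compile(r"Failed to commit objects: DOS code (0x[0-9a-fA-F]+)")


def locate_failure(log_text):
    """Return the chunk being committed when the join failed, or None."""
    last, nc = None, None
    for line in log_text.splitlines():
        m = PROGRESS.search(line)
        if m:
            nc = m.group("nc") or nc  # lines without a prefix keep the previous one
            last = {"naming_context": nc,
                    "objects": (int(m["done"]), int(m["total"])),
                    "linked_values": (int(m["ldone"]), int(m["ltotal"]))}
            continue
        f = FAILURE.search(line)
        if f:
            code = int(f.group(1), 16)
            return {**(last or {}), "code": code,
                    "meaning": KNOWN_CODES.get(code, "not in table")}
    return None  # no commit failure in this log


if __name__ == "__main__":
    print(locate_failure(SAMPLE_LOG))
```

The result names the naming context and chunk at which the commit failed; it does not identify the object the link value points at.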

