Web lists-archives.com

Re: [Samba] Problem joining a samba Dc to a winbdows domain




On Thu, 21 Jun 2018 14:32:49 -0400 (EDT)
me@xxxxxxxxxx wrote:

> Hi Rowland,
> 
> On Thu, 21 Jun 2018, Rowland Penny via samba wrote:
> 
> > On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> > Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hi,
> >>
> >> I am trying to join a self compiled samba 4.8.2 DC to an existing
> >> Windows domain using
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> >> as instructions.
> >>
> >> The smb.conf looks like the following:
> >>
> >> [global]
> >>      netbios name = PHT-VDC1
> >>      realm = EXAMPLE.COM
> >>      server role = active directory domain controller
> >>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE
> >>
> >> [netlogon]
> >>      path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> >>      read only = No
> >>
> >> [sysvol]
> >>      path = /usr/local/samba/var/locks/sysvol
> >>      read only = No
> >>
> >> The above was generated by the following samba-tool command line:
> >> samba-tool domain join example.com DC -U"example\admin"
> >> --dns-backend=BIND9_DLZ
> >>
> >> When I run samba-tool I get the following output:
> >> (pht-vdc1 pts10) # samba-tool domain join example.com DC
> >> -U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC
> >> for domain 'example.com' Found DC PHT1.example.com
> >> Password for [EXAMPLE\admin]:
> >> workgroup is EXAMPLE
> >> realm is example.com
> >> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> >> Adding
> >> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> >> Adding CN=NTDS
> >> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> >> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> >> Setting account password for PHT-VDC1$ Enabling account Adding DNS
> >> account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> >> Setting account password for dns-PHT-VDC1 Calling bare provision
> >> Looking up IPv4 addresses
> >> Looking up IPv6 addresses
> >> No IPv6 address will be assigned
> >> Setting up share.ldb
> >> Setting up secrets.ldb
> >> Setting up the registry
> >> Setting up the privileges database
> >> Setting up idmap db
> >> Setting up SAM db
> >> Setting up sam.ldb partitions and settings
> >> Setting up sam.ldb rootDSE
> >> Pre-loading the Samba 4 and AD schema
> >> Unable to determine the DomainSID, can not enforce uniqueness
> >> constraint on local domainSIDs
> >>
> >> A Kerberos configuration suitable for Samba AD has been generated
> >> at /usr/local/samba/private/krb5.conf Merge the contents of this
> >> file with your system krb5.conf or replace it with this one. Do
> >> not create a symlink! Provision OK for domain DN DC=example,DC=com
> >> Starting replication
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[402/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[804/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[1206/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[1608/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[2010/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[2412/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[2814/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[3216/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[3618/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> >> objects[3735/4383] linked_values[0/0] Analyze and apply schema
> >> objects Partition[CN=Configuration,DC=example,DC=com]
> >> objects[402/7722] linked_values[0/355]
> >> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
> >> linked_values[0/355] ...
> >> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
> >> linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
> >> objects[6510/7722] linked_values[12/355] Replicating critical
> >> objects from the base DN of the domain
> >> Partition[DC=example,DC=com] objects[105/156]
> >> linked_values[42/388] Partition[DC=example,DC=com]
> >> objects[296/7902] linked_values[1/388]
> >> Partition[DC=example,DC=com] objects[466/7902]
> >> linked_values[72/388] Failed to commit objects: DOS code
> >> 0x000021bf Join failed - cleaning up
> >
> > This is where it seems to fail and 0x000021bf is this:
> >
> > The replication operation failed because the target object
> > referenced by a link value is recycled.
> >
> > So it might be an idea to check the DC you are trying to join to.
> 
> Check it for what? If I understand correctly the error is saying that
> the target object is not there. The problem is I do not understand
> what the target object is or how to find it. Assuming that the error
> is referring to Partition[DC=example,DC=com] objects[466/7952]
> linked_values[72/388] How do I figure out what the error is referring
> to?
> 
> As I said in a separate message, I can successfully join using 4.7.7.
> If this is a problem with the existing MS DC, why does 4.7.7 join
> without error?
> 
> To be clear I am not doubting your advice and I do appreciate it. I
> am just trying to understand.
> 
> Regards,
> 

The index mode changed at 4.8.0, this might be more picky i.e. it wont
allow things that 4.7.x would.

If this was a Samba DC, I would suggest running 'samba-tool
dbcheck' on it, but is there a windows version of this tool ?

If 4.7.7 joins and works successfully, have you considered using this
as the main DC and try joining the 4.8.2 to it ?

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba