Web lists-archives.com

Re: [Samba] Problem joining a samba Dc to a winbdows domain




On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

On Thu, 21 Jun 2018 14:32:49 -0400 (EDT)
me@xxxxxxxxxx wrote:

Hi Rowland,

On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

I am trying to join a self compiled samba 4.8.2 DC to an existing
Windows domain using
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.

The smb.conf looks like the following:

[global]
     netbios name = PHT-VDC1
     realm = EXAMPLE.COM
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE

[netlogon]
     path = /usr/local/samba/var/locks/sysvol/example.com/scripts
     read only = No

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin"
--dns-backend=BIND9_DLZ

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC
-U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC
for domain 'example.com' Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding
CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS
Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$ Enabling account Adding DNS
account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1 Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated
at /usr/local/samba/private/krb5.conf Merge the contents of this
file with your system krb5.conf or replace it with this one. Do
not create a symlink! Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[402/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[804/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[1206/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[1608/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[2010/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[2412/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[2814/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[3216/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[3618/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[3735/4383] linked_values[0/0] Analyze and apply schema
objects Partition[CN=Configuration,DC=example,DC=com]
objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
linked_values[0/355] ...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
objects[6510/7722] linked_values[12/355] Replicating critical
objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156]
linked_values[42/388] Partition[DC=example,DC=com]
objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902]
linked_values[72/388] Failed to commit objects: DOS code
0x000021bf Join failed - cleaning up

This is where it seems to fail and 0x000021bf is this:

The replication operation failed because the target object
referenced by a link value is recycled.

So it might be an idea to check the DC you are trying to join to.

Check it for what? If I understand correctly the error is saying that
the target object is not there. The problem is I do not understand
what the target object is or how to find it. Assuming that the error
is referring to Partition[DC=example,DC=com] objects[466/7952]
linked_values[72/388] How do I figure out what the error is referring
to?

As I said in a separate message, I can successfully join using 4.7.7.
If this is a problem with the existing MS DC, why does 4.7.7 join
without error?

To be clear I am not doubting your advice and I do appreciate it. I
am just trying to understand.

Regards,


The index mode changed at 4.8.0, this might be more picky i.e. it wont
allow things that 4.7.x would.

If this was a Samba DC, I would suggest running 'samba-tool
dbcheck' on it, but is there a windows version of this tool ?

Apparently there is
http://www.rebeladmin.com/2018/03/integrity-check-detect-low-level-active-directory-database-corruption/

Huh, learn something new every day!! :-)

I am going to give that a try.


If 4.7.7 joins and works successfully, have you considered using this
as the main DC and try joining the 4.8.2 to it ?

That also sounds like a good idea.

Thanks for the help.

Regards,

--
Tom			me@xxxxxxxxxx

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba