Re: [Samba] Problem joining a samba DC to a Windows domain

Hi Tom,

The problem here is due to fundamental implementation differences in the
way Windows and Samba store linked attributes. Your DB is likely fine
(no corruptions).

During replication (i.e. the join), Windows can sometimes send linked
attributes before Samba knows about the source/target objects involved.
As Andrew said, historically Samba has handled this by silently dropping
these links, which isn't ideal. So on Samba 4.7, after the join
succeeds, it's probably worth running 'samba-tool drs replicate
--full-sync' to make sure the new DC has all the linked attributes.

In Samba 4.8, instead of dropping the link, we added code that used the
GET_TGT flag in the DRS message to force the Windows DC to send all the
link target objects. This meant Samba could successfully process all the
links. The problem is that the GET_TGT flag is a reasonably new addition
to the Windows protocol, and the code in this case thinks it's not
supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
2008 R2 onwards - what version of Windows are you running?

Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
--full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
have a think what else we could do to handle this situation better.


On 22/06/18 08:22, Andrew Bartlett via samba wrote:
> On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>> Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>> Hi,
>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>> Windows domain using
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>> as instructions.
>>> The smb.conf looks like the following:
>>> [global]
>>>      netbios name = PHT-VDC1
>>>      realm = EXAMPLE.COM
>>>      server role = active directory domain controller
>>>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>      workgroup = EXAMPLE
>>> [netlogon]
>>>      path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>      read only = No
>>> [sysvol]
>>>      path = /usr/local/samba/var/locks/sysvol
>>>      read only = No
>>> The above was generated by the following samba-tool command line:
>>> samba-tool domain join example.com DC -U"example\admin"
>>> --dns-backend=BIND9_DLZ
>>> When I run samba-tool I get the following output:
>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>> Finding a writeable DC for domain 'example.com'
>>> Found DC PHT1.example.com
>>> Password for [EXAMPLE\admin]:
> ....
>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
>>> ...
>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
>>> Replicating critical objects from the base DN of the domain
>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>> Failed to commit objects: DOS code 0x000021bf
>>> Join failed - cleaning up
>> This is where it seems to fail and 0x000021bf is this:
>> The replication operation failed because the target object referenced
>> by a link value is recycled.
>> So it might be an idea to check the DC you are trying to join to.
> Thanks Rowland,
> What is happening here is that Samba is trying to find the end of a
> link that it has been given, so as to be able to set the backlink. 
> This used to just result in the backlink being dropped, and now we have
> fixed that (never dropping the link).  However it seems that goes a bit
> wrong here against Windows.
> The reason this works with 4.7 is that the backlink is just ignored and
> dropped in this case.
> I've CC'ed Tim Beale who was the developer of that code, who may have
> some insights. 
> Thanks,
> Andrew Bartlett


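As an added example, not code from the Samba project or from anyone in the thread: a small Python parser for the `samba-tool domain join` transcript quoted above. It records how far each naming context got (objects and linked values), picks out the "Failed to commit objects: DOS code" line, decodes the code and reports how many link values were still outstanding in the partition that failed, which is the part of the join the thread is about. The error-code table holds only the code seen in this thread (0x21bf, whose winerror.h name ERROR_DS_DRA_RECYCLED_TARGET matches the description Rowland quoted); the sample transcript is constructed from the one Tom posted.

```python
"""Parse 'samba-tool domain join ... DC' output and report where a failed
join stopped.  Added example; not code from the Samba project."""
import re

# "DOS code 0x..." values as samba-tool prints them.  Only the code from the
# thread is listed; the text is the winerror.h description Rowland quoted.
DOS_CODES = {
    0x21BF: ("ERROR_DS_DRA_RECYCLED_TARGET",
             "The replication operation failed because the target object "
             "referenced by a link value is recycled."),
}

PROGRESS_RE = re.compile(
    r"Partition\[(?P<nc>[^\]]+)\]\s+objects\[(?P<obj>\d+)/(?P<obj_total>\d+)\]"
    r"\s+linked_values\[(?P<lv>\d+)/(?P<lv_total>\d+)\]")
FAIL_RE = re.compile(r"Failed to commit objects: DOS code 0x(?P<code>[0-9a-fA-F]+)")

# Constructed sample, reassembled from the transcript in the thread.
SAMPLE_OUTPUT = """\
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
"""


def parse_join_output(text):
    """Return {'partitions': {nc: last progress seen}, 'error': decoded failure or None}."""
    partitions = {}
    error = None
    last_nc = None
    for line in text.splitlines():
        m = PROGRESS_RE.search(line)
        if m:
            last_nc = m.group("nc")
            partitions[last_nc] = {
                "objects": int(m.group("obj")),
                "objects_total": int(m.group("obj_total")),
                "linked_values": int(m.group("lv")),
                "linked_values_total": int(m.group("lv_total")),
            }
            continue
        m = FAIL_RE.search(line)
        if m:
            code = int(m.group("code"), 16)
            name, desc = DOS_CODES.get(code, ("UNKNOWN", "code not in DOS_CODES table"))
            # The failure belongs to whichever partition was being replicated.
            error = {"code": code, "name": name, "description": desc,
                     "partition": last_nc}
    return {"partitions": partitions, "error": error}


def outstanding_links(result):
    """Link values not yet processed per naming context (total minus last seen)."""
    return {nc: p["linked_values_total"] - p["linked_values"]
            for nc, p in result["partitions"].items()}


def summarize(result):
    """Human-readable report lines for a parsed join transcript."""
    lines = []
    for nc, p in result["partitions"].items():
        lines.append("%s: objects %d/%d, linked values %d/%d" % (
            nc, p["objects"], p["objects_total"],
            p["linked_values"], p["linked_values_total"]))
    err = result["error"]
    if err:
        lines.append("join failed in %s with DOS code 0x%08x (%s): %s" % (
            err["partition"], err["code"], err["name"], err["description"]))
        lines.append("link values still outstanding there: %d" %
                     outstanding_links(result)[err["partition"]])
    else:
        lines.append("no commit failure found")
    return lines


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("\n".join(summarize(parse_join_output(text))))
```

Run it with the join output saved to a file (for example `samba-tool domain join ... 2>&1 | tee join.log` and then `python3 join_report.py < join.log`); with no input on stdin it reports on the constructed sample, which points at DC=example,DC=com with 316 of 388 link values still unprocessed when the commit failed.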