Web lists-archives.com

Re: [Samba] Problem joining a samba DC to a windows domain




Hi Tim Andrew and Rowland,

Thanks for taking the time to look into this.

On Fri, 22 Jun 2018, Tim Beale via samba wrote:

Hi Tom,

The problem here is due to fundamental implementation differences in the
way Windows and Samba store linked attributes. Your DB is likely fine
(no corruptions).

That is great to hear!

During replication (i.e. the join), Windows can sometimes send linked
attributes before Samba knows about the source/target objects involved.
As Andrew said, historically Samba has handled this by silently dropping
these links, which isn't ideal. So on Samba 4.7, after the join
succeeds, it's probably worth running 'samba-tool drs replicate
--full-sync' to make sure the new DC has all the linked attributes.

I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com --full-sync"
and it returned "Replicate from PHT1 to PHT-VDC1 was successful".

In Samba 4.8, instead of dropping the link, we added code that used the
GET_TGT flag in the DRS message to force the Windows DC to send all the
link target objects. This meant Samba could successfully process all the
links. The problem is that the GET_TGT flag is a reasonably new addition
to the Windows protocol, and the code in this case thinks it's not
supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
2008 R2 onwards - what version of Windows are you running?

Well based on your explanation above this problem makes perfect sense.
The existing DC is sbs2008 which is running 2008 SP2. I guess I need to remember
that anything older then 2008 R2 needs to start with 4.7 until there is a better
solution.

Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
--full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
have a think what else we could do to handle this situation better.

Would it make sense to add a warning to the wiki until there is a better
solution?

Is this something that can be done while the 2008 SP2 DC is still on line
or should I wait until after it is retired?

Regards and Thanks again!!

--
Tom			me@xxxxxxxxxx


Thanks,
Tim

On 22/06/18 08:22, Andrew Bartlett via samba wrote:
On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

I am trying to join a self compiled samba 4.8.2 DC to an existing
Windows domain using
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.

The smb.conf looks like the following:

[global]
     netbios name = PHT-VDC1
     realm = EXAMPLE.COM
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE

[netlogon]
     path = /usr/local/samba/var/locks/sysvol/example.com/scripts
     read only = No

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin"
--dns-backend=BIND9_DLZ

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC
-U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC for
domain 'example.com' Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
....

Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
linked_values[0/355] ...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
objects[6510/7722] linked_values[12/355] Replicating critical objects
from the base DN of the domain Partition[DC=example,DC=com]
objects[105/156] linked_values[42/388] Partition[DC=example,DC=com]
objects[296/7902] linked_values[1/388] Partition[DC=example,DC=com]
objects[466/7902] linked_values[72/388] Failed to commit objects: DOS
code 0x000021bf Join failed - cleaning up
This is where it seems to fail and 0x000021bf is this:

The replication operation failed because the target object referenced
by a link value is recycled.

So it might be an idea to check the DC you are trying to join to.
Thanks Rowland,

What is happening here is that Samba is trying to find the end of a
link that it has been given, so as to be able to set the backlink.
This used to just result in the backlink being dropped, and now we have
fixed that (never dropping the link).  However it seems that goes a bit
wrong here against Windows.

The reason this works with 4.7 is that the backlink is just ignored and
dropped in this case.

I've CC'ed Tim Beale who was the developer of that code, who may have
some insights.

Thanks,

Andrew Bartlett




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba