Re: [Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join

On 02/10/2018 15:47, Rowland Penny via samba wrote:
On Tue, 2 Oct 2018 15:21:03 +0200
Fabio Fantoni <fabio.fantoni@xxxxxxx> wrote:

On 02/10/2018 11:03, Rowland Penny via samba wrote:
On Tue, 2 Oct 2018 10:33:35 +0200
Fabio Fantoni <fabio.fantoni@xxxxxxx> wrote:

On 01/10/2018 17:33, Rowland Penny via samba wrote:
On Mon, 1 Oct 2018 17:14:09 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

Hai Fabio,

We don't mind crappy English...
At least not me, I'm the same, lots of typos. You will learn it,
the more you type it. ;-)

https://lists.samba.org/archive/samba/2018-February/214118.html
Shows exactly the same, but no solution.

Looks like a leftover from another DC.
Thanks for your reply. As explained, I already did some searching and
solved/worked around 2 previous failures with different errors, but I
have not found a solution for this :(
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
<0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
            ref 1:
'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
    > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
Try to find :
a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local And check
what that is, any old server, a running one?
a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local is a CNAME of
the actual and correct PDC d7npdc.m2r.local (with the same Samba
version)


Greetz,

Louis


I wonder if this is sort of self-inflicted?
The OP tried to join as a second DC, but this failed; he then
tried again. I wonder if the first try set up something (and
didn't remove it) that the second attempt doesn't like?

Rowland

Sorry for my bad English, but here I don't understand what you mean.
Your English isn't that bad, I just phrased the comment in a way
you didn't understand ;-)

What I was trying to say was, did the first attempt to join the
second DC to the first DC (NOTE: please don't call it a pdc, it
isn't a pdc) create something in AD that the second join attempt
didn't like.

Can I suggest this:
go here: http://apt.van-belle.nl/

Upgrade your first DC to 4.8.5 using Louis's packages.
Clean up and rename the PC that will become the second DC and then,
using Louis's 4.8.5 packages try again.

The Debian 4.5.x packages are EOL as far as Samba is concerned and
there have been many changes since they were released.

Rowland

I updated both the Linux domain controllers to Samba 4.8.5 and changed
the hostname of the server I tried to add as a DC, but I get the same error:

samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
Finding a writeable DC for domain 'm2r.local'
Found DC DUO-ADD-DC.m2r.local
Password for [WORKGROUP\administrator]:
workgroup is M2R
realm is m2r.local
Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
Adding CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Adding CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Join failed - cleaning up
Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
Deleted CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Deleted CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
<0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
  ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
<ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
line 706, in run
     plaintext_secrets=plaintext_secrets)
   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482,
in join_DC
     ctx.do_join()
   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381,
in do_join
     ctx.join_add_objects()
   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673,
in join_add_objects
     ctx.samdb.modify(m)

d7npdc has all the roles:

samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DUO-ADD-DC.m2r.local is an additional W2008R2 DC added recently; d7npdc
was at Samba 4.5 at the time of the Windows DC join.

Initially there was an "s4pdc" Debian 6 server with Samba 4.0 beta or RC
when I did the provisioning. After that I upgraded it to 4.0, added d7npdc
(initially with Debian 7 and its official Samba backports packages),
upgraded both to the latest Samba 4.1 and migrated all roles to d7npdc.
After that I upgraded them to Debian 8, removed s4pdc, upgraded d7npdc to
Debian 9 and added the Windows DC. Last week I tried to add an
additional Debian 9 DC, and today I upgraded Samba to 4.8.

I also did dbcheck and other things after every Samba upgrade up to
today, and now after 4.8 there are errors that it fails to fix:

ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<RMD_ADDTIME=131758801250000000>;<RMD_CHANGETIME=131775157830000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101925>;<RMD_ORIGINATING_USN=101925>;<RMD_VERSION=11>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local
Change DN to <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<SID=S-1-5-21-2277923408-2990964511-2040291283-1126>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local? [y/N/all/none] all
Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local already set via primaryGroupID 513')
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6d68eb67-0fec-4cd2-bd1f-f374538c9f37>;<RMD_ADDTIME=131758801350000000>;<RMD_CHANGETIME=131775157700000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101922>;<RMD_ORIGINATING_USN=101922>;<RMD_VERSION=13>;CN=Amministrazione,OU=Accounts,DC=m2r,DC=local
And the others are of the same type.

Hmm 'ERROR: incorrect DN SID component for member in object CN=Domain
Users,CN=Users,DC=m2r,DC=local '

There shouldn't be any 'member' attributes in the 'Domain Users'
object; all users are automatically members of 'Domain Users'.
Have you done something strange, such as changing all (or some) of your
users' primaryGroupID attributes?

Rowland

Yes, we had to change the primary group of the users that need two-factor authentication with Duo Security, or Duo will and we also had to add a Windows 2008R2 DC for it, because it was impossible to get Duo Active Directory Sync working when connecting to a Samba 4 DC.

I don't know if the Duo issue is related to something not working in the Samba main controller, but other Windows/Linux clients seem OK with the domain.


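Added illustration, not part of the thread and not Samba's code. The dbcheck failure quoted above ("already set via primaryGroupID 513", LDAP result 68) follows from an Active Directory rule: a user's membership in its primary group is never stored in that group's `member` attribute; it is implied by the user's `primaryGroupID`, and a DC refuses an explicit `member` link that would duplicate it. Changing a user's primary group in the supported way requires the user to be an explicit member of the new group first; the DC then drops that link (it becomes implicit) and writes an explicit link into the old primary group, which is how "Domain Users" ends up with `member` entries once primary groups are changed. The toy model below shows that rule, the supported change, and the inconsistent state (explicit link plus matching `primaryGroupID`) that cannot be rewritten. Every user, group, RID and SID in it is constructed; the group "Duo Users" and its RID 1105 are assumptions.

```python
"""Toy model of Active Directory primary-group membership (added illustration
for this thread, not Samba's code). Every user, group, RID and SID below is
constructed; only the rules are real AD semantics."""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users", the default primaryGroupID


class EntryAlreadyExists(Exception):
    """Stands in for LDAP result 68, the code samldb returned to dbcheck above."""


class UnwillingToPerform(Exception):
    """Stands in for LDAP result 53: primaryGroupID change without prior membership."""


class Directory:
    def __init__(self):
        self.users = {}   # name -> {"sid": str, "primaryGroupID": int}
        self.groups = {}  # name -> {"rid": int, "member": set of user names}

    def add_group(self, name, rid):
        self.groups[name] = {"rid": rid, "member": set()}

    def add_user(self, name, rid, primary_rid=DOMAIN_USERS_RID):
        # A new user is in its primary group only implicitly: no member link is written.
        self.users[name] = {"sid": f"{DOMAIN_SID}-{rid}", "primaryGroupID": primary_rid}

    def group_by_rid(self, rid):
        return next(n for n, g in self.groups.items() if g["rid"] == rid)

    def add_member(self, group, user):
        """Explicit member link; refused when it would duplicate the implicit one."""
        g = self.groups[group]
        if self.users[user]["primaryGroupID"] == g["rid"]:
            raise EntryAlreadyExists(
                f"samldb: member {user} already set via primaryGroupID {g['rid']}")
        if user in g["member"]:
            raise EntryAlreadyExists(f"{user} is already an explicit member of {group}")
        g["member"].add(user)

    def set_primary_group(self, user, group):
        """Supported primaryGroupID change: the user must already be an explicit
        member of the new group; that link is removed (it becomes implicit) and
        an explicit link is written into the old primary group instead."""
        new = self.groups[group]
        if user not in new["member"]:
            raise UnwillingToPerform(f"{user} must be a member of {group} first")
        old = self.groups[self.group_by_rid(self.users[user]["primaryGroupID"])]
        new["member"].remove(user)
        old["member"].add(user)
        self.users[user]["primaryGroupID"] = new["rid"]

    def effective_members(self, group):
        """What a client sees: explicit links plus users whose primaryGroupID matches."""
        g = self.groups[group]
        implicit = {u for u, a in self.users.items() if a["primaryGroupID"] == g["rid"]}
        return sorted(g["member"] | implicit)

    def conflicting_links(self, group):
        """Explicit links that duplicate an implicit membership: the state in which
        rewriting the link fails with 'already set via primaryGroupID'."""
        g = self.groups[group]
        return sorted(u for u in g["member"] if self.users[u]["primaryGroupID"] == g["rid"])

    def drop_conflicting_links(self, group):
        """Repair: the implicit membership already covers these users, so the
        duplicate explicit links can go without changing effective membership."""
        bad = self.conflicting_links(group)
        self.groups[group]["member"].difference_update(bad)
        return bad


def scenario():
    """Walk through the states; returns them so they can be checked."""
    d = Directory()
    d.add_group("Domain Users", DOMAIN_USERS_RID)
    d.add_group("Duo Users", 1105)   # constructed group for the 2FA users
    d.add_user("fabio", 1126)        # constructed RID

    # 1. Adding a user to its own primary group is refused (result 68).
    try:
        d.add_member("Domain Users", "fabio")
        rejected = False
    except EntryAlreadyExists:
        rejected = True

    # 2. The supported change leaves an explicit link behind in Domain Users.
    d.add_member("Duo Users", "fabio")
    d.set_primary_group("fabio", "Duo Users")
    after_change = {
        "primaryGroupID": d.users["fabio"]["primaryGroupID"],
        "domain_users_explicit": sorted(d.groups["Domain Users"]["member"]),
        "duo_users_explicit": sorted(d.groups["Duo Users"]["member"]),
        "duo_users_effective": d.effective_members("Duo Users"),
    }

    # 3. A raw write of primaryGroupID=513 that skips the link maintenance
    #    (simulated here by poking the attribute directly) produces the
    #    duplicate that cannot be rewritten as a member link.
    d.users["fabio"]["primaryGroupID"] = DOMAIN_USERS_RID
    conflicts = d.conflicting_links("Domain Users")
    removed = d.drop_conflicting_links("Domain Users")

    return {
        "rejected": rejected,
        "after_change": after_change,
        "conflicts": conflicts,
        "removed": removed,
        "domain_users_after_repair": d.effective_members("Domain Users"),
        "explicit_after_repair": sorted(d.groups["Domain Users"]["member"]),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model only reproduces the membership bookkeeping; it says nothing about how the OP's directory got into the duplicated state, and on a real Samba DC any cleanup of `member` links on "Domain Users" should be checked against `samba-tool dbcheck` on a backup copy first rather than applied from a script like this one.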