Re: [Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join






On 10/02/2018 05:21 PM, Fabio Fantoni via samba wrote:
I updated both the linux domain controllers to samba 4.8.5, changed the hostname of server I tried to add as dc but same error:

samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
Finding a writeable DC for domain 'm2r.local'
Found DC DUO-ADD-DC.m2r.local
Password for [WORKGROUP\administrator]:
workgroup is M2R
realm is m2r.local
Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
Adding CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Adding CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Join failed - cleaning up
Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
Deleted CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
Deleted CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
 ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, in join_add_objects
    ctx.samdb.modify(m)


d7npdc have all roles:

samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local

DUO-ADD-DC.m2r.local is an additional DC (w2008r2) added recently; d7npdc was at samba 4.5 at the time of the windows dc join.

We have been experiencing a similar (same?) problem when joining samba4 DCs to windows (2008 r2) ones, see this thread for more details: https://lists.samba.org/archive/samba-technical/2018-June/128672.html

As far as I understand the problem is caused by 3 factors:

1) samba-tool prefers to pick a windows DC to perform the join
2) when joining as a DC samba-tool tries to modify the application directory partition (presumably describing DNS zone) via LDAP (as opposed to DRS RPC)
3) windows strictly obeys FSMO roles and returns an error (or rather a referral) if  (to a DC holding `Domain naming master` FSMO role)

To solve the problem one can instruct samba-tool to talk with a DC holding the `Domain naming master` FSMO role (d7npdc in your example), something like this:

samba-tool domain join m2r.local DC --server=D7NPDC.m2r.local -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

Or apply a patch which does this automatically (attached), and (if you feel lucky) convince samba developers
to merge it (so people won't face this problem over and over again).



From d57dfdebb060a41ad9d5f1d550caabe085981260 Mon Sep 17 00:00:00 2001
From: Alexey Sheplyakov <asheplyakov@xxxxxxxxxxxx>
Date: Fri, 14 Sep 2018 16:43:26 +0400
Subject: [PATCH] join.py: automatically connect to domain naming master

This avoids failures due to Windows DC having no domain naming
master FSMO role refusing to update directory partitions:

Finding a writable DC for domain 'domain.alt'
Found DC DCW.domain.alt
workgroup is DOMAIN
realm is domain.alt
Adding CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Join failed - cleaning up
Deleted CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Deleted CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
    ref 1: 'a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt'
> <ldap://a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt>
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1175, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 643, in join_add_objects
    ctx.samdb.modify(m)
---
 python/samba/join.py | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/python/samba/join.py b/python/samba/join.py
index 9782f53..072e4c4 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -198,6 +198,10 @@ class dc_join(object):
         # Do not normally register 127. addresses but allow override for selftest
         ctx.force_all_ips = False
 
+        if server is None:
+            # only domain naming master can create application directory partitions
+            ctx.reconnect_to_naming_master()
+
     def del_noerror(ctx, dn, recursive=False):
         if recursive:
             try:
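Review bot: the new `ctx.reconnect_to_naming_master()` call runs inside `dc_join.__init__`, so it depends on `ctx.samdb`, `ctx.creds`, `ctx.lp` and `ctx.logger` already having been assigned at line ~198; the hunk does not show those assignments, so please confirm the call is placed after them. The condition `server is None` also means every join that goes through `dc_join` without an explicit `--server` (RODC joins included, which may never need to create a partition) will now fail in the constructor if the naming master is unreachable, even when the DC picked by `find_dc` would have served. Consider narrowing the condition to the DC join path, or catching the reconnect failure and keeping the original connection with a logged warning.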
@@ -332,6 +336,19 @@ class dc_join(object):
         ctx.promote_from_dn = res[0].dn
 
 
+    def reconnect_to_naming_master(ctx):
+        ctx.naming_master = ctx.get_naming_master()
+        if ctx.naming_master != ctx.server:
+            ctx.logger.info("Reconnecting to naming master %s" % ctx.naming_master)
+            ctx.server = ctx.naming_master
+            ctx.samdb = SamDB(url="ldap://%s"; % ctx.server,
+                    session_info=system_session(),
+                    credentials=ctx.creds, lp=ctx.lp)
+            res = ctx.samdb.search(base="", scope=ldb.SCOPE_BASE, attrs=['dnsHostName'], controls=[])
+            ctx.server = res[0]["dnsHostName"][0]
+            ctx.logger.info("DNS name of new naming master is %s" % ctx.server)
+
+
     def find_dc(ctx, domain):
         """find a writeable DC for the given domain"""
         try:
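Review bot: `reconnect_to_naming_master()` throws away the working `ctx.samdb` and propagates any exception from `SamDB(...)` or the base search with no fallback, so a transient failure reaching the naming master turns into a hard join failure; a docstring like the one on `find_dc` and a try/except that logs and keeps the existing connection would help. Note also that `ctx.server = res[0]["dnsHostName"][0]` takes the first attribute value, whereas the inline code this replaces in `join_subdomain` assigned `res[0]["dnsHostName"]` without `[0]`; that is a deliberate correction and deserves a sentence in the commit message. Finally, the `;` in `url="ldap://%s"; % ctx.server` appears identically in the removed lines of the third hunk, so it is presumably an archive artefact rather than part of the patch, but please verify the posted patch applies and parses as intended.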
@@ -1522,17 +1539,7 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
     ctx.parent_partition_dn = ctx.get_parent_partition_dn()
     ctx.dnsdomain = dnsdomain
     ctx.partition_dn = "CN=%s,CN=Partitions,%s" % (ctx.domain_name, ctx.config_dn)
-    ctx.naming_master = ctx.get_naming_master()
-    if ctx.naming_master != ctx.server:
-        logger.info("Reconnecting to naming master %s" % ctx.naming_master)
-        ctx.server = ctx.naming_master
-        ctx.samdb = SamDB(url="ldap://%s"; % ctx.server,
-                          session_info=system_session(),
-                          credentials=ctx.creds, lp=ctx.lp)
-        res = ctx.samdb.search(base="", scope=ldb.SCOPE_BASE, attrs=['dnsHostName'],
-                               controls=[])
-        ctx.server = res[0]["dnsHostName"]
-        logger.info("DNS name of new naming master is %s" % ctx.server)
+    ctx.reconnect_to_naming_master()
 
     ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
     ctx.forestsid = ctx.domsid
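Review bot: with the first hunk applied, `join_subdomain` now reconnects to the naming master twice when `server is None`, once in `dc_join.__init__` and once here. The second call is a no-op only if `get_naming_master()` returns the name in the same form as the `dnsHostName` value the helper stores in `ctx.server`; if the forms differ, the comparison `ctx.naming_master != ctx.server` stays true and the join opens a third connection. Also, the replaced lines logged via the `logger` parameter of `join_subdomain`, while the helper logs via `ctx.logger`; confirm they are the same object so the "Reconnecting to naming master" messages do not go missing when a caller passes its own logger.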
-- 
2.10.2
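A pre-flight check for the workaround described in this message, written as an added example (it is not code from the thread or from Samba): it parses the `samba-tool fsmo show` output quoted above to find the owner of `DomainNamingMasterRole`, recognises the `LDAP error 10 LDAP_REFERRAL` failure text and extracts the `<DSA GUID>._msdcs.<realm>` name the referral points at (a CNAME for the DC that does hold the role), and builds the join command with an explicit `--server=` whenever the DC samba-tool would otherwise pick is not the naming master. The sample strings are constructed from the thread's own output; the function names are my own and assume the NTDS Settings DN carries no escaped commas.

```python
import re

# Constructed sample, assembled from the `samba-tool fsmo show` lines quoted in the
# thread (every role is held by D7NPDC).
NTDS_DN = ("CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=m2r,DC=local")
FSMO_SHOW_OUTPUT = "\n".join("%s owner: %s" % (role, NTDS_DN) for role in [
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole", "DomainDnsZonesMasterRole",
    "ForestDnsZonesMasterRole"])

# Constructed sample: the error samba-tool printed in the thread when the join was
# directed at a DC that does not hold the domain naming master role.
REFERRAL_STDERR = """\
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
 ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
"""

ROLE_RE = re.compile(r"^(\w+Role) owner: (CN=NTDS Settings,.+)$")
# The referral names the DSA GUID of the DC that can perform the write, as a
# <guid>._msdcs.<realm> CNAME (hypothetical regex, matched against the text above).
REFERRAL_RE = re.compile(
    r"LDAP error 10 LDAP_REFERRAL.*?ref \d+: '([0-9a-fA-F-]{36}\._msdcs\.[^']+)'", re.S)


def parse_fsmo_show(text):
    """Map each FSMO role name to the NTDS Settings DN of the DC that owns it."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            roles[m.group(1)] = m.group(2)
    return roles


def server_from_ntds_dn(dn):
    """'CN=NTDS Settings,CN=<server>,CN=Servers,...' -> '<server>'.
    Assumes the server RDN contains no escaped commas (true for AD host names)."""
    rdns = dn.split(",")
    if (len(rdns) < 3 or rdns[0] != "CN=NTDS Settings"
            or not rdns[1].startswith("CN=") or rdns[2] != "CN=Servers"):
        raise ValueError("not an NTDS Settings DN: %r" % dn)
    return rdns[1][len("CN="):]


def naming_master_fqdn(fsmo_text, realm):
    """FQDN (lower-cased) of the DC holding DomainNamingMasterRole."""
    roles = parse_fsmo_show(fsmo_text)
    if "DomainNamingMasterRole" not in roles:
        raise ValueError("DomainNamingMasterRole missing from fsmo show output")
    return "%s.%s" % (server_from_ntds_dn(roles["DomainNamingMasterRole"]).lower(),
                      realm.lower())


def referral_target(stderr):
    """If stderr is the LDAP_REFERRAL join failure, return the '<DSA GUID>._msdcs.<realm>'
    name it refers to (resolve its CNAME to see which DC it is); otherwise None."""
    m = REFERRAL_RE.search(stderr)
    return m.group(1) if m else None


def join_command(fsmo_text, realm, found_dc, user="administrator"):
    """Build the `samba-tool domain join` argv, adding --server= only when the DC that
    samba-tool found (found_dc) is not the naming master."""
    master = naming_master_fqdn(fsmo_text, realm)
    cmd = ["samba-tool", "domain", "join", realm, "DC"]
    if found_dc.lower() != master:
        cmd.append("--server=%s" % master)
    cmd += ["-U%s" % user, "--realm=%s" % realm, "--dns-backend=SAMBA_INTERNAL",
            "--option=idmap_ldb:use rfc2307 = yes"]
    return cmd


if __name__ == "__main__":
    print("naming master: %s" % naming_master_fqdn(FSMO_SHOW_OUTPUT, "m2r.local"))
    print("referral points at: %s" % referral_target(REFERRAL_STDERR))
    print(" ".join(join_command(FSMO_SHOW_OUTPUT, "m2r.local", "DUO-ADD-DC.m2r.local")))
```

In practice `FSMO_SHOW_OUTPUT` would be the captured stdout of `samba-tool fsmo show` run on an existing DC and `found_dc` the "Found DC ..." host from the failed attempt; the `_msdcs` name returned by `referral_target` can be resolved with the domain's DNS to confirm it is the same host that `naming_master_fqdn` names, which is the check that distinguishes this referral from an unrelated LDAP failure.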

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba