
Re: [Samba] Samba 4.3.11 join an existing windows AD failed with timeout




Thanks. It is an internal network. We opened up the firewall, and the Windows DC is working well.

We have two Windows DCs now: one PDC, another BDC. We are moving to Linux, so we would like to add this Linux server as a BDC and demote the current Windows BDC, and have a test. If all is good, we will migrate totally. But now we cannot make it work.
Is there any other place I should check to make it work?

Thanks,

Ming. 
-----Original Message-----
From: Andrew Bartlett <abartlet@xxxxxxxxx> 
Sent: Tuesday, October 16, 2018 1:46 PM
To: Ming Li <Ming.Li@xxxxxxxxx>; samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Samba 4.3.11 join an existing windows AD failed with timeout

On Tue, 2018-10-16 at 18:16 +0000, Ming Li via samba wrote:
> Hello,
>
> I built a DNS and AD in Windows 2012 as PDC, and would like to set up a BDC in Linux. I followed this link https://www.server-world.info/en/note?os=Ubuntu_18.04&p=samba&f=7 . But got the error below. Any ideas would be appreciated.
>
> $ samba-tool domain join xxx.com DC -U "xxx\administrator" --dns-backend=SAMBA_INTERNAL
>
> Finding a writeable DC for domain 'xxx.com'
> Found DC DCPR1.xxx.com
> Password for [XXX\administrator]:
> workgroup is XXX
> realm is xxx.com
> checking sAMAccountName
> Adding CN=UBUNTUBDC,OU=Domain Controllers,DC=xxx,DC=com
> Adding CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
> Adding CN=NTDS Settings,CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=UBUNTUBDC,OU=Domain Controllers,DC=xxx,DC=com
> Deleted CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
> ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 621, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1170, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1073, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 562, in join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 495, in join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 432, in DsAddEntry
>     (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)

I would check you have firewall access to the high DCE/RPC port used for DRSUAPI, and that your Windows server is happy in general.

Is there a specific reason you are adding this additional DC?  I suspect the domain isn't working correctly already.

Finally, I would note that long-term windows/samba domains are supported, but rare.  I would encourage a full migration if you intend this to be in production long-term.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
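
One way to run the firewall check suggested above from the Linux host, as an added example that is not part of the thread or of Samba: it asks the DC's endpoint mapper on TCP 135 which port DRSUAPI is listening on, then tests that port, separating a silent drop (a timeout, as in the failed join) from a refusal. The function names are hypothetical, and the endpoint-mapper lookup assumes the third-party impacket package is installed.

```python
import re
import socket

# DRSUAPI interface UUID and version, as registered with the endpoint mapper
DRSUAPI_UUID = ("e3514235-4b06-11d1-ab04-00c04fc2dcd2", "4.0")

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' (host answered, nothing listening),
    'filtered' (no answer before the timeout) or 'error'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()

def binding_port(binding):
    """Extract the TCP port from a string binding such as 'ncacn_ip_tcp:dc[49667]'."""
    m = re.fullmatch(r"ncacn_ip_tcp:[^\[\]]+\[(\d+)\]", binding)
    if not m or not 0 < int(m.group(1)) < 65536:
        raise ValueError("not an ncacn_ip_tcp binding: %r" % binding)
    return int(m.group(1))

def drsuapi_binding(dc):
    """Ask the endpoint mapper where DRSUAPI listens (assumption: impacket installed)."""
    from impacket.dcerpc.v5 import epm
    from impacket.uuid import uuidtup_to_bin
    return epm.hept_map(dc, uuidtup_to_bin(DRSUAPI_UUID), protocol="ncacn_ip_tcp")

def check_dc(dc, timeout=3.0):
    """Probe TCP 135, then the dynamic port the DC reports for DRSUAPI."""
    results = {135: probe(dc, 135, timeout)}
    if results[135] == "open":
        port = binding_port(drsuapi_binding(dc))
        results[port] = probe(dc, port, timeout)
    return results

if __name__ == "__main__":
    import sys
    for port, state in check_dc(sys.argv[1]).items():
        print("tcp/%d: %s" % (port, state))
```

Run it with the DC's hostname as the only argument; `filtered` on the high port while 135 is `open` points at a firewall between the two hosts dropping the dynamic RPC range.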

