
Re: [Samba] Domain join issues - 4.9.0




On Tue, 13 Nov 2018 20:55:08 +0000
Jonathan Hunter via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> After a recent hardware failure where I did not have a working backup,
> I am trying to re-create one of my DCs (DC1). This is a Samba 4.9.0
> environment throughout. I have DC1 (the one that is hopefully being
> re-joined), but also DC2, DC3 and DC4 which are still present, and
> these have not experienced issues.
> 
> After running the following:
> $ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite
> --server=dc3
> all seems well, until:
> [...]
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
> [... and also ...]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=org] objects[99/99] linked_values[28/28]
> Partition[DC=mydomain,DC=org] objects[501/886] linked_values[0/61]
> Partition[DC=mydomain,DC=org] objects[903/886] linked_values[0/718]
> ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> index on servicePrincipalName, duplicate of objectGUID
> 00000000-1111-2222-3333-444444444444 in
> @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> [lots of these]
> 
> Should I be worried by either of these two messages? (unable to
> determine DomainSID, and the multiple duplicate attribute values)?
> 
> The domain has been in existence for a while, and has been upgraded
> from 4.0.0 right up to 4.9.0 where it is today, so there might be
> something in the database that isn't quite right.. I have tried
> targeting a couple of different DCs for the domain join, with the
> same result so far.
> 
> Samba does seem to run on DC1 after it is joined to the domain, but
> I'm not sure it's working properly.. my test script for freeradius
> (which I run on each DC) fails on DC1.
> 
> Any pointers/advice would be appreciated, as always!
> 
> Thanks :)
> 
> Jonathan
> 

I think you may be running into this bug:

https://bugzilla.samba.org/show_bug.cgi?id=8929

You may have duplicate SPNs, e.g. one 'HOST/somePC' and another
'host/somepc'

Also there were several problems with 4.9.0, so I would rapidly upgrade
to 4.9.2

Rowland
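
One way to look for the case-variant duplicate SPNs suggested in the reply above, as an added example that is not part of the original thread or Samba's own code. It assumes the directory's servicePrincipalName values are available as LDIF text (for instance an ldbsearch dump); the sample data and the function names `parse_spns` and `find_spn_collisions` are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread's domain): two objects whose
# SPNs differ only by case, plus one unrelated object.
SAMPLE_LDIF = """\
dn: CN=somePC,OU=Computers,DC=example,DC=test
servicePrincipalName: HOST/somePC
servicePrincipalName: RestrictedKrbHost/somePC

dn: CN=oldPC,OU=Computers,DC=example,DC=test
servicePrincipalName: host/somepc
servicePrincipalName:: UmVzdHJpY3RlZEtyYkhvc3QvU09NRVBD

dn: CN=other,OU=Computers,DC=example,DC=test
servicePrincipalName: HOST/other
"""

def parse_spns(ldif):
    """Yield (dn, spn) pairs from LDIF text, handling folding and base64."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation line
        else:
            lines.append(raw)
    dn = None
    for line in (l for l in lines if not l.startswith("#")):
        name, sep, value = line.partition(":")
        if not sep:
            dn = None if not line.strip() else dn   # blank line ends a record
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "serviceprincipalname" and dn:
            yield dn, value

def find_spn_collisions(ldif):
    """Map casefolded SPN -> sorted [(dn, spn)] held by >1 object or spelling."""
    groups = defaultdict(set)
    for dn, spn in parse_spns(ldif):
        groups[spn.casefold()].add((dn, spn))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for key, holders in sorted(find_spn_collisions(SAMPLE_LDIF).items()):
        print(key, "->", holders)
```

Each reported group lists the objects and exact spellings that fold to the same SPN, which are the candidates to review before retrying the join.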

