Re: [Samba] error with joining new DC to domain




Actually, I noticed the same problem and already fixed it in master
(commit 26dd30d6d3e677ce). When you specify --server in the join
command, it doesn't automatically detect the site it should join, but it
does without the --server option. This will be fixed in Samba v4.10. In
the meantime, you can work around the problem by specifying
--site=Obel-und-Partner in the join command.

>> updating these 4.7-DCs  to 4.9.3 and all begins again.. no replication, no authentication...

This sounds like a different problem? Could you provide more details?

On 13/12/18 9:23 AM, peter grotz via samba wrote:
> may I extend the issue with some strange behaviour? Look here:
>
> installing the sernet 4.7 as mentioned above I can't join the domain in a regular way. ONLY it works when I asked BOTH of the working DCs with 4.9.3 before I try without explicit naming of a server... ^^
> Follow me here:
>
> [root@dc-02 etc]# samba-tool domain join obel.lan DC -U"OBEL\administrator" --realm=obel.lan --server=dc-10
> Password for [OBEL\administrator]:
> workgroup is OBEL
> realm is obel.lan
> Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> Adding CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Join failed - cleaning up
> Deleted CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan, parent does not exist!> <>
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 631, in join_add_objects
>     ctx.samdb.add(rec)
>
>
> Then:
>
> [root@dc-02 etc]# samba-tool domain join obel.lan DC -U"OBEL\administrator" --realm=obel.lan --server=dc-11
> Password for [OBEL\administrator]:
> workgroup is OBEL
> realm is obel.lan
> Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> Adding CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Join failed - cleaning up
> Deleted CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan, parent does not exist!> <>
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python2.6/site-packages/samba/join.py", line 631, in join_add_objects
>     ctx.samdb.add(rec)
>
>
> at last:
>
> [root@dc-02 etc]# samba-tool domain join obel.lan DC -Uadministrator --realm=obel.lan
> Finding a writeable DC for domain 'obel.lan'
> Found DC dc-10.obel.lan
> Password for [OBEL\administrator]:
> workgroup is OBEL
> realm is obel.lan
> Deleted CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> Adding CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Adding CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Adding SPNs to CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
> Setting account password for DC-02$
> Enabling account
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> Provision OK for domain DN DC=obel,DC=lan
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1690] linked_values[0/0]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1690] linked_values[0/0]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1690] linked_values[0/0]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1690] linked_values[0/1]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[1690/1690] linked_values[82/82]
> Replicating critical objects from the base DN of the domain
> Partition[DC=obel,DC=lan] objects[100/100] linked_values[34/34]
> Partition[DC=obel,DC=lan] objects[503/710] linked_values[0/24]
> Partition[DC=obel,DC=lan] objects[810/710] linked_values[585/585]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=obel,DC=lan
> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[236/236] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=obel,DC=lan
> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[43/43] linked_values[0/0]
> WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan (the server we joined) is not the RID Master.
> NOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.
> Committing SAM database
> Adding 1 remote DNS records for DC-02.obel.lan
> Adding DNS A record DC-02.obel.lan for IPv4 IP: 192.168.1.100
> Adding DNS CNAME record 6fbd7b7e-4d48-45df-a966-a4bebaa0ac5e._msdcs.obel.lan for DC-02.obel.lan
> All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
> Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2] linked_values[0/0]
> Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2] linked_values[0/0]
> Sending DsReplicaUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660) as a DC
>
> WTF?????
>
> -Peter
>
>
>
>
> On Wednesday, 12 December 2018 at 16:36, you wrote:
>
> RPvs> On Wed, 12 Dec 2018 16:01:52 +0100
> RPvs> "peter.grotz--- via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
>>> Thanks Rowland for your answer. 
>>> these are sernet-packages from their subscription. 
>>> There are 4 DCs (all with last sernet-rpms) 2 are demoted with probs
>>> (dc-01 and dc-02 both centos6) and 2 are running (dc-10 and  dc-11 on
>>> centos 7) 
>>> dc-11 has all  fsmo. joining with the old dc-01 and dc-02 doesn't even
>>> work. 
>>> dc-01 joins but gives me this: 
>>> Deleted
>>> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>>> Adding CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
>>> Adding
>>> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>>> Adding CN=NTDS
>>> Settings,CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>>> Adding SPNs to CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
>>> Setting account password for DC-01$
>>> Enabling account
>>> Calling bare provision
>>> Looking up IPv4 addresses
>>> Looking up IPv6 addresses
>>> No IPv6 address will be assigned
>>> Setting up share.ldb
>>> Setting up secrets.ldb
>>> Setting up the registry
>>> Setting up the privileges database
>>> Setting up idmap db
>>> Setting up SAM db
>>> Setting up sam.ldb partitions and settings
>>> Setting up sam.ldb rootDSE
>>> Pre-loading the Samba 4 and AD schema
>>> Unable to determine the DomainSID, can not enforce uniqueness
>>> constraint on local domainSIDs
>>> A Kerberos configuration suitable for Samba AD has been generated at
>>> /var/lib/samba/private/krb5.conf
>>> Merge the contents of this file with your system krb5.conf or replace
>>> it with this one. Do not create a symlink!
>>> Provision OK for domain DN DC=obel,DC=lan
>>> Starting replication
>>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[402/1550]
>>> linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[804/1550]
>>> linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
>>> objects[1206/1550] linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
>>> objects[1550/1550] linked_values[0/0]
>>> Analyze and apply schema objects
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1646/1646]
>>> linked_values[44/44]
>>> Failed to commit objects: DOS code 0x000021bf
>>> Missing target object - retrying with DRS_GET_TGT
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2048/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2450/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2852/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[3254/1646]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=obel,DC=lan] objects[3292/1646]
>>> linked_values[44/44]
>>> Replicating critical objects from the base DN of the domain
>>> Partition[DC=obel,DC=lan] objects[98/98] linked_values[34/34]
>>> Partition[DC=obel,DC=lan] objects[501/669] linked_values[0/24]
>>> Partition[DC=obel,DC=lan] objects[767/669] linked_values[585/585]
>>> Done with always replicated NC (base, config, schema)
>>> Replicating DC=DomainDnsZones,DC=obel,DC=lan
>>> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[229/229]
>>> linked_values[0/0]
>>> Replicating DC=ForestDnsZones,DC=obel,DC=lan
>>> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[35/35]
>>> linked_values[0/0]
>>> WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan
>>> (the server we joined) is not the RID Master.
>>> NOTE: This is normal and expected, Samba will be able to create users
>>> after it contacts the RID Master at first startup.
>>> Committing SAM database
>>> Adding 1 remote DNS records for DC-01.obel.lan
>>> Adding DNS A record DC-01.obel.lan for IPv4 IP: 192.168.0.101
>>> Adding DNS CNAME record
>>> 96ed5e12-99b8-4f8d-b9bf-f58b9c82eaa5._msdcs.obel.lan for
>>> DC-01.obel.lan All other DNS records (like _ldap SRV records) will be
>>> created samba_dnsupdate on first startup
>>> Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
>>> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2]
>>> linked_values[0/0]
>>> Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
>>> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2]
>>> linked_values[0/0]
>>> Sending DsReplicaUpdateRefs for all the replicated partitions
>>> Setting isSynchronized and dsServiceName
>>> Setting up secrets database
>>> Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660) as
>>> a DC 
>>> Then he joined but is not really working (now drs replication on
>>> samba-tool drs showrepl 
>>> demoting dc-01 brings me the following: 
>>> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
>>> -Uadministrator
>>> Using dc-10 as partner server for the demotion
>>> Password for [OBEL\administrator]:
>>> Deactivating inbound replication
>>> Asking partner server dc-10 to synchronize from us
>>> Error while replicating out last local changes from
>>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
>>> inbound replication
>>> ERROR(<class 'samba.WERRORError'>): Error while sending a
>>> DsReplicaSync for partition
>>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
>>> 'WERR_FILE_NOT_FOUND') File
>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
>>> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
>>> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
>>> -Uadministrator
>>> Using dc-10 as partner server for the demotion
>>> Password for [OBEL\administrator]:
>>> Deactivating inbound replication
>>> Asking partner server dc-10 to synchronize from us
>>> Error while replicating out last local changes from
>>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
>>> inbound replication
>>> ERROR(<class 'samba.WERRORError'>): Error while sending a
>>> DsReplicaSync for partition
>>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
>>> 'WERR_FILE_NOT_FOUND') File
>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
>>> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1) 
>>> Peter
>>> On 12.12.2018 15:53, Rowland Penny via samba wrote:
>>>> On Wed, 12 Dec 2018 15:43:09 +0100
>>>> peter grotz via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>>>
>>>>> I forgot: this is samba 4.9.3 on centos 7
>>>> Where did you get Samba 4.9.3 from ?
>>>>
>>>>> Thanks
>>>>>
>>>>> Hello,
>>>>>
>>>>> I got a problem with adding a new dc to a domain. when I try to
>>>>> join I get the following:
>>>> What are the other DC(s) ?
>>>>
>>>> Rowland
> RPvs> There was a similar thread here:
>
> RPvs> https://lists.samba.org/archive/samba/2018-June/216543.html
>
> RPvs> Rowland
>
>
>
>
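
Added example (not part of the original messages and not Samba project code): a small Python triage helper for the failure quoted in this thread. It reads `samba-tool domain join` output, reports which site container the join tried to use and whether that container was missing, and suggests the `--site` workaround; `diagnose_join`, `known_sites` and `FAILED_JOIN` are hypothetical names, and the sample lines are copied from the thread.

```python
import re

# Constructed sample: lines copied from the failed join quoted in this thread.
FAILED_JOIN = """\
Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
Adding CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan, parent does not exist!> <>
"""

# The server object is created under CN=Servers,CN=<site>,CN=Sites,...
# Assumption: site names contain no escaped commas.
SERVER_DN = re.compile(
    r"^Adding CN=[^,]+,CN=Servers,CN=([^,]+),CN=Sites,", re.M)
MISSING_PARENT = re.compile(
    r"LDAP_NO_SUCH_OBJECT.*Cannot add CN=[^,]+,CN=Servers,CN=([^,]+),"
    r"CN=Sites,.*parent does not exist")


def diagnose_join(output, known_sites=()):
    """Report the site a join attempted and whether its container was missing.

    known_sites is an optional list of site names the admin knows exist in
    the domain; with exactly one candidate, it is offered as the --site value.
    """
    attempted = SERVER_DN.search(output)
    missing = MISSING_PARENT.search(output)
    result = {
        "attempted_site": attempted.group(1) if attempted else None,
        "missing_site": missing.group(1) if missing else None,
        "hint": None,
    }
    if missing:
        candidates = [s for s in known_sites if s != missing.group(1)]
        if len(candidates) == 1:
            result["hint"] = "--site=" + candidates[0]
        else:
            result["hint"] = "--site=<existing site name>"
    return result


if __name__ == "__main__":
    print(diagnose_join(FAILED_JOIN, known_sites=["Obel-und-Partner"]))
```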
