Web lists-archives.com

Re: [Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed




On Mon, 25 Mar 2019 15:12:16 +0100
franta via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi team,
> I have Samba (4.9.5) AD DC, and when trying to add second DC, join
> fail:
> 
> # samba-tool domain join zamecek.home DC
> -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 =
> yes' --dns-backend=BIND9_DLZ Finding a writeable DC for domain
> 'zamecek.home' Found DC dc1.zamecek.home
> Password for [SSUPS-ZAMECEK\administrator]:
> workgroup is SSUPS-ZAMECEK
> realm is zamecek.home
> Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
> Adding 
> CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
> Adding CN=NTDS 
> Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
> Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
> Setting account password for DC2-LYNX$
> Enabling account
> Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with
> dns/ SPN
> Setting account password for dns-DC2-LYNX
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
> 
> A Kerberos configuration suitable for Samba AD has been generated at 
> /var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace
> it with this one. Do not create a symlink!
> Provision OK for domain DN DC=zamecek,DC=home
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1628/1628] 
> linked_values[42/42]
> Failed to commit objects: DOS code 0x000021bf
> Missing target object - retrying with DRS_GET_TGT
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2030/1628] 
> linked_values[1/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2432/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2834/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[3236/1628] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=zamecek,DC=home] objects[3256/1628] 
> linked_values[41/42]
> Replicating critical objects from the base DN of the domain
> Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
> Partition[DC=zamecek,DC=home] objects[500/700] linked_values[0/22]
> Partition[DC=zamecek,DC=home] objects[798/700] linked_values[653/653]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=zamecek,DC=home
> Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[59/59] 
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=zamecek,DC=home
> Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] 
> linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] 
> linked_values[0]
> Committing SAM database
> Join failed - cleaning up
> Deleted CN=RID Set,CN=DC2-LYNX,OU=Domain
> Controllers,DC=zamecek,DC=home Deleted CN=DC2-LYNX,OU=Domain
> Controllers,DC=zamecek,DC=home Deleted
> CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home Deleted CN=NTDS 
> Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
> Deleted 
> CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
> ERROR(ldb): uncaught exception - descriptor_modify on 
> CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error
> at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
>    File
> "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
> 177, in _run return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 716, in run
>      backend_store=backend_store)
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line
> 1501, in join_DC
>      ctx.do_join()
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line
> 1399, in do_join
>      ctx.join_replicate()
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line
> 1005, in join_replicate
>      ctx.local_samdb.transaction_commit()
> 
> I have no idea, where is problem and how solve it - can anyone help?
> Both systems runs Fedora 29 x86_64 Linux, Samba is builded with
> Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, first DC was
> provisioned with '--use-rfc2307' and BIND9_DLZ (bind-9.11.5) DNS
> backend. Thanks, Franta
> 
> 

You should only build Samba with the Heimdal version supplied with
Samba, you do not need to and shouldn't install Heimdal.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba