Re: [Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On 2019-03-25 16:02, Rowland Penny via samba wrote:
On Mon, 25 Mar 2019 15:12:16 +0100
franta via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi team,
I have Samba (4.9.5) AD DC, and when trying to add second DC, join
fail:

# samba-tool domain join zamecek.home DC -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'zamecek.home'
Found DC dc1.zamecek.home
Password for [SSUPS-ZAMECEK\administrator]:
workgroup is SSUPS-ZAMECEK
realm is zamecek.home
Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Adding CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Setting account password for DC2-LYNX$
Enabling account
Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with dns/ SPN
Setting account password for dns-DC2-LYNX
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace
it with this one. Do not create a symlink!
Provision OK for domain DN DC=zamecek,DC=home
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1628/1628] linked_values[42/42]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2030/1628] linked_values[1/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2432/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2834/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3236/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3256/1628] linked_values[41/42]
Replicating critical objects from the base DN of the domain
Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
Partition[DC=zamecek,DC=home] objects[500/700] linked_values[0/22]
Partition[DC=zamecek,DC=home] objects[798/700] linked_values[653/653]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[59/59] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] linked_values[0]
Committing SAM database
Join failed - cleaning up
Deleted CN=RID Set,CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Deleted CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Deleted CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home
Deleted CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Deleted CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
ERROR(ldb): uncaught exception - descriptor_modify on CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1501, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1399, in do_join
    ctx.join_replicate()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1005, in join_replicate
    ctx.local_samdb.transaction_commit()

I have no idea where the problem is or how to solve it - can anyone help?
Both systems run Fedora 29 x86_64 Linux, Samba is built with
Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, and the first DC was
provisioned with '--use-rfc2307' and the BIND9_DLZ (bind-9.11.5) DNS
backend. Thanks, Franta



You should only build Samba with the Heimdal version supplied with
Samba; you do not need to and shouldn't install Heimdal.

My mistake in the description - I have installed (it seems unnecessarily)
only the heimdal-libs package (no -devel ones), and samba itself is not
linked with it:
# ldd /usr/sbin/samba|grep heim
libheimbase-samba4.so.1 => /usr/lib64/samba/libheimbase-samba4.so.1 (0x00007f911e8da000)

Thus my problem should be something else - but what?
TIA, Franta
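A small triage script for join transcripts like the one above, added here as an example (not part of the thread and not Samba's own tooling): it parses the partition progress, warning, DRS commit error and final ldb error lines into a summary, so the failing step (here descriptor_modify at descriptor.c:819 after the Configuration partition needed a DRS_GET_TGT retry) is not buried in replication progress output. The sample log is constructed from the lines quoted above.

```python
"""Triage a samba-tool 'domain join' transcript: pull partition progress,
warnings, DRS commit errors and the final ldb failure out of the noise."""
import re

# Constructed sample: lines excerpted from the join output quoted above.
SAMPLE_LOG = """\
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1628/1628] linked_values[42/42]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3256/1628] linked_values[41/42]
Partition[DC=zamecek,DC=home] objects[798/700] linked_values[653/653]
Committing SAM database
Join failed - cleaning up
ERROR(ldb): uncaught exception - descriptor_modify on CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
"""

PART_RE = re.compile(r"^Partition\[(?P<nc>[^\]]+)\] objects\[(?P<got>\d+)/(?P<exp>\d+)\]"
                     r" linked_values\[(?P<lv_got>\d+)/(?P<lv_exp>\d+)\]")
DOS_RE = re.compile(r"^Failed to commit objects: DOS code (?P<code>0x[0-9a-fA-F]+)")
LDB_RE = re.compile(r"^ERROR\(ldb\): uncaught exception - (?P<op>\w+) on (?P<dn>.+?)"
                    r" failed: (?P<msg>.+?) at (?P<src>\S+):(?P<line>\d+)$")
WARN_PREFIXES = ("Unable to determine", "Missing target object")

def triage(log):
    """Summarise a join transcript: last progress per naming context,
    DOS codes of failed DRS commits, warnings, and the fatal ldb error."""
    partitions, commit_errors, warnings, fatal = {}, [], [], None
    for line in log.splitlines():
        m = PART_RE.match(line)
        if m:  # keep only the last progress line seen for each NC
            partitions[m["nc"]] = {k: int(m[k]) for k in ("got", "exp", "lv_got", "lv_exp")}
        elif (m := DOS_RE.match(line)):
            commit_errors.append(int(m["code"], 16))  # DOS/Win32 error code as int
        elif line.startswith(WARN_PREFIXES):
            warnings.append(line)
        elif (m := LDB_RE.match(line)):
            fatal = {"op": m["op"], "dn": m["dn"], "msg": m["msg"],
                     "src": m["src"], "line": int(m["line"])}
    return {"partitions": partitions, "commit_errors": commit_errors,
            "warnings": warnings, "fatal": fatal}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for nc, p in r["partitions"].items():
        print("%-45s objects %d/%d" % (nc, p["got"], p["exp"]))
    print("commit errors:", [hex(c) for c in r["commit_errors"]])
    print("fatal:", r["fatal"])
```

Feed it the full `samba-tool domain join` output (stdin or a saved file) to get the same summary for a real join; the DOS code is reported as-is and is not translated to a symbolic name.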

