Web lists-archives.com

Re: [Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed




On Tue, 26 Mar 2019 05:18:20 +0100
Franta Hanzlík <franta@xxxxxxxxxxx> wrote:

> Hi Tim and Rowland, thanks for Your support!
> I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> versions require Python3), but You are right, here in DB can be
> problem
>  - first Samba AD DC was created by migrating Samba3 NT4 domain to
> Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...',
> according to Samba Wiki):
> 
> [root@dc1 samba]# samba-tool dbcheck
> Checking 701 objects
> NOTE: old (due to rename or delete) DN string component for
> lastKnownParent in object CN=RID
> Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> Controllers,DC=zamecek,DC=home Not fixing old string component 

You can ignore lines like that, the '\0ADEL' means it is a deleted
object and will eventually go away.


> > 2. Try dumping the object it's failing on, just to see if there's
> > anything odd with the objectClass attributes. E.g.
> > ldbsearch -H ldap://$SERVER -b
> > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'  
> 
> [root@dc1 samba]# ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> '(CN=Administrator)' 

Do not touch the files found under 'sam.ldb.d', use the 'sam'ldb' file
instead, or use the 'ldbsearch' as shown, not that it would work for
what you require, it should have been something like this:

ldbsearch -H ldap://dc4 -UAdministrator -b
'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base
nTSecurityDescriptor

Which (after you enter Administrator's password)) should produce
something like this:

# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)


> unicodePwd::

I would change Administrators password, you have given it to the
world ;-)

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba