Re: [Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed

On Wed, 27 Mar 2019 09:36:55 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Wed, 27 Mar 2019 09:01:39 +0000
> Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > On Wed, 27 Mar 2019 09:45:18 +0100
> > "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >   
> > > Hai, 
> > > 
> > > 
> > > I don't think anyone noticed this.. 
> > > 
> > > ldbsearch -H ldap://dc4 -UAdministrator 
> > > ldbsearch -H ldap://dc1 -U Administrator 
> > > 
> > > So what's the difference when you see this response to the command: 
> > >  Invalid option -U: unknown ... 
> > > 
> > > The " " between -U Admin... 
> > > Try again without the space or use --user=Administrator 
> > > 
> > > 
> > > Greetz, 
> > > 
> > > Louis  
> > 
> > The space doesn't make any difference: '-U Administrator' or
> > '-UAdministrator' both work, as do '-U administrator' or
> > '-Uadministrator'.
> > 
> > I just wonder where '-U' went?
> > 
> > Rowland
> >   
> I have been looking at the 'Administrator' object that the OP posted.
> The failure in his original post was this:
> ERROR(ldb): uncaught exception - descriptor_modify on
> CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error
> at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
> lines 816 - 820 in descriptor.c are these:
> 	objectclass = dsdb_get_last_structural_class(schema,
> 						     objectclass_element);
> 	if (objectclass == NULL) {
> 		return ldb_operr(ldb);
> 	}
> So it looks (to me anyway) like it is looking for the objectclass
> for 'nTSecurityDescriptor' and trying to match it to the last
> objectclass found in the list:
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: posixAccount
> I may be barking up the wrong tree here, but I would remove all the
> rfc2307 attributes and objectclass from 'Administrator':
> objectClass: posixAccount
> gidNumber: 1103
> uidNumber: 0
> loginShell: /bin/bash
> unixHomeDirectory: /root
> They are definitely not required and could be causing the problem.

I removed these attributes (via
LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbedit -e joe  -H /var/lib/samba/private/sam.ldb -s sub '(CN=Administrator)').
I also deleted some orphaned/abandoned SSS entries from /etc/nsswitch (Fedora
is installed with sssd support by default, and it seems that even when the system
is switched to winbind, some sss stuff remains there - concretely:
shadow:     files sss
services:   files sss
netgroup:   sss
automount:  files sss
). This caused a problem when I tried to join another Samba machine (fileserver)
into the domain; these SSS parts caused DNS errors such as:

[root@lynx samba]# net ads join -U Administrator
Using short domain name -- SSUPS-ZAMECEK
Joined 'LYNX' to dns domain 'zamecek.home'
DNS Update for lynx.zamecek.home failed: ERROR_DNS_INVALID_MESSAGE

[root@lynx samba]# net ads join -U Administrator
Using short domain name -- SSUPS-ZAMECEK
Joined 'LYNX' to dns domain 'zamecek.home'
DNS Update for lynx.zamecek.home failed: ERROR_DNS_GSS_ERROR

and after removing them, all was OK.

And joining the second DC now finally seems to be good too:

[root@dc2-lynx etc]# samba-tool domain join zamecek.home DC -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'zamecek.home'
Found DC dc1.zamecek.home
Password for [SSUPS-ZAMECEK\administrator]:
workgroup is SSUPS-ZAMECEK
realm is zamecek.home
Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Adding CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Setting account password for DC2-LYNX$
Enabling account
Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with dns/ SPN
Setting account password for dns-DC2-LYNX
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=zamecek,DC=home
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1632/1632] linked_values[46/46]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2034/1632] linked_values[1/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2436/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2838/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3240/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3264/1632] linked_values[45/46]
Replicating critical objects from the base DN of the domain
Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
Partition[DC=zamecek,DC=home] objects[500/711] linked_values[0/22]
Partition[DC=zamecek,DC=home] objects[809/711] linked_values[657/657]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[60/60] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DC2-LYNX.zamecek.home
Adding DNS A record DC2-LYNX.zamecek.home for IPv4 IP:
Adding DNS CNAME record c23dcb8b-6817-4576-9acd-e9b9f7d9fdcd._msdcs.zamecek.home for DC2-LYNX.zamecek.home
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[2/2] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[2/2] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Joined domain SSUPS-ZAMECEK (SID S-1-5-21-9998-9997-9996) as a DC

Many, many thanks for your valuable help!
Franta Hanzlik
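As an added example (not code from the Samba project or from anyone in this thread), the following script models the two checks the thread turns on: picking the last structural objectClass of an entry, which is the lookup descriptor.c returns an operations error for when it finds nothing, and listing the rfc2307 leftovers on the entry together with any 'sss' sources still present in nsswitch.conf once winbind is the NSS provider. The class map (SCHEMA, with its category and order values), the RFC2307_ATTRS set, the LDIF text and the nsswitch.conf fragment are all constructed here for illustration; the function names are mine, not Samba's.

```python
"""Pre-join sanity checks modelled on the Samba thread above (added example,
not Samba project code). Two checks:
  1. find the last structural objectClass of a user entry, the lookup that
     descriptor.c returns an operations error for when it yields nothing;
  2. list rfc2307 leftovers on the entry and stale 'sss' NSS sources.
The schema map, LDIF text and nsswitch.conf lines are constructed inline."""

from __future__ import annotations

# Constructed, simplified class map (an assumption for illustration, not a
# schema dump). objectClassCategory follows the AD convention:
# 1 = structural, 2 = abstract, 3 = auxiliary. 'order' stands in for depth in
# the subClassOf chain so that the most derived structural class wins.
SCHEMA = {
    "top": {"category": 2, "order": 0},
    "person": {"category": 1, "order": 1},
    "organizationalPerson": {"category": 1, "order": 2},
    "user": {"category": 1, "order": 3},
    "computer": {"category": 1, "order": 4},
    "posixAccount": {"category": 3, "order": 1},
}

# rfc2307 attributes named in the thread, plus gecos (lower-cased for
# case-insensitive matching, as LDAP attribute names are).
RFC2307_ATTRS = {"uidnumber", "gidnumber", "loginshell", "unixhomedirectory", "gecos"}


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry: 'attr: value' lines, repeated
    attributes collected in order, comments and blank lines ignored."""
    entry: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def last_structural_class(object_classes: list[str], schema=SCHEMA) -> str | None:
    """Return the most derived structural class, or None when the list holds
    no structural class at all (unknown and auxiliary classes are skipped)."""
    best = None
    for name in object_classes:
        info = schema.get(name)
        if info is None or info["category"] != 1:
            continue
        if best is None or info["order"] > schema[best]["order"]:
            best = name
    return best


def rfc2307_leftovers(entry: dict[str, list[str]]) -> list[str]:
    """Names of rfc2307 attributes present on the entry, plus a marker when
    the auxiliary posixAccount class is still attached."""
    found = sorted(a for a in entry if a.lower() in RFC2307_ATTRS)
    if "posixAccount" in entry.get("objectClass", []):
        found.append("objectClass=posixAccount")
    return found


def stale_sss_sources(nsswitch_text: str) -> list[str]:
    """Databases in nsswitch.conf that still list 'sss' as a source."""
    stale = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "sss" in sources.split():
            stale.append(db.strip())
    return stale


# Constructed sample input: the Administrator entry as described in the thread.
SAMPLE_ENTRY = """
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root
"""

# Constructed sample nsswitch.conf fragment: the leftover lines from the
# thread plus winbind-backed passwd and group lines.
SAMPLE_NSSWITCH = """
passwd:     files winbind
group:      files winbind
shadow:     files sss
services:   files sss
netgroup:   sss
automount:  files sss
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    print("last structural class:", last_structural_class(entry["objectClass"]))
    print("rfc2307 leftovers:", rfc2307_leftovers(entry))
    print("nsswitch databases still using sss:", stale_sss_sources(SAMPLE_NSSWITCH))
```

With the constructed class map the Administrator entry still resolves to 'user' as its structural class, so the script is a way to see which rfc2307 attributes and NSS sources remain before a join rather than a reproduction of the descriptor.c failure itself; the None return shows what the module's error path corresponds to when no structural class can be found at all.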
