[Samba] domain join failure - error during DRS repl ADD: No objectClass found

Rowland Penny rowlandpenny at googlemail.com
Tue Jun 23 08:34:34 MDT 2015


On 23/06/15 15:02, Luke Bigum wrote:
> Hello,
>
> I am trying to join a third domain controller to an existing Samba 4 domain (sernet samba 4.2.1-17.el6.x86_64) and we're hitting a problem that looks like some bad replication data on certain objects. We get part way through replicating the tree and then it dies on a Sudo Rule object:
>
> [root at dc03 ~]# /usr/bin/samba-tool domain join EXAMPLE.COM DC -U Administrator --password=xxxxxxxxxxxx  --dns-backend=BIND9_DLZ
> ...

Hmm, not sure if this will help, but I normally join a DC with this:

samba-tool domain join example.com DC -U Administrator --realm=EXAMPLE.COM --dns-backend=BIND9_DLZ

Rowland


> Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for CN=rule,OU=SUDOers,DC=example,DC=com!
> : Object class violation
> Failed to commit objects: WERR_GENERAL_FAILURE
> Join failed - cleaning up
> checking sAMAccountName
> ...
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 613, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1183, in join_DC
>      ctx.do_join()
>    File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1088, in do_join
>      ctx.join_replicate()
>    File "/usr/lib64/python2.6/site-packages/samba/join.py", line 828, in join_replicate
>      replica_flags=ctx.domain_replica_flags)
>    File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 256, in replicate
>      schema=schema, req_level=req_level, req=req)
>
>
>
> However, when I check the data that the domain join is complaining about on the two existing domain controllers, it appears to be present and ok, so I don't think we are talking about https://bugzilla.samba.org/show_bug.cgi?id=10398 (plus we are > 4.1 here):
>
> [root at dc01 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=rule,OU=SUDOers,DC=example,DC=com" -s base objectClass
> ...
> # record 1
> dn: CN=rule,OU=SUDOers,DC=example,DC=com
> objectClass: top
> objectClass: sudoRole
>
>
>
> If I run a dbcheck I see a number of these for various objects:
>
> Values/Order of values do/does not match: ...
> ERROR: Normalisation error for attribute 'objectClass' in ...
>
>
>
> But none of the objects affected are what blows up the domain join. If I look at the metadata in binary of the Sudo Rule it does mention objectClass, however there are a lot of other UNKNOWN_ENUM_VALUE entries in that array for this entry. When I compare it to other standard AD objects in the LDAP tree, there are no unknown values.
>
> [root at dc01 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=rule,OU=SUDOers,DC=example,DC=com" -s base replPropertyMetaData --show-binary
> ...
> # record 1
> dn: CN=rule,OU=SUDOers,DC=example,DC=com
> replPropertyMetaData:     NDR: struct replPropertyMetaDataBlob
>          version                  : 0x00000001 (1)
>          reserved                 : 0x00000000 (0)
>          ctr                      : union replPropertyMetaDataCtr(case 1)
>          ctr1: struct replPropertyMetaDataCtr1
>              count                    : 0x0000000d (13)
>              reserved                 : 0x00000000 (0)
>              array: ARRAY(13)
>                  array: struct replPropertyMetaData1
>                      attid                    : UNKNOWN_ENUM_VALUE (0x882CB1CF)
>                      version                  : 0x00000007 (7)
>                      originating_change_time  : Wed Jun  4 12:24:20 2014 UTC
>                      originating_invocation_id: f712c17f-95ec-47db-b814-cb62f463bd7c
>                      originating_usn          : 0x0000000000001b6d (7021)
>                      local_usn                : 0x0000000000001b6e (7022)
>                  array: struct replPropertyMetaData1
>                      attid                    : DRSUAPI_ATTID_objectClass (0x0)
>                      version                  : 0x00000001 (1)
>                      originating_change_time  : Wed Feb 19 12:30:04 2014 UTC
>                      originating_invocation_id: f712c17f-95ec-47db-b814-cb62f463bd7c
>                      originating_usn          : 0x0000000000000f3a (3898)
>                      local_usn                : 0x0000000000000f3a (3898)
> ...
>

What happened on 'Wed Feb 19 12:30:04 2014 UTC'? The last time this 
came up, the date gave the clue to the answer, see here: 
https://lists.samba.org/archive/samba/2014-August/185453.html

Rowland

>
> Does anyone have any ideas about what is interfering with the domain join, or where to debug further?
>
> Thanks,
>
> --
>
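
Added example, not part of the original thread and not Samba code: a small parser for the `ldbsearch --show-binary` replPropertyMetaData dump quoted above. It reports where objectClass sits in the array, which attids the decoder could not name, and the oldest originating change time (the date asked about in the reply). `parse_entries` and `review` are hypothetical names, and the sample is constructed from the two entries visible in the post, with count reduced from 13 to 2.

```python
import re
from datetime import datetime

# Constructed sample: only the two array entries visible in the post.
SAMPLE = """\
replPropertyMetaData:     NDR: struct replPropertyMetaDataBlob
        ctr1: struct replPropertyMetaDataCtr1
            count                    : 0x00000002 (2)
                array: struct replPropertyMetaData1
                    attid                    : UNKNOWN_ENUM_VALUE (0x882CB1CF)
                    originating_change_time  : Wed Jun  4 12:24:20 2014 UTC
                array: struct replPropertyMetaData1
                    attid                    : DRSUAPI_ATTID_objectClass (0x0)
                    originating_change_time  : Wed Feb 19 12:30:04 2014 UTC
"""
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_entries(dump):
    """Return (declared_count, entries) from a --show-binary dump."""
    declared, entries, cur = None, [], None
    for line in dump.splitlines():
        line = line.lstrip("> ")  # tolerate mail-quoted dumps
        if "struct replPropertyMetaData1" in line:
            cur = {}
            entries.append(cur)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "count" and cur is None:
            declared = int(val.split()[0], 16)
        elif cur is not None and key == "attid":
            cur["name"], hexid = re.match(r"(\S+) \((0x[0-9A-Fa-f]+)\)", val).groups()
            cur["attid"] = int(hexid, 16)
        elif cur is not None and key == "originating_change_time":
            cur["changed"] = datetime.strptime(val, "%a %b %d %H:%M:%S %Y UTC")
    return declared, entries

def review(dump):
    declared, entries = parse_entries(dump)
    unknown = [e["attid"] for e in entries if e["name"] == "UNKNOWN_ENUM_VALUE"]
    return {
        "complete": declared == len(entries),  # False if the paste was cut short
        "objectclass_index": next((i for i, e in enumerate(entries) if e["attid"] == 0), None),
        "unknown_attids": [hex(a) for a in unknown],
        # MS-ADTS: ATTRTYP 0x80000000-0xBFFFFFFF are msDS-IntId values (schema extensions)
        "intid_range": all(0x80000000 <= a <= 0xBFFFFFFF for a in unknown),
        "oldest_change": min((e["changed"] for e in entries if "changed" in e), default=None),
    }
```

Running `review()` on the same object's dump from each existing DC and comparing the results shows whether the metadata differs between replicas.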


