[Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
Daniel McFeeters
danielj.mcfeeters at lcdhd.org
Thu Dec 21 22:58:54 UTC 2017
Perhaps I'm rooting around at a lower level than I should be, and somewhat beyond what I can understand, but here is a bit of info I dug up. It might be helpful? The GUID in the first search matches the one referred to in the error message.
$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(DC=DomainDnsZones)"
# record 1
dn: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
description: Microsoft DNS Directory
instanceType: 13
whenCreated: 20171218211518.0Z
whenChanged: 20171218211518.0Z
uSNCreated: 3620
nTSecurityDescriptor: REDACTED
name: DomainDnsZones
objectGUID: 60e25dda-6d35-4aab-bfa5-6137cb271e27
objectCategory: <GUID=b7263211-731a-43fe-a2f4-b522bf2d1a9d>;CN=Domain-DNS,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
msDS-NcType: 0
dc: DomainDnsZones
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:<GUID=ff815094-bd8e-49
08-ac71-c62beeb47896>;CN=NTDS Quotas,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:<GUID=d3806832-94c6-41
3b-9406-0f512a8a6cd5>;CN=Deleted Objects,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:<GUID=e72f6718-5cb2-45
35-9410-c1fc3e4ea084>;CN=Infrastructure,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:<GUID=5e3f945f-a07e-4d
5a-bf69-6d191f5a6bc2>;CN=LostAndFound,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
replPropertyMetaData:: REDACTED
uSNChanged: 3627
distinguishedName: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
# record 2
dn: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20171218211518.0Z
whenChanged: 20171218211518.0Z
uSNCreated: 3672
uSNChanged: 3672
showInAdvancedViewOnly: TRUE
name: DomainDnsZones
objectGUID: 4f08c35a-d330-4e01-8cd7-7a6790397b3a
replPropertyMetaData:: REDACTED
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAACmMAFQ==
objectCategory: <GUID=30c12cc0-3c1f-43d6-9498-5ca8856a6156>;CN=Dns-Node,CN=Sch
ema,CN=Configuration,DC=redacted,DC=domain,DC=local
dc: DomainDnsZones
nTSecurityDescriptor: REDACTED
distinguishedName: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=Domain
DnsZones,DC=redacted,DC=domain,DC=local
# returned 2 records
# 2 entries
# 0 referrals
$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: container
cn: MicrosoftDNS
instanceType: 4
whenCreated: 20171218211518.0Z
uSNCreated: 3638
showInAdvancedViewOnly: TRUE
name: MicrosoftDNS
objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
nTSecurityDescriptor: REDACTED
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
hema,CN=Configuration,DC=redacted,DC=domain,DC=local
replPropertyMetaData:: REDACTED
whenChanged: 20171220011156.0Z
uSNChanged: 887580
distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
# returned 1 records
# 1 entries
# 0 referrals
$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: container
cn: MicrosoftDNS
instanceType: 4
whenCreated: 20100113175618.0Z
whenChanged: 20121217022721.0Z
displayName: DNS Servers
uSNCreated: 3330
uSNChanged: 3330
showInAdvancedViewOnly: TRUE
name: MicrosoftDNS
objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd
replPropertyMetaData:: REDACTED
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
hema,CN=Configuration,DC=redacted,DC=domain,DC=local
nTSecurityDescriptor: REDACTED
distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
# returned 1 records
# 1 entries
# 0 referrals
Daniel McFeeters
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "Garming Sam" <garming at catalyst.net.nz>
> Cc: "samba" <samba at lists.samba.org>, "Andrew Bartlett" <abartlet at samba.org>
> Sent: Thursday, December 21, 2017 5:20:30 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
> OK, we're getting closer here I think. I repeated with -d 2 without much help.
> Here is -d 3, which may point us in the right direction. As I suspected, it
> seems to point to some corruption in the DNS still, perhaps?
> The key line seems to be here:
> Missing parent while attempting to apply records: No parent with GUID
> 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> Here is the full output in context:
> $ sudo samba-tool domain join redacted.domain.local DC
> -U"REDACTED\my.domain.admin" --dns-backend=SAMBA_INTERNAL -d 3
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'redacted.domain.local'
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.redacted.domain.local<0x0>
> Found DC samba4dom.redacted.domain.local
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/samba4dom.redacted.domain.local
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> Password for [REDACTED\my.domain.admin]:
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NO DNS zone information found in source domain, not replicating DNS
> workgroup is REDACTED
> realm is redacted.domain.local
> Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Adding
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Adding CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Setting account password for SAMBA4DC2$
> Enabling account
> Calling bare provision
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> ldb_wrap open of hklm.ldb
> Key 'key=SOFTWARE,hive=NONE' not found
> key added: key=SOFTWARE,hive=NONE
> Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not
> found
> key added: key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=SYSTEM,hive=NONE' not found
> key added: key=SYSTEM,hive=NONE
> Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added: key=Terminal
> Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> found
> key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> found
> key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> partition_metadata: Migrating partition metadata: open of metadata.tdb gave:
> (null)
> A Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> Provision OK for domain DN DC=redacted,DC=domain,DC=local
> Starting replication
> Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Replicated 1550 objects (0 linked attributes) for
> CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610]
> linked_values[0/15]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610]
> linked_values[22/22]
> Replicated 1 objects (22 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Replicating critical objects from the base DN of the domain
> Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
> Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
> Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
> Missing parent while attempting to apply records: No parent with GUID
> 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch machine
> account password for REDACTED from both secrets.ldb (Could not find entry to
> match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4636) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Deleted CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Deleted
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS
> replicated objects: WERR_DS_DRA_MISSING_PARENT")
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in
> _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
> ctx.join_replicate()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in
> join_replicate
> replica_flags=ctx.domain_replica_flags)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in
> replicate
> schema=schema, req_level=req_level, req=req)
> $
> Daniel McFeeters
More information about the samba
mailing list