[Samba] Problems joining Samba 4 in the domain
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 12 15:01:08 UTC 2019
Ah, so the error changed..
Can you try
samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc01.empresa.com.br
so we try to join through samba4-dc1 and not the windows DC.
Looking at below again.
(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
This looks familuar.. i have to look this up.. ( tomorrow, office is closing here.. sorry )
> Do I need to manually enter information (ldap and kerberos) about the new DC in the DNS entries in the msdcs.empresa.com.br e empresa.com.br trees?
No, these records should and need to be created by the server.
So far,
Louis
Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Verzonden: maandag 12 augustus 2019 16:52
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problems joining Samba 4 in the domain
Hi,
I created a new Samba 4 with a different name from the previous one.
I followed your configuration guidelines for the /etc/ hosts and /etc/resolv.conf files. I also removed the smb.conf file of the new DC
I did maintenance on Samba 4 DC1:
samba-tool dbcheck --cross-ncs --fix --yes
Checking 6340 objects
Checked 6340 objects (0 errors)
I cleaned up DNS records.
However, the following error occurred:
root at samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k yes -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for EMPRESA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=EMPRESA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
ctx.samdb.modify(m)
Do I need to manually enter information (ldap and kerberos) about the new DC in the DNS entries in the msdcs.empresa.com.br e empresa.com.br trees?
Regards,
Márcio Bacci
Em qui, 8 de ago de 2019 às 11:48, L.P.H. van Belle via samba <samba at lists.samba.org> escreveu:
Hai marcio,
As far i can see, most look ok to me.
A few very small points.
First change this :
> cat /etc/hosts
> 192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
> 192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135 win-dc2.empresa.com.br. wind-dc2
>
>
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20
To
/etc/hosts
192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
10.133.84.135 win-dc2.empresa.com.br wind-dc2
/etc/resolv.conf
search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19
Now, question.
If this the first attempt to join this server? Of not, what guess based on the output below.
- Then verify in the dns and AD if the old server is completely removed.
And take you time for this.
- cleanup /var/lib/samba ( remove all files there and in subfolders, keep the folders )
- cleanup /var/cache/samba ( remove all files there and in subfolders, keep the folders )
- remove /etc/samba/smb.conf
> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> been revoked)
So this really looks like leftovers from previous attempt, so there must be something in the AD domain with that hostname.
That that one is revoked.
Then, after a good cleanup, you can try to join again.
After the join, reboot Then change :
/etc/resolv.conf
search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Marcio Demetrio Bacci via samba
> Verzonden: donderdag 8 augustus 2019 16:26
> Aan: sambalist
> Onderwerp: [Samba] Problems joining Samba 4 in the domain
>
> Hi,
>
> I have 2 DC in my network.
>
> DC master is a Samba 4 and the secondary is Windows Server 2008.
>
> I want to put another Samba 4 as DC to replace Windows
> Server, however the
> following errors are emerging:
>
> root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
> -k yes -d 3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'empresa.com.br'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> tcp.empresa.com.br<0x0>
> Found DC win-dc2.empresa.com.br
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> workgroup is EMPRESA
> realm is empresa.com.br
> Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Adding
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> been revoked)
>
> Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR
> failed (Clients
> credentials have been revoked)
>
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> ldap/win-dc2.empresa.com.br
> failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
> Failed to bind - LDAP client internal error:
> NT_STATUS_ACCOUNT_LOCKED_OUT
> Failed to connect to 'ldap://win-dc2.empresa.com.br' with
> backend 'ldap':
> LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
> Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Deleted
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL
> - <0000202B:
> RefErr: DSID-030A0AEB, data 0, 1 access points
> ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> > <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
> join_add_objects
> ctx.samdb.modify(m)
>
> ##############################################################
> ###############################################
>
>
> root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
> -U"EMPRESA\administrator" -d 3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'empresa.com.br'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> tcp.empresa.com.br<0x0>
> Found DC win-dc2.empresa.com.br
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> Password for [EMPRESA\administrador]:
> Cannot reach a KDC we require to contact (null) : kinit for
> administrador at EMPRESA failed (Cannot contact any KDC for
> requested realm)
>
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> ldap/win-dc2.empresa.com.br
> failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> workgroup is EMPRESA
> realm is empresa.com.br
> Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Adding
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> Cannot reach a KDC we require to contact (null) : kinit for
> administrador at EMPRESA failed (Cannot contact any KDC for
> requested realm)
>
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> ldap/WIN-DC2.EMPRESA.COM.BR
> failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> resolve_lmhosts: Attempting lmhosts lookup for name
> win-dc2.empresa.com.br
> <0x20>
> Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR
> failed (Clients
> credentials have been revoked)
>
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> ldap/win-dc2.empresa.com.br
> failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
> LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error,
> data 52e,
> v1773> <>
> Failed to connect to 'ldap://win-dc2.empresa.com.br' with
> backend 'ldap':
> LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
> DSID-0C09052B, comment: AcceptSecurityContext error, data
> 52e, v1773> <>
> Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Deleted
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL
> - <0000202B:
> RefErr: DSID-030A0AEB, data 0, 1 access points
> ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> > <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
> join_add_objects
> ctx.samdb.modify(m)
>
> ##############################################################
> ###############################
>
> I did some tests in the new Samaba4 DC and it seems OK as below:
>
> root at samba4-dc2:~# kinit Administrator
> Password for marcio at EMPRESA.COM.BR:
>
>
> root at samba4-dc2:~# klist -l
> Principal name Cache name
> -------------- ----------
> Administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
>
> root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
> _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
> samba4-dc1.empresa.com.br.
> _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
> win-dc2.empresa.com.br
> .
> root at samba4-dc2:~#
> root at samba4-dc2:~#
> root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
> _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389
> win-dc2.empresa.com.br.
> _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389
> samba4-dc1.empresa.com.br
> .
> root at samba4-dc2:~#
> root at samba4-dc2:~# cat /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = EMPRESA.COM.BR
> root at samba4-dc2:~# host -t EMPRESA.COM.BR
> host: invalid type: EMPRESA.COM.BR
>
> root at samba4-dc2:~# host -t A EMPRESA.COM.BR
> EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2
> EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1
> EMPRESA.COM.BR has address 192.168.1.19 # Samba4-DC2 . I did not
> understand why. He hasn't joined in the domain yet.
>
>
> My kerberos configurations:
>
> cat /etc/krb5.conf
>
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = EMPRESA.COM.BR
>
>
> Another configurations:
>
> cat /etc/hosts
> 192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
> 192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135 win-dc2.empresa.com.br. wind-dc2
>
>
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20
> nameserver 10.133.84.135
>
> Could anybody help me?
>
> Regards,
>
> Márcio Bacci
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list