[Samba] Linux/Windows Domain Controller

matti.kaupenjohann matti.kaupenjohann at fh-dortmund.de
Wed Oct 25 11:58:12 UTC 2023 

So. I've builded 4.19.2 from source. building worked fine and I've 
configured like the following:

./configure \
     --sbindir=/usr/local/sbin \
     --bindir=/usr/local/bin \
     --sysconfdir=/etc/samba \
     --mandir=/usr/share/man \
     --systemd-install-services \
     --with-systemddir=/lib/systemd/system \
     --enable-selftest \
     --disable-cups

I ran make quicktest with no resulting issues.

I generated a ticket with kinit administrator which worked as expected.

Afterwards I tried to join the domain with:

samba-tool domain join mydomain.special.de DC -U"mydomain\administrator"

Which resulted in the foloowing already known error:

INFO 2023-10-25 11:56:33,488 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #106: 
Finding a writeable DC for domain 'mydomain.special.de'
INFO 2023-10-25 11:56:33,505 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #108: Found 
DC dc02.mydomain.special.de
Password for [MYDOMAIN\administrator]:
INFO 2023-10-25 11:56:41,616 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #1614: 
workgroup is MYDOMAIN
INFO 2023-10-25 11:56:41,617 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #1617: realm 
is mydomain.special.de
Adding CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
Adding 
CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
Adding CN=NTDS 
Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 
'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
Deleted 
CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
ERROR(runtime): uncaught exception - DsAddEntry failed
     File 
"/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/__init__.py", 
line 279, in _run
         return self.run(*args, **kwargs)
     File 
"/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/domain/join.py", 
line 128, in run
         join_DC(logger=logger, server=server, creds=creds, lp=lp, 
domain=domain,
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", 
line 1630, in join_DC
         ctx.do_join()
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", 
line 1518, in do_join
         ctx.join_add_objects()
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", 
line 673, in join_add_objects
         ctx.join_add_ntdsdsa()
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", 
line 598, in join_add_ntdsdsa
         ctx.DsAddEntry([rec])
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", 
line 534, in DsAddEntry
         raise RuntimeError("DsAddEntry failed")

Seems from my position still be an issue with functional level 2016. Do 
I need to configure differently?
Further I am curious about the systemd service flag. The created and 
installed services doesn't uses as exec samba -D instead it uses samba 
--foreground.

Am 10/19/23 um 10:39 schrieb Stefan Kania via samba:

>
>
> Am 18.10.23 um 23:27 schrieb Matti Kaupenjohann via samba:
>> Yes I've red this section and the docu is saying no FL above 2008. 
>> Might be caused by incompleted docu? So far I understand if we don't 
>> use >4.19 we will not be able to use FL 2016 which is necessary since 
>> our DC WIN22 is configured as FL2016?
>
> Yes you MUST usee 4.19 ;-)
>
>>
>> On 18.10.23 19:10, Stefan Kania via samba wrote:
>>> If you take a look at:
>>>
>>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>>
>>> You will find your error message. I think your domain is running 
>>> with FL 2012 and you are using a samba version < 4.19. So you can 
>>> only go up to FL 2008_R2. The new 4.19 is the first version 
>>> supporting FL >2008_R2. There you can go up to FL 2016.
>>>
>>>
>>> Am 18.10.23 um 18:05 schrieb matti.kaupenjohann via samba:
>>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>>
>>>
>>
>
>
-- 

Mit freundlichen Grüßen

Matti Kaupenjohann

Fachhochschule Dortmund
University of Applied Sciences and Arts

*Kaupenjohann, Matti*
FB Informationstechnik,

Sonnenstraße 96 - 44139 Dortmund
Raum SON-A A701.4
Tel     0231 9112 9190
matti.kaupenjohann at fh-dortmund.de
www.fh-dortmund.de

Think before you print!

More information about the samba mailing list