[Samba] Linux/Windows Domain Controller

matti.kaupenjohann matti.kaupenjohann at fh-dortmund.de
Mon Oct 30 12:25:40 UTC 2023


Hi all,

has nobody joined a Windows Functional Level 2016 domain with 
Samba 4.19 before?

On 10/25/23 at 13:58, matti.kaupenjohann via samba wrote:
> So. I've built 4.19.2 from source. Building worked fine and I 
> configured it as follows:
>
> ./configure \
>     --sbindir=/usr/local/sbin \
>     --bindir=/usr/local/bin \
>     --sysconfdir=/etc/samba \
>     --mandir=/usr/share/man \
>     --systemd-install-services \
>     --with-systemddir=/lib/systemd/system \
>     --enable-selftest \
>     --disable-cups
>
> I ran make quicktest with no resulting issues.
>
> I generated a ticket with kinit administrator which worked as expected.
>
> Afterwards I tried to join the domain with:
>
> samba-tool domain join mydomain.special.de DC -U"mydomain\administrator"
>
> Which resulted in the following already known error:
>
> INFO 2023-10-25 11:56:33,488 pid:403032 
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #106: 
> Finding a writeable DC for domain 'mydomain.special.de'
> INFO 2023-10-25 11:56:33,505 pid:403032 
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #108: 
> Found DC dc02.mydomain.special.de
> Password for [MYDOMAIN\administrator]:
> INFO 2023-10-25 11:56:41,616 pid:403032 
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1614: 
> workgroup is MYDOMAIN
> INFO 2023-10-25 11:56:41,617 pid:403032 
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1617: 
> realm is mydomain.special.de
> Adding CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
> Adding 
> CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
> Adding CN=NTDS 
> Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 
> 'WERR_DS_INCOMPATIBLE_VERSION')
> Join failed - cleaning up
> Deleted CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
> Deleted 
> CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
> ERROR(runtime): uncaught exception - DsAddEntry failed
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/__init__.py", 
> line 279, in _run
>         return self.run(*args, **kwargs)
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/domain/join.py", 
> line 128, in run
>         join_DC(logger=logger, server=server, creds=creds, lp=lp, 
> domain=domain,
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 
> 1630, in join_DC
>         ctx.do_join()
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 
> 1518, in do_join
>         ctx.join_add_objects()
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 
> 673, in join_add_objects
>         ctx.join_add_ntdsdsa()
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 
> 598, in join_add_ntdsdsa
>         ctx.DsAddEntry([rec])
>     File 
> "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 
> 534, in DsAddEntry
>         raise RuntimeError("DsAddEntry failed")
>
> From my position this still seems to be an issue with functional level 2016. 
> Do I need to configure differently?
> Further, I am curious about the systemd service flag. The created and 
> installed service doesn't use samba -D as exec; instead it uses samba 
> --foreground.
>
> On 10/19/23 at 10:39, Stefan Kania via samba wrote:
>
>>
>>
>> On 18.10.23 at 23:27, Matti Kaupenjohann via samba wrote:
>>> Yes, I've read this section and the documentation says no FL above 2008. 
>>> Might that be caused by incomplete documentation? As far as I understand, if we don't 
>>> use >4.19 we will not be able to use FL 2016, which is necessary 
>>> since our DC WIN22 is configured as FL2016?
>>
>> Yes you MUST use 4.19 ;-)
>>
>>>
>>> On 18.10.23 19:10, Stefan Kania via samba wrote:
>>>> If you take a look at:
>>>>
>>>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>>>
>>>> You will find your error message. I think your domain is running 
>>>> with FL 2012 and you are using a samba version < 4.19. So you can 
>>>> only go up to FL 2008_R2. The new 4.19 is the first version 
>>>> supporting FL >2008_R2. There you can go up to FL 2016.
>>>>
>>>>
>>>> On 18.10.23 at 18:05, matti.kaupenjohann via samba wrote:
>>>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>>>
>>>>
>>>
>>
>>
>>
-- 

Kind regards

Matti Kaupenjohann

Fachhochschule Dortmund
University of Applied Sciences and Arts

*Kaupenjohann, Matti*
FB Informationstechnik,

Sonnenstraße 96 - 44139 Dortmund
Raum SON-A A701.4
Tel     0231 9112 9190
matti.kaupenjohann at fh-dortmund.de
www.fh-dortmund.de

Think before you print!

