Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Mon Nov 28 10:04:21 MST 2011


Hi Ted,

I re-enabled the generic Administrator account and tried using that. Same
error.

Also, as I said in my original post, the new server was able to join the
1st time, and gave me errors only when I checked the replication and tried
to replicate again. After I blew it away and reinstalled it gave me the
error I put in the post right away, instead of after the fact. Since I can
see the new server name in the Windows GUI, I wonder if that is causing me
problems, but the GUI won't let me delete it.

Does anyone know the proper syntax to delete a DC with the command line
tools? I see "ldbdel" in the Samba bin directory, but that server shows up
in the currently active production A/D, so I don't want to play around and
mess that up. Thanks!

In the meantime I will try to reinstall with the build I downloaded from
Git today and see if I have better luck.

Cheers,

Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

*Proclivity® | We Value Your Customers™*


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.







On Mon, Nov 28, 2011 at 11:20 AM, Ted Salmon <tass2001 at hotmail.com> wrote:

> I've got a couple basic questions that may or may not help.
> First, are you sure the 'admin' user has the ability to write to the
> 'Domain Controller' OU?
> Have you tried using the generic "Administrator" user for this join?
> I'm guessing you don't have issues writing regular objects to the DC,
> correct?
>
> Thanks!
>
> > From: aekstrom at proclivitysystems.com
> > Date: Mon, 28 Nov 2011 10:42:08 -0500
> > Subject: Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD
> > To: samba-technical at lists.samba.org
> >
> > Hi All,
> >
> > >
> > > First let me report back that we are still running Samba 4 as our primary
> > > (i.e. 'only') ldap/AD authentication in our small (30-40 person, depending
> > > on the month) tech start up company. It has been over a year since you all
> > > helped me when I ran into trouble extending the Samba 4 schema to support
> > > Apple OS X extensions. We have been authenticating all our Windows and
> > > Apple computers against the Samba 4 AD, and it has been rock solid,
> > > including GPO for Windows and Apple's equivalent functionality through
> > > Workgroup Manager.
> > >
> > > That being said, I have been singing its praises to our new IT Director,
> > > and while he prefers Windows to open source for such things as Active
> > > Directory, he is well versed in Linux and open source and so is willing to
> > > keep using Samba 4. In fact he wants to put not only all our developer
> > > Linux workstations on Samba 4, but our production Linux servers as well. As
> > > part of that effort he asked me to set up another Samba 4 DC in our
> > > production environment and then join it to the existing domain.
> > >
> > > So I downloaded the latest and greatest from GIT, installed all the
> > > packages, configured it (./configure.developer), compiled it, tested it
> > > (make quicktest) and installed it. Then following the online instructions
> > > (http://wiki.samba.org/index.php/Samba4_joining_a_domain), joined it to
> > > our existing domain. All looked good. When I tried to test the replication
> > > however I started getting errors. Then I tested the local db and got more
> > > errors. Then it wouldn't talk to the pre-existing DC any more, so I blew it
> > > away and reinstalled (even rebooted both servers at one point, although I
> > > doubted that would fix anything, but just in case).
> > >
> > > Still won't talk directly to the existing DC. I get errors like this:
> > >
> > > [root@newdc bin]# ./samba-tool domain join not-our.domain DC -Uadmin --realm=NOT-OUR.DOMAIN
> > > Finding a writeable DC for domain 'not-our.domain'
> > > ERROR(exceptions.Exception): uncaught exception - Failed to find a writeable DC for domain 'not-our.domain'
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 167, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/domain.py", line 121, in run
> > >     domain_critical_only=domain_critical_only)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 913, in join_DC
> > >     ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 65, in __init__
> > >     ctx.server = ctx.find_dc(domain)
> > >   File "/usr/local/samba/lib/python2.4/site-packages/samba/join.py", line 200, in find_dc
> > >     raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
> > >
> > > Now the new DC is over a year newer than the existing version of Samba 4
> > > (I have been loath to touch the old one since it is our only DC and has
> > > been rock solid), AND we want to standardize on CENT OS now, so the new DC
> > > is also on CENT OS 5.6, while the existing Samba 4 is on Debian 5.x. I did
> > > have a lot more trouble getting all the packages for CENT OS 5 than I
> > > remember having for Debian. Some of them were only available in Yum as part
> > > of larger packages that had different names, but once they were all there
> > > it compiled, tested and installed without error.
> > >
> > > *Existing Samba 4:*
> > >
> > > Debian 5.x 64bit (don't remember subversion, used a 5.6 live CD, but then
> > > upgraded... was still 5 though)
> > >
> > > Samba Version 4.0.0alpha14-GIT-800a76d
> > >
> > >
> > > *New Samba 4:*
> > >
> > > CENT OS 5.6.1 32bit
> > >
> > > Samba Version 4.0.0alpha18-GIT-UNKNOWN
> > >
> > > It does see the other DC. I can ping both by name from each other, and
> > > kinit from the new DC resolves the existing DC and authenticates. Before I
> > > ran into trouble and blew it away, it said it joined and replicated...
> > >
> > > [root@newdc bin]# kinit admin
> > > Password for admin@NOT-OUR.DOMAIN:
> > > [root@newdc bin]#
> > >
> > >
> > > Not sure what to try next. Thanks in advance!
> > >
> > >
> > > Cheers,
> > >
> > > Aubrey Ekstrom | Systems Administrator

