Join Fails - no machine account?

Andrew Bartlett abartlet at samba.org
Wed Dec 5 08:00:54 UTC 2018


On Tue, 2018-12-04 at 23:12 -0500, Bill Mccabe via samba-technical
wrote:
> Hi,
> 
> I am trying to join a new samba DC to a domain that already has a samba4 AD
> in it. The primary DC with samba4 AD has been upgraded recently to
> version 4.7.6 on ubuntu bionic. Previously it was running a much older
> version of samba4 (whatever normally comes with ubuntu 14.04).
> 
> When I run the following command to join a new DC, also running samba 4.7.6
> from bionic, to the domain:
> 
> samba-tool domain join bousys.com DC -U"BOUSYS\administrator"
> --dns-backend=BIND9_DLZ --option="interfaces=lo enp1s0" --option="bind
> interfaces only=yes" --option='idmap_ldb:use rfc2307 = yes' --verbose
> 
> The command times out after beginning to add the NTDS Settings entries into
> active directory. With the debugging turned up I see a more informative
> error:
> 
> Could not find machine account in secrets database: Failed to fetch machine
> account password from secrets.ldb: Could not find entry to match filter:
> '(&(flatname=BOUSYS)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636
> and failed to open /var/lib/samba/private/secrets.tdb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> 
> I assume that the join command is attempting to look for the names of the
> Primary Domains in AD, but is it trying to open a secrets.tdb on the
> already setup domain controller or the new one? Also what do I need to do
> to make the join work? I have already tried fixing the AD, with various
> samba-tool dbcheck commands and many fixes were made.

It is trying to check if the machine is already joined to the domain,
so you don't accidentally re-join it (this takes time and removes the
DC from operation).  The error is expected, indeed hoped for.

I re-used the existing code from Samba to do that, so the error message
is a little more scary than is appropriate here.

Sorry if this caused some confusion.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




