Join Fails - no machine account?

Bill Mccabe wmccabe at gmail.com
Wed Dec 5 19:28:02 UTC 2018


On Wed, Dec 5, 2018, 03:00 Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2018-12-04 at 23:12 -0500, Bill Mccabe via samba-technical
> wrote:
> > Hi,
> >
> > I am trying to join a new samba DC to a domain that already has a samba4
> AD
> > in it. The primary DC with samba4 AD has been upgraded recently to
> > version 4.7.6 on ubuntu bionic. Previously it was running a much older
> > version of samba4 (whatever normally comes with ubuntu 14.04).
> >
> > When I run the following command to join a new DC, also running samba
> 4.7.6
> > from bionic, to the domain:
> >
> > samba-tool domain join bousys.com DC -U"BOUSYS\administrator"
> > --dns-backend=BIND9_DLZ --option="interfaces=lo enp1s0" --option="bind
> > interfaces only=yes" --option='idmap_ldb:use rfc2307 = yes' --verbose
> >
> > The command times out after beginning to add the NTDS Settings entries
> into
> > active directory. With the debugging turned up I see a more informative
> > error:
> >
> > Could not find machine account in secrets database: Failed to fetch
> machine
> > account password from secrets.ldb: Could not find entry to match filter:
> > '(&(flatname=BOUSYS)(objectclass=primaryDomain))' base: 'cn=Primary
> > Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4636
> > and failed to open /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >
> > I assume that the join command is attempting to look for the names of the
> > Primary Domains in AD, but is it trying to open a secrets.tdb on the
> > already setup domain controller or the new one? Also what do I need to do
> > to make the join work? I have already tried fixing the AD, with various
> > samba-tool dbcheck commands and many fixes were made.
>
> It is trying to check if the machine is already joined to the domain,
> so you don't accidentally re-join it (this takes time and removes the
> DC from operation).  The error is expected, indeed hoped for.
>
> I re-used the existing code from Samba to do that, so the error message
> is a little more scary than is appropriate here.
>
> Sorry if this caused some confusion.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
Andrew,

Thanks for responding. From what you are saying it sounds as if the join
operation will recover when it does not find a domain controller with the
same name as the one that I am trying to join. In fact, it may already be
recovering, in which case I can ignore the error? Assuming that I can
ignore that error, then could there be a different problem that is
preventing the join? Such as the timeout interval is too short?

I can post the precise error message when I have a moment; from what I
remember the timeout occurred in the domain.py script and was related to
drsuapi.py. Also, while monitoring the traffic it looked like the client was
sending an acknowledgement to the server, the server was responding back,
but the client was not receiving this response. This conversation was
taking place over a high port (41952), I believe. Also, the failure appeared
after an attempt to do a TCP window size change.

I guess what I am getting at here is that I would like to understand whether
this is a networking problem, since I am attempting to do the join over a
vxlan tunnel, or a samba bug.
I have already had to turn off ethernet checksumming in order for ssh to
operate between the two machines; maybe there is something else at a
lower level that is also causing the join to fail?

Any help is appreciated,

Bill
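The pre-join check Andrew describes looks in the prospective DC's own secrets.ldb for a primaryDomain entry whose flatname matches the domain; if none is there, samba-tool emits the "Could not find machine account" message and carries on with the join. The script below reproduces that lookup by hand so an administrator can tell the expected failure from a real one before running the join. It is an added example, not code from this thread or from the Samba project; the default private directory path, the domain flat name BOUSYS (taken from the error text above), the function names and the constructed LDIF used for testing are assumptions.

```shell
#!/bin/sh
# Added example: replicate the "is this host already joined?" pre-check that
# samba-tool domain join performs against the local secrets.ldb.
# Assumptions: the Samba default private directory and the ldbsearch tool
# from the ldb-tools package. Run it as root on the machine you intend to join.

SECRETS_LDB="${SECRETS_LDB:-/var/lib/samba/private/secrets.ldb}"

# primary_domain_present FLATNAME
# Reads LDIF on stdin (the format ldbsearch prints) and returns 0 if an
# entry with objectClass primaryDomain and the given flatname is present,
# 1 otherwise. Kept separate from the ldbsearch call so it can be tested
# offline with constructed LDIF.
primary_domain_present() {
    flat="$1"
    awk -v flat="$flat" '
        # A new dn: line closes the previous entry; evaluate it first.
        /^dn:/ { if (is_pd && fn == flat) found = 1; is_pd = 0; fn = "" }
        tolower($1) == "objectclass:" && tolower($2) == "primarydomain" { is_pd = 1 }
        tolower($1) == "flatname:" { fn = $2 }
        END { if (is_pd && fn == flat) found = 1; exit !found }
    '
}

# local_join_status FLATNAME
# Queries secrets.ldb with the same filter and base that appear in the join
# error message and prints a verdict.
# Returns 0 = machine account present (already joined),
#         1 = not present (the join-time message is the expected, harmless case),
#         2 = database not readable.
local_join_status() {
    flat="$1"
    if [ ! -r "$SECRETS_LDB" ]; then
        echo "cannot read $SECRETS_LDB (run as root on the prospective DC)"
        return 2
    fi
    if ldbsearch -H "$SECRETS_LDB" -b 'cn=Primary Domains' \
            "(&(flatname=$flat)(objectclass=primaryDomain))" 2>/dev/null \
       | primary_domain_present "$flat"; then
        echo "$flat: machine account present in secrets.ldb; this host is already joined"
        return 0
    fi
    echo "$flat: no primaryDomain entry; 'Could not find machine account' during join is expected"
    return 1
}

# Usage: local_join_status BOUSYS
```

If the verdict is "not present" and the join still times out, the secrets.ldb message can be ruled out and attention moves to the DRS replication leg of the join (the drsuapi traffic on the high port Bill mentions), which is a separate problem from the pre-check.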

