join as DC fails: LDAP error 10 LDAP_REFERRAL, or how to properly create application directory partition

Rowland Penny rpenny at samba.org
Mon Jun 25 13:30:49 UTC 2018


On Mon, 25 Jun 2018 16:36:52 +0400
Alexey Sheplyakov via samba-technical <samba-technical at lists.samba.org>
wrote:

> Hi!
> 
> 
> I've got a domain with 2 controllers: Windows 2008 R2 (hostname: DCW) 
> and samba 4.6.16 (hostname: dc0).
> 
> An attempt to join yet another samba server as a controller fails
> with the following error:
> 
> Finding a writable DC for domain 'domain.alt'
> Found DC DCW.domain.alt
> workgroup is DOMAIN
> realm is domain.alt
> Adding CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
> Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> Join failed - cleaning up
> Deleted CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
> Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> Deleted CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - 
> <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>      ref 1: 'a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt'
>  > <ldap://a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt>
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
>      ctx.do_join()
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1175, in do_join
>      ctx.join_add_objects()
>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 643, in join_add_objects
>      ctx.samdb.modify(m)
> 
> 
> (a similar log with debug level 10 is attached)
> 
> The problem here is that the join script tries to create an
> application directory partition [1].
> 
> However the controller it talks with (DCW) has no `Domain naming
> master` FSMO role:
> 
> $ samba-tool fsmo show
> 
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
> 
> so the DCW (Windows 2008 R2) controller returns an error (a referral 
> pointing to the controller DC0).
> 
> Any ideas how to handle an error properly (so join `just works'
> without specifying the server explicitly)?
> 
> Is it OK to 1) find out which DC is domain naming master, 2) connect
> to that DC and ask it to create a directory partition, 3) continue as 
> if nothing bad has happened?
> 
> [1] 
> https://git.samba.org/?p=samba.git;a=blob;f=python/samba/join.py;h=30ecce77c55852ed5ff542ea05c3e5f0c535835c;hb=a261a2a4294a588b07297f3b75ef98cd14984b99#l668
> 
> Best regards,
> 
>      Alexey
> 
> 

Try adding '--server=dc0' to the join command.

Rowland
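
As an added example that is not part of the original thread or of Samba's own code: a small parser that reads `samba-tool fsmo show` output in the shape quoted above, finds the owner of `DomainNamingMasterRole`, and builds the `--server=` option suggested in the reply. The function names are hypothetical, the sample text is constructed from the quoted output, and it assumes the DC's hostname is the lowercased CN of its server object (true for DC0/dc0 in this thread).

```python
import re

# Constructed sample in the shape of the `samba-tool fsmo show` output quoted
# in the question: one role per line, owner given as an NTDS Settings DN.
_DN = ("CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=domain,DC=alt")
SAMPLE_FSMO_SHOW = "\n".join([
    "SchemaMasterRole owner: " + _DN,
    "DomainNamingMasterRole owner: " + _DN,
    "ForestDnsZonesMasterRole owner: " + _DN,
])

ROLE_LINE = re.compile(r"^(?P<role>\w+Role) owner: (?P<dn>.+)$")


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def server_from_ntds_dn(dn):
    """Return the server CN that sits directly above 'CN=NTDS Settings'."""
    parts = split_dn(dn)
    # A role whose owner object was deleted shows a mangled first RDN
    # (for example 'CN=NTDS Settings\0ADEL:<guid>'); refuse to guess.
    if len(parts) < 2 or parts[0].lower() != "cn=ntds settings":
        raise ValueError("not a live NTDS Settings DN: %r" % dn)
    key, _, value = parts[1].partition("=")
    if key.lower() != "cn" or not value:
        raise ValueError("unexpected server RDN: %r" % parts[1])
    return value


def parse_fsmo_show(text):
    """Map each FSMO role name to the CN of the server that owns it."""
    owners = {}
    for line in text.splitlines():
        match = ROLE_LINE.match(line.strip())
        if match:
            owners[match.group("role")] = server_from_ntds_dn(match.group("dn"))
    return owners


def join_server_option(fsmo_text, role="DomainNamingMasterRole"):
    """Build the --server= option that targets the owner of `role`."""
    owners = parse_fsmo_show(fsmo_text)
    if role not in owners:
        raise LookupError("role %s not found in fsmo output" % role)
    # Assumption: the DC's hostname is the lowercased CN of its server object.
    return "--server=" + owners[role].lower()
```

The input must have each role on a single line; the mail-wrapped form in which archives often show this output needs the continuation lines rejoined first.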


