[Samba] Add samba4 as DC to Windows 2000 SP4 (which is DC)

Rafa Toucedo debian.vigo at gmail.com
Thu Dec 2 01:27:02 MST 2010 

I tried to add my backup samba4 as DC or DC to a Windows 2000 SP4 to
synchronize the "user database" and "kill" the Windows to let the SAMBA
Instead it without touching the profiles of network clients.

First of all to mention what I said Andrew Bartlett:

We are working to enable support for Windows 2000 DCs as a target for a
'samba-tool join' (which will then do what our previous 'vampire' tool
did, and make Samba an additional DC in that domain).

Some fixes for this were made yesterday, but we know that some other
issues remain.  Our automated testing infrastructure is being extended
to support this, and so we should be able to reliably handle this in the
near future.

Andrew Bartlett

...................


SLES11
# Linux arce00000 2.6.27.19-5-xen #1 SMP 2009-02-28 04:40:21 +0100 x86_64
x86_64 x86_64 GNU/Linux

 I installed SAMBA 4 by GIT, waf, quicktest ... as explained in the wiki and
it works perfectly as SAMBA DC
# Version 4.0.0alpha14-UNKNOWN

The target domain is called DOMD4086 and no extension because it is a
migration from NT4 and here my troubles begin as samba-tool needs
"domain.extension" to work, to "trick" a samba-tool I do is add a point at
the end of the domain and I still like this: DOMD4086.

Kerberos taste as follows:

arce00000:/usr/local/samba # kdestroy
arce00000:/usr/local/samba # kinit ADMCONST
Password for ADMCONST at DOMD4086:
arce00000:/usr/local/samba # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMCONST at DOMD4086

Valid starting     Expires            Service principal
12/02/10 09:15:23  12/02/10 19:15:44  krbtgt/DOMD4086 at DOMD4086
    renew until 12/03/10 09:15:23, Etype (skey, tkt): ArcFour with HMAC/md5,
ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
arce00000:/usr/local/samba #

Samba-tool use as follows:

: /usr/local/samba #bin/samba-tool  join DC DOMD4086.
-UADMCONST at DOMD4086%ADMCONST
- realm=DOMD4086. -D2

where: DOMD4086. (Dot) is the domain to which I add my samba-U (user)
ADMCONST (the domain user with domain administrator privileges and is in all
caps) @ (domain user)% (password) - realm = DOMD4086. (Which is the target
domain with the point)-d2 is the debug level 2.

and the result is as follows (with debug level 2)

arce00000:/usr/local/samba # bin/samba-tool join DOMD4086. DC
-UADMCONST at DOMD4086%ADMCONST --realm=DOMD4086. -d2
Finding a writeable DC for domain 'DOMD4086.'
Found DC d4y08601.DOMD4086
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested
realm
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_NO_LOGON_SERVERS
workgroup is DOMD4086
realm is DOMD4086
checking samaccountname
Adding CN=ARCE00000,OU=Domain Controllers,DC=DOMD4086
Adding
CN=ARCE00000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMD4086
Adding CN=NTDS
Settings,CN=ARCE00000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMD4086
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested
realm
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_NO_LOGON_SERVERS
Join failed - cleaning up
checking samaccountname
Deleted CN=ARCE00000,OU=Domain Controllers,DC=DOMD4086
Deleted CN=NTDS
Settings,CN=ARCE00000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMD4086
Deleted
CN=ARCE00000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMD4086
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
'drsuapi.DsAddEntryCtr2' object has no attribute 'err_ver'
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 134, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/join.py", line
64, in run
    site=site, netbios_name=netbios_name)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
574, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
506, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
366, in join_add_objects
    ctx.DsAddEntry(rec)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
299, in DsAddEntry
    if ctr.err_ver != 1:
arce00000:/usr/local/samba #


(attached due to size the log file with debug level 5)

Mi configuración es:

kerberos:

[libdefaults]
        default_realm = DOMD4086
        dns_lookup_realm = true
        dns_lookup_kdc = true
        default_keytab_name  = FILE:/home/pilote/rafa.keytab

[realms]
DOMD4086.local = {
        kdc = D4Y08601.DOMD4086 88
                }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[appdefaults]
pam = {
        debug = false
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        krb4_convert = false
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
        }

my resolv.conf:

nameserver 10.159.172.244
domain domd4086


thank you very much everybody!

More information about the samba mailing list