[Samba] cannot join an existing AD as either a RODC or DC w/ samba4
Mike Edwards
pf-samba at mirkwood.net
Thu Jan 10 14:53:59 MST 2013
I'm unable to have samba4 join an existing AD domain as either an RODC
(preferable) or merely a DC.
AD domain is Win2k3, but we recently added a pair of Win2k8 DCs to it.
Domain functional level is Win2k3.
### Adding samba4 as an RODC ###
# samba-tool domain join -d5 my.domain RODC -U'adminuser@MY.DOMAIN' --server=nysv-vmdc3.my.domain
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1
bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255
netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255
netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [adminuser@MY.DOMAIN]:
Timed out smb_krb5 packet
Received smb_krb5 packet of length 148
Timed out smb_krb5 packet
Received smb_krb5 packet of length 1450
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is MY
realm is my.domain
checking sAMAccountName
Adding CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 19
LDAP_CONSTRAINT_VIOLATION - <000020B5: AtrErr: DSID-03152804, #2:
0: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 90786 (msDS-NeverRevealGroup)
1: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data
0, Att 90788 (msDS-RevealOnDemandGroup)
> <>
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 558, in run
dns_backend=dns_backend)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1071, in join_RODC
ctx.do_join()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 499, in join_add_objects
ctx.samdb.add(rec)
### Adding samba4 as a DC ###
# samba-tool domain join -d5 my.domain DC -U'adminuser@MY.DOMAIN' --server=nysv-vmdc3.my.domain
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1
bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255
netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255
netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [adminuser@MY.DOMAIN]:
Timed out smb_krb5 packet
Received smb_krb5 packet of length 148
Timed out smb_krb5 packet
Received smb_krb5 packet of length 1450
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is MY
realm is my.domain
checking sAMAccountName
Adding CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
Adding
CN=NYSV-NIS1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain
Join failed - cleaning up
checking sAMAccountName
Deleted CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=my,DC=domain <0000208D: NameErr:
DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Sites,CN=Configuration,DC=my,DC=domain'
> <>
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py",
line 518, in join_add_objects
ctx.samdb.add(rec)
Any ideas?
--
Mike Edwards | If this email address disappears,
Unsolicited advertisements to | assume it was spammed to death. To
this address are not welcome. | reach me in that case, s/-.*@/@/
"Our progress as a nation can be no swifter than our progress in education.
The human mind is our fundamental resource."
-- John F. Kennedy