[Samba] adding samba to win2008Rd domain as DC
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 23 04:55:34 MDT 2013
You are the man !!!
Thank you, it seems the sernet samba version (4.0.10-6) didn't have this patch applied.
I manually changed the entries as mentioned in the patch and my server is joined now.
ok back to the howto, and really thank you.
Louis
From: Jacó Ramos [mailto:j4c0r4m0s at gmail.com]
Sent: Wednesday, 23 October 2013 12:40
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] adding samba to win2008Rd domain as DC
Applied the patch: https://attachments.samba.org/attachment.cgi?id=9210
And works fine!
Thanks!
Jacó Ramos
2013/10/23 L.P.H. van Belle <belle at bazuin.nl>
Hai.
I'm trying to add my samba to a win 2008R2 domain.
I'm following the howto, but it's not clear.
What I did already:
did read ( and follow http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC )
1 installed samba and its packages, ( sernet samba is used )
( apt-get install sernet-samba-ad , extra are installed also )
samba -V gives : Version 4.0.10-SerNet-Ubuntu-6.precise
kinit and klist output is ok.
klist output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDOMAIN.LAN
Valid starting Expires Service principal
23/10/2013 10:13 23/10/2013 20:13 krbtgt/MYDOMAIN.LAN at MYDOMAIN.LAN
renew until 24/10/2013 10:13
my readonly dns servers are in the /etc/resolve.conf ( and these servers have a copy of my domain, bind based and is ok )
So, I'm following the howto and am now at the point "join as a DC".
here: Since samba4 rc2 the internal DNS server is default. If you want to join this or a higher version with using BIND as DNS backend, use the following command:
# samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=BIND9_DLZ
but, first.. BIND as DNS.. setup. check. http://wiki.samba.org/index.php/Dns-backend_bind
using bind9.8 , as it states.
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf:
i have these three files :
/usr/share/samba/setup/named.conf
/usr/share/samba/setup/named.conf.dlz
/usr/share/samba/setup/named.conf.update
when I look in /usr/share/samba/setup/named.conf : ( I see variables not filled in, and that's correct, since no provisioning has been done yet. )
# This file should be included in your main BIND configuration file
#
# For example with
# include "${NAMED_CONF}";
zone "${DNSDOMAIN}." IN {
    type master;
    file "${ZONE_FILE}";
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    include "${NAMED_CONF_UPDATE}";
    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
};
BUT WAIT !
the howto says...
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf:
still no provisioning done, I'm in a loop of howtos....
any suggestions ?
So, I'm at point http://wiki.samba.org/index.php/Dns-backend_bind
Configuring Bind as Samba Active Directory backend
include "/usr/local/samba/private/named.conf"; ( I know this file is located after provisioning in /var/lib/samba/private for sernet samba. )
and I need some help. Following the howtos is not helping me. :-((
this is the error i get.
root at ms249-lin-007:/etc# samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mydomain.lan'
Found DC MS249-DB-001.mydomain.lan
Password for [WORKGROUP\administrator]:
workgroup is MYDOMAIN
realm is mydomain.lan
checking sAMAccountName
Adding CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Adding CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Adding CN=NTDS Settings,CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Adding SPNs to CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Setting account password for MS249-LIN-007$
Enabling account
Adding DNS account CN=dns-MS249-LIN-007,CN=Users,DC=mydomain,DC=lan with dns/ SPN
Join failed - cleaning up
checking sAMAccountName
Deleted CN=MS249-LIN-007,OU=Domain Controllers,DC=mydomain,DC=lan
Deleted CN=NTDS Settings,CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Deleted CN=MS249-LIN-007,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1169, in join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1072, in do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects
ctx.samdb.add(msg)
Does anyone have any suggestions?
Thanks,
Louis
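Added example, not part of the original thread and not Samba's own code: a small Python parser for a failed `samba-tool domain join` transcript. It reports which step was running when the join failed and decodes the leading hex field of the Active Directory extended error as a Win32 error code. The function name and the short code table are assumptions of this example; the sample is an excerpt of the transcript quoted above.

```python
import re

# Excerpt of the failing transcript quoted in the thread (trimmed for the example).
SAMPLE = """\
Enabling account
Adding DNS account CN=dns-MS249-LIN-007,CN=Users,DC=mydomain,DC=lan with dns/ SPN
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
> <>
"""

# Small subset of Win32 error codes from winerror.h; extend as needed.
WIN32 = {
    0x005: "ERROR_ACCESS_DENIED",
    0x524: "ERROR_USER_EXISTS",
    0x525: "ERROR_NO_SUCH_USER",
    0x52D: "ERROR_PASSWORD_RESTRICTION",  # password fails domain policy
    0x52E: "ERROR_LOGON_FAILURE",
}

LDAP_RE = re.compile(r"LDAP error (\d+) (\w+)")
EXT_RE = re.compile(
    r"<([0-9A-Fa-f]{8}): (\w+): DSID-([0-9A-Fa-f]+), "
    r"problem (\d+) \((\w+)\), data (-?\w+)"
)

def diagnose_join(transcript):
    """Return the failed step and decoded AD extended error, or None."""
    lines = transcript.splitlines()
    failed_step = None
    for i, line in enumerate(lines):
        # The line printed just before "Join failed" is the step that broke.
        if line.startswith("Join failed") and i > 0:
            failed_step = lines[i - 1].strip()
            break
    ldap = LDAP_RE.search(transcript)
    ext = EXT_RE.search(transcript)
    if not ldap or not ext:
        return None
    code = int(ext.group(1), 16)
    return {
        "failed_step": failed_step,
        "ldap_code": int(ldap.group(1)),
        "ldap_name": ldap.group(2),
        "win32_code": code,
        "win32_name": WIN32.get(code, "unknown"),
        "dsid": ext.group(3),
        "problem": int(ext.group(4)),
    }

if __name__ == "__main__":
    print(diagnose_join(SAMPLE))
```

For the transcript above this reports the "Adding DNS account" step and Win32 code 0x52D (1325, ERROR_PASSWORD_RESTRICTION), meaning the domain controller rejected the password set on the new dns- account under its password policy.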