[Samba] Unable to join new domain controller to Samba4 domain

Alex Ferrara alex at receptiveit.com.au
Wed Sep 10 08:11:43 MDT 2014

Thanks Rowland,


On 10/09/2014, at 8:34 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 10/09/14 05:09, Alex Ferrara wrote:
>> Hi folks,
>> Everything is working great and I am not having any issues with the three domain controllers that I currently have set up. We are migrating from Puppet to Ansible for configuration management, and I decided to create a playbook that will do all the things necessary to set up a DC and join the domain. I have found that in the domain joining process, an error stops replication from happening, and therefore stops the join. Replication to the currently joined servers is working fine, as reported by "samba-tool drs showrepl"
>> In the past, I extended the Samba4 schema to allow for our groupware SOGo server to load calendar resources from AD (http://wiki.sogo.nu/ResourceConfiguration). This did not cause me any grief at the time, but the object that is generating the errors is one of the calendar resources that I have created.
>> Below is the output from the attempted domain join
>> # samba-tool domain join hq.domain.com.au DC -Uadministrator --realm=hq.achievecorp.com.au --dns-backend=BIND9_DLZ
>> Finding a writeable DC for domain 'hq.domain.com.au'
>> Found DC zeus.hq.domain.com.au
>> Password for [DOMAIN\administrator]:
>> workgroup is DOMAIN
>> realm is hq.domain.com.au
>> checking sAMAccountName
>> Adding CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
>> Adding CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
>> Adding CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
>> Adding SPNs to CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
>> Setting account password for SERVER$
>> Enabling account
>> Adding DNS account CN=dns-SERVER,CN=Users,DC=hq,DC=domain,DC=com,DC=au with dns/ SPN
>> Setting account password for dns-SERVER
>> Calling bare provision
>> No IPv6 address will be assigned
>> Provision OK for domain DN DC=hq,DC=domain,DC=com,DC=au
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[402/2383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[804/2383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1206/2383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1608/2383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[2010/2383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[2383/2383] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[402/1634] linked_values[0/0]
>> Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[804/1634] linked_values[0/0]
>> Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1206/1634] linked_values[0/0]
>> Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1608/1634] linked_values[0/0]
>> Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1634/1634] linked_values[48/0]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=hq,DC=domain,DC=com,DC=au] objects[103/103] linked_values[34/0]
>> Partition[DC=hq,DC=domain,DC=com,DC=au] objects[505/543] linked_values[0/0]
>> Partition[DC=hq,DC=domain,DC=com,DC=au] objects[646/543] linked_values[389/0]
>> No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!
>> Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!: Object class violation
>> Failed to commit objects: WERR_GENERAL_FAILURE
>> Join failed - cleaning up
>> checking sAMAccountName
>> Deleted CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
>> Deleted CN=dns-SERVER,CN=Users,DC=hq,DC=domain,DC=com,DC=au
>> Deleted CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
>> Deleted CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 555, in run
>>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1172, in join_DC
>>     ctx.do_join()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1077, in do_join
>>     ctx.join_replicate()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 817, in join_replicate
>>     replica_flags=ctx.domain_replica_flags)
>>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 256, in replicate
>>     schema=schema, req_level=req_level, req=req)
>> Alex Ferrara
>> Director
>> Receptive IT Solutions
>> P 0403 604 604
>> F (02) 4822 7700
>> E alex at receptiveit.com.au
>> W www.receptiveit.com.au
> Known problem, last raised in August, see here: https://lists.samba.org/archive/samba/2014-August/184571.html
> and here: https://lists.samba.org/archive/samba-technical/2014-February/098052.html
> and bug report here: https://bugzilla.samba.org/show_bug.cgi?id=10398
> Rowland
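
When the join is driven from configuration management, as in the quoted message, the object that aborts replication can be pulled out of the `samba-tool domain join` output and reported directly. The following is an added example, not part of the original thread and not Samba code; the function name `summarize_join` and the embedded sample (constructed from the output lines quoted above) are assumptions.

```python
import re

# Constructed sample: a subset of the join output quoted in the message above.
SAMPLE = """\
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[2383/2383] linked_values[0/0]
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1634/1634] linked_values[48/0]
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[505/543] linked_values[0/0]
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[646/543] linked_values[389/0]
No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!: Object class violation
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
"""

# Progress lines: "Partition[<naming context>] objects[done/total] ..."
PROGRESS = re.compile(
    r"^(?:Schema-DN|Partition)\[(?P<nc>[^\]]+)\] objects\[(?P<done>\d+)/(?P<total>\d+)\]"
)
# The error names the DN between "for " and the first "!".
BAD_OBJECT = re.compile(
    r"No objectClass found in replPropertyMetaData for (?P<dn>.+?)!"
)

def summarize_join(output):
    """Return last progress per naming context and the DNs that broke the join."""
    current_nc = None      # naming context of the most recent progress line
    failing_nc = None      # naming context being replicated at the first error
    progress = {}
    bad_objects = []
    for line in output.splitlines():
        m = PROGRESS.match(line)
        if m:
            current_nc = m["nc"]
            progress[current_nc] = (int(m["done"]), int(m["total"]))
            continue
        m = BAD_OBJECT.search(line)
        if m:
            if failing_nc is None:
                failing_nc = current_nc
            if m["dn"] not in bad_objects:   # the error is logged twice
                bad_objects.append(m["dn"])
    return {
        "failed": "Join failed" in output,
        "partition": failing_nc,
        "progress": progress,
        "bad_objects": bad_objects,
    }
```
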
