[Samba] Joining samba4 as a DC to Windows Server 2012 active directory

Max Luehrig max.luehrig at sophistex.com
Tue Feb 3 02:13:52 MST 2015 

Matthieu Patou <mat <at> samba.org> writes:

> 
> On 04/28/2013 02:57 AM, James-Arthur Eaton Gonzalez wrote:
> > Hello all,
> >
> > I am attempting to join samba4 to my current domain which is controlled by
> > a Windows 2012 Active Directory Server. When following the instructions on
> > the official WIKI:
> >
> > http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> >
> > I am able to do a kinit administrator, which then gives me a ticket which I
> > can see via klist.
> >
> > The problem is that once I run the command:
> >
> >
> > # bin/samba-tool domain join samba.example.com DC -Uadministrator
> > --realm=samba.example.com
> >
> >
> > It does not work. I get the following error:
> > DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8567,
> > 'WERR_DS_INCOMPATIBLE_VERSION')
> >
> > Could this be because of the version of AD? I can't find much
> > around compatibility of this version of Windows. Any help is greatly
> > appreciated.
> What is the level of your forest and domain, I suspect that you have a 
> 2012 Forest and Domain level.
> 
> For the moment we don't support this and we still have a schema issue 
> with 2012 so you'd better off not using 2012.
> 
> Matthieu.
> 


Hi Matthieu,

I will warm up this story again. 

We are using Windows 2012 R2 Domain Controller with AD level 2008 R2. 

samba-tool domain join STX.CORP  DC -UAdministrator --realm=STX.CORP
Finding a writeable DC for domain 'STX.CORP'
Found DC MAINFRAME.stx.corp
Password for [STX\Administrator]:
workgroup is STX
realm is stx.corp
checking sAMAccountName
Adding CN=DC02,OU=Domain Controllers,DC=stx,DC=corp
Adding CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=stx,DC=corp
Adding CN=NTDS
Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=st          
      x,DC=corp
DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8612,
'WERR_DS_DOM                 AIN_RENAME_IN_PROGRESS')
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC02,OU=Domain Controllers,DC=stx,DC=corp
Deleted CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=stx,DC=corp
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175,                  in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line
555, in                  run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1075, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 541, in
join_add                 _objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 474, in
join_add                 _ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 437, in
DsAddEnt                 ry
    raise RuntimeError("DsAddEntry failed")


Anything that I can do for you to analyze the issue?
We are running CentOS 7 with latest Sernet Samba package (Version
4.1.16-SerNet-RedHat-10.el7).

Many thanks,
Max

More information about the samba mailing list