[Samba] Many errors after adding SAMBA 4.1 as 2nd AD in Win 2008 domain

Arch Willingham arch at tuparks.com
Sun Jan 18 16:40:41 MST 2015


Not even sure where to begin. I've attempted to set up a Ubuntu 14.04 box as a 2nd AD controller in a Windows 2008 domain. The main domain controller is an actual Windows machine. Unfortunately it is an older domain and is a ".local", which I know gives y'all heartburn.

After installing samba, I did not provision it but ran this: "sudo samba-tool domain join MYDOMAIN.LOCAL DC -U administrator"


It ran, I saw all the info get copied over from the domain and it seemed to work. I can go into Windows and use it to open the Samba domain controller. The problem is all the errors on both the Ubuntu box and the Windows domain controller.

If I run " sudo samba-tool domain level show"

ldb_wrap open of secrets.ldb
Domain and forest function level for domain 'DC=MYDOMAIN,DC=local'

Forest function level: (Windows) 2008
Domain function level: (Windows) 2008
Lowest function level of a DC: (Windows) 2008



If I issue "smbclient -L localhost -U%", I get this:


Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        fileshare       Disk
        IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            VMWARE_UEB

Typical errors in /var/log/samba/log.samba

[2015/01/18 18:30:26.551835,  0] ../source4/smbd/server.c:492(binary_smbd_main)
  samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/01/18 18:30:26.614689,  3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'rpcecho' registered
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/01/18 18:30:26.631091,  3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'epmapper' registered

2015/01/18 17:37:15.239428,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:fa2f509c-accf-442f-b7f2-9497bb286180._msdcs.MYDOMAIN.local[1029,seal,krb5] NT_STATUS_NO_LOGON_SERVERS
[2015/01/18 17:37:25.439073,  3] ../source4/auth/gensec/gensec_gssapi.c:309(gensec_gssapi_client_creds)
  Cannot reach a KDC we require to contact GC/WINDOWSDC.MYDOMAIN.local/MYDOMAIN.local : kinit for LINUXDC$@MYDOMAIN.local failed (Cannot contact any KDC for requested realm)

Typical errors in Windows event log (Domain controller)

Error

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
 LINUXDC
Failing DNS host name:
 b952c564-4c5a-4f7d-854b-18e309f6e969._msdcs.MYDOMAIN.local


Error

Replication of application directory partition DC=MYDOMAIN,DC=local from source b952c564-4c5a-4f7d-854b-18e309f6e969 has been aborted. Replication requires consistent schema but last attempt to synchornize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved..


Error

Replication of application directory partition CN=Configuration,DC=MYDOMAIN,DC=local from source b952c564-4c5a-4f7d-854b-18e309f6e969 has been aborted. Replication requires consistent schema but last attempt to synchornize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved.


Error

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
 LINUXDC.MYDOMAIN.local
Failing DNS host name:
 b952c564-4c5a-4f7d-854b-18e309f6e969._msdcs.MYDOMAIN.local


Error

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=Partitions,CN=Configuration,DC=MYDOMAIN,DC=local

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.



Error


This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=RID Manager$,CN=System,DC=MYDOMAIN,DC=local

Error

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=Infrastructure,DC=MYDOMAIN,DC=local


Error


This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=MYDOMAIN,DC=local

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Samba configuration file /etc/samba/smb.conf

# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.local
    netbios name = LINUXDC
    server role = active directory domain controller
    allow dns updates = nonsecure and secure
    dns forwarder = 10.10.10.23
    log level = 3
    # this fix stops the syslog
    # being spammed by the lack of a CUPS server.
    printing = CUPS
    printcap name = /dev/nul

[netlogon]
    path = /var/lib/samba/sysvol/MYDOMAIN.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[fileshare]
    writeable = yes
    path = /mnt/datastorage/sambastuff



/etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.0.233
search mydomain.local


/etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = MYDOMAIN.LOCAL

[realms]
    MYDOMAIN.LOCAL = {
        kdc = WAREHOUSE.MYDOMAIN.LOCAL
        admin_server = LINUXDC.MYDOMAIN.LOCAL
    }

[domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL
