[Samba] Fail to join a DC to a Domain

Francesco Berni francesco.berni at labs.it
Sat Jan 30 12:28:25 UTC 2016


Hi,
my coworkers and I are trying to migrate a Samba 3 domain to a Samba4 one.
So far we have done a classicupgrade and imported all the LDAP entries to a
DC without problems, following the doc
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)

Now we are trying to join another DC following this guide
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#Preconditions
but when we try to join we fail with the attached error.

With --debug=4 I see that it stops there before failing the join.
> DRS replication uptodate modify message:
> dn: DC=mydomain,DC=net
> changetype: modify
> replace: replUpToDateVector
> replUpToDateVector:: [Data here too]
> -
> replace: repsFrom
> repsFrom:: [data here]
> -
>
>
> Replicated 402 objects (0 linked attributes) for DC=mydomain,DC=net
>


If I do the join while DC01 is empty of any LDAP records it has no problem.

I spent a couple of days with this problem, searching and trying, and I
really have no idea how to solve it.
Any kind of advice would be useful.

PS: if it can be useful, I'm using Samba 4.3.3, but I tried with the
latest version from git and the problem is exactly the same.

Thank you in advance

-- 
Francesco Berni 
Laboratori Guglielmo Marconi S.p.a. 
web: http://www.labs.it - email: francesco.berni at labs.it 

-------------- next part --------------
$ samba-tool domain join mydomain.net DC -Umorigi --realm=MYDOMAIN.NET --dns-backend=BIND9_DLZ -d3 --server=dc01.mydomain.net
lpcfg_load: refreshing parameters from /usr/local/samba-4.3.3/etc/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name dc01.mydomain.net<0x20>
Password for [MY_DOMAIN\morigi]:
Server ldap/dc01.mydomain.net at MYDOMAIN.NET is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/dc01.mydomain.net at MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
workgroup is MY_DOMAIN
realm is mydomain.net
checking sAMAccountName
Adding CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Adding CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Using binding ncacn_ip_tcp:dc01.mydomain.net[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc01.mydomain.net<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc01.mydomain.net<0x20>
Server ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Adding SPNs to CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Setting account password for DC02$
Enabling account
Adding DNS account CN=dns-DC02,CN=Users,DC=mydomain,DC=net with dns/ SPN
Setting account password for dns-DC02
Calling bare provision
lpcfg_load: refreshing parameters from /usr/local/samba-4.3.3/etc/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba-4.3.3/private/krb5.conf
Provision OK for domain DN DC=mydomain,DC=net
Starting replication
Using binding ncacn_ip_tcp:dc01.mydomain.net[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc01.mydomain.net<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc01.mydomain.net<0x20>
Server ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1691] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[804/1691] linked_values[0/0]
1Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1691] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1608/1691] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1691/1691] linked_values[28/0]
Replicated 83 objects (28 linked attributes) for CN=Configuration,DC=mydomain,DC=net
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=net] objects[98/98] linked_values[1069/0]
Replicated 98 objects (1069 linked attributes) for DC=mydomain,DC=net
Partition[DC=mydomain,DC=net] objects[500/16885] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for DC=mydomain,DC=net
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Deleted CN=dns-DC02,CN=Users,DC=mydomain,DC=net
Deleted CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Deleted CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/netcmd/domain.py", line 651, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py", line 1205, in join_DC
    ctx.do_join()
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py", line 1109, in do_join
    ctx.join_replicate()
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py", line 838, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/drs_utils.py", line 253, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)


