[Samba] Can't add new DC

MORILLO Jordi J.Morillo at educationetformation.fr
Fri Mar 11 08:51:55 UTC 2016


Hi Denis,

Thanks for your advice.
I had your Kerberos problem in a large environment in mind, but I was thinking the problem occurred at 20 or more DCs.
So last night I modified all my krb5.conf files (DCs and file server) as you suggested, but the problem persists.

root at dc111:~# samba-tool domain join pr.educationetformation.fr DC -U administrator --realm=PR.EDUCATIONETFORMATION.FR -W PR --dns-backend=BIND9_DLZ --site=PetitQuevilly --server=smb4dc.pr.educationetformation.fr
Password for [PR\administrator]:
workgroup is PR
realm is pr.educationetformation.fr
checking sAMAccountName
Adding CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
Adding CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
Adding CN=NTDS Settings,CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
Adding SPNs to CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
Setting account password for DC111$
Join failed - cleaning up
checking sAMAccountName
ERROR(runtime): uncaught exception - samr_LookupNames for [DC111$] failed: NT_STATUS_NONE_MAPPED
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 621, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1170, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1073, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 602, in join_add_objects
    newpassword=ctx.acct_pass)

Today, I will try to join the domain as a member server instead of a DC.

The new Douglas KCC is not working as expected in my environment.
I followed all the instructions (smb.conf modification, restart samba, etc.).
Step by step I deleted the NTDS connections and created a star topology by hand:
smb4dc is my bridgehead; there is a manual NTDS connection replicating to all other DCs.
Each of my DCs has a single manual NTDS connection replicating to smb4dc.

The new Douglas KCC seems pretty good because there are no more automatically generated connections in Active Directory "Sites and Services", but samba-tool drs showrepl still shows a full mesh replication.
repsFrom and repsTo in each LDAP partition have not been updated/deleted even if I manually launch samba_kcc by hand.

Cheers

Jordi

-----Original Message-----
From: Denis Cardon [mailto:denis.cardon at tranquil-it-systems.fr]
Sent: Thursday 10 March 2016 09:39
To: MORILLO Jordi <J.Morillo at educationetformation.fr>; samba at lists.samba.org
Subject: Re: [Samba] Can't add new DC

Hi Jordi,

> I'm trying to add new DC to my existent domain (18 Samba4 DC) but this time, domain join stuck after setting account password.
> I have tried so many things but at this point, i really don't know what to do.
>
> I can see the new dc111 computer object on smb4dc serveur but the object is disable.
> If someone have an idea...

Could you try to see if it gets better if you don't use auto-discovery in /etc/krb5.conf? That is to say, you point the krb5.conf kdc to itself and to the kdc on the main site.

This is one issue I had once on a project in Africa with about 24 sites, and after setting up 12-13 DCs, I started to have timeouts on join.
Indeed, during the join it looks like the process tries to contact all the KDCs referenced in the /etc/krb5.conf file (which is all DCs if you use auto-discovery), even if you have already configured "sites and services" properly.

In that case, the VPN had a star topology, with no ICMP-unreachable reply (i.e. DROP rules) when a branch tried to contact another branch, plus 500ms of latency through the sat link.

Changing the /etc/krb5.conf file did the trick. Something like this should do it:

[libdefaults]
        default_realm = TRANQUILIT.LAN
        dns_lookup_realm = false
[realms]
        TRANQUILIT.LAN = {
                kdc = 10.100.0.11  # itself
                kdc = 10.0.0.11    # hub site kdc
        }

# the section is named [domain_realm] (singular); a misspelled section name is silently ignored
[domain_realm]
        .tranquilit.lan = TRANQUILIT.LAN
        tranquilit.lan = TRANQUILIT.LAN

Once the DC is up and running, it should take the "sites and services" topology definition into account and only try to contact the hub site DCs (if that is what is configured).

By the way, are you using Douglas's new KCC? It is a must when you have a larger topology!

Cheers,

Denis


>
> Best regards
>
>
> root at dc111:~# samba-tool domain join pr.educationetformation.fr DC -U administrator --realm=PR.EDUCATIONETFORMATION.FR -W PR --dns-backend=BIND9_DLZ --site=PetitQuevilly --server=smb4dc.pr.educationetformation.fr
> Password for [PR\administrator]:
> workgroup is PR
> realm is pr.educationetformation.fr
> checking sAMAccountName
> Adding CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
> Adding CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
> Adding CN=NTDS Settings,CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
> Adding SPNs to CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
> Setting account password for DC111$

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
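As an added example (not code from this thread, from Samba, or from either poster), here is a small Python checker for the explicit-KDC krb5.conf setup Denis describes: it confirms the default realm lists its KDCs explicitly, that dns_lookup_realm is off, and that a [domain_realm] mapping exists, and it flags section names the Kerberos library would silently ignore. The parser is a minimal one written here (no include handling), and the sample config is constructed to mirror the one quoted above, deliberately keeping the "[domain_realms]" section name so the checker has something to report.

```python
import re

# Constructed sample modelled on the config quoted in the thread (not a real host's file).
# It deliberately keeps the "[domain_realms]" section name so the checker has something to flag.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = TRANQUILIT.LAN
    dns_lookup_realm=false
[realms]
    TRANQUILIT.LAN = {
        kdc = 10.100.0.11  # itself
        kdc = 10.0.0.11    # hub site kdc
    }

[domain_realms]
    .tranquilit.lan = TRANQUILIT.LAN
    tranquilit.lan = TRANQUILIT.LAN
"""

# Section names the MIT/Heimdal libraries actually read; anything else is silently ignored.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging", "kdc", "dbmodules"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser returning {section: {key: [values]}}.

    A "key = {" block becomes a nested dict inside the key's value list.
    Text after '#' is dropped as a comment; include/includedir are not handled.
    """
    sections = {}
    stack = []  # innermost dict last; empty until the first [section] header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # key outside any section: ignored, as the library would
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def get_kdcs(text, realm=None):
    """Explicit kdc entries for the realm (default: default_realm), in file order."""
    conf = parse_krb5_conf(text)
    realm = realm or conf.get("libdefaults", {}).get("default_realm", [None])[0]
    blocks = [b for b in conf.get("realms", {}).get(realm, []) if isinstance(b, dict)]
    return [kdc for b in blocks for kdc in b.get("kdc", [])]


def check_krb5_conf(text):
    """Findings (strings) against the explicit-KDC setup; an empty list means it matches."""
    conf = parse_krb5_conf(text)
    findings = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            findings.append("unknown section [%s] is ignored by the Kerberos library" % name)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
        return findings
    if not get_kdcs(text, realm):
        findings.append("realm %s lists no kdc; KDCs will be found via DNS SRV, i.e. every DC" % realm)
    if libdefaults.get("dns_lookup_realm", ["true"])[0].lower() != "false":
        findings.append("dns_lookup_realm is not false")
    if "domain_realm" not in conf:
        findings.append("no [domain_realm] mapping for the realm")
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(SAMPLE_KRB5_CONF) or ["OK"]:
        print(finding)
```

Run it against a DC's real /etc/krb5.conf by reading the file into check_krb5_conf; on the constructed sample it reports the ignored [domain_realms] section and the resulting missing [domain_realm] mapping, and reports nothing once the section is renamed.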



