[Samba] Unable to join DC to domain

mathias dufresne infractory at gmail.com
Tue Mar 22 14:11:34 UTC 2016


Hi JS,

You said in your first mail that you have this very same behaviour with two new
VMs you tried to join to your AD domain.

I expect you haven't just copied your VMs' disks without changing the VMs'
hostname and FQDN. I expect you don't fully re-use smb.conf from another DC
(you can do that, but you must change the hostname in smb.conf).

You have disabled SELinux too.

So you have 3 systems to be AD DCs:
cbaddc01 (working and running)
cbaddc02 (one of the two new VMs which refuses to be joined to the AD domain
hosted on cbaddc01)
cbaddc03 (the other new VM, which also refuses to be joined)

I found this a few minutes ago, speaking about LDB: http://somewoman.com/?p=261
Two options there interested me regarding your issue:
--cross-ncs to search not only in the main DIT
--show-deleted to show deleted objects

In addition, the --show-binary switch can be used to decode base64-encoded
values when needed.

As I have no real idea about your issue, I would first try to set up a new
VM with a different name, a very different name, to test whether your domain
refuses to add any new DC (whatever the name) or only DCs with names
already used.
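One way to run the checks described above (search across all naming contexts, include deleted objects, decode binary values) against a sam.ldb dump, as an added example that is not part of this thread and not code from the Samba project. It assumes ldbsearch is on the PATH, that sam.ldb lives under /usr/local/samba/private for a /usr/local build, and that objectSid is printed as an S-1-5-... string; the LDIF-style sample embedded in the script is constructed, not taken from the poster's domain.

```python
"""Check a Samba sam.ldb dump for objects already holding a SID or account name.

Added example for this thread; not code from the Samba project or from anyone
in the discussion. It only parses the LDIF-style text that ldbsearch prints,
so it can also be run offline against a saved dump. The sample below is
constructed.
"""
import base64
import subprocess
from collections import defaultdict

SAM_LDB = "/usr/local/samba/private/sam.ldb"  # assumed path for a /usr/local build


def ldbsearch_argv(sam_ldb=SAM_LDB, expression="(objectClass=computer)"):
    """argv for ldbsearch with the switches discussed in the thread:
    --cross-ncs searches every partition, --show-deleted includes tombstones
    (which still own their objectSid), --show-binary decodes binary attributes."""
    return ["ldbsearch", "-H", sam_ldb, "--cross-ncs", "--show-deleted",
            "--show-binary", expression, "objectSid", "sAMAccountName", "isDeleted"]


def parse_ldif(text):
    """Parse LDIF-style output into a list of {attribute: [values]} dicts.
    Handles '# record N' comments, folded continuation lines (leading space)
    and base64 values written as 'attr:: ...'."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]          # unfold a wrapped value
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, sep, value = raw.partition("::")
        if sep:                                          # base64-encoded value
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        else:
            attr, _, value = raw.partition(":")
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value)
    if current:
        entries.append(current)
    return entries


def is_deleted(entry):
    return entry.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"


def holders_of_sid(entries, sid):
    """(dn, deleted?) for every object owning this objectSid, tombstones included."""
    return [(e["dn"][0], is_deleted(e)) for e in entries if sid in e.get("objectSid", [])]


def holders_of_name(entries, name):
    """(dn, deleted?) for every object with this sAMAccountName (case-insensitive)."""
    name = name.lower()
    return [(e["dn"][0], is_deleted(e)) for e in entries
            if any(v.lower() == name for v in e.get("sAMAccountName", []))]


def sid_conflicts(entries):
    """objectSid values held by more than one object. Empty in a healthy database,
    because ldb keeps a unique index on objectSid (the index named in the join error)."""
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e.get("objectSid", []):
            by_sid[sid].append(e["dn"][0])
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}


# Constructed sample: one live DC object and one tombstone that still owns its
# SID and account name (the second DN is folded the way ldbsearch wraps long lines).
SAMPLE = r"""# record 1
dn: CN=CBADC02,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
sAMAccountName: CBADC02$

# record 2
dn: CN=CBADC03\0ADEL:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,CN=Deleted Objects,DC=c
 b,DC=cliffbells,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountName:: Q0JBREMwMyQ=
isDeleted: TRUE

# returned 2 records
"""


def run_dump(sam_ldb=SAM_LDB):
    """Run ldbsearch for real (needs the Samba binary and read access to sam.ldb)."""
    return subprocess.run(ldbsearch_argv(sam_ldb), check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    text = run_dump(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    entries = parse_ldif(text)
    print("duplicate objectSid values:", sid_conflicts(entries) or "none")
    for dn, dead in holders_of_name(entries, "CBADC03$"):
        print(f"{'tombstone' if dead else 'live object'} holds CBADC03$: {dn}")
```

Run without arguments to see the parser on the constructed sample, or pass the path to sam.ldb to dump a real database; a tombstone reported as holding the new DC's account name or SID is exactly what --show-deleted is meant to surface, and what a plain ldbsearch or ADUC would hide.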


2016-03-21 22:25 GMT+01:00 IT Admin <it at cliffbells.com>:

> No dice.
>
> Logged in to a workstation with RSAT installed.  Added computer to OU
> Domain Controllers, closed ADUC, attempted join again.
>
> itwerks at cbadc03:~$ kinit Administrator
> Password for Administrator at CB.CLIFFBELLS.COM:
> itwerks at cbadc03:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Administrator at CB.CLIFFBELLS.COM
>
> Valid starting       Expires              Service principal
> 03/21/2016 17:21:42  03/22/2016 03:21:42  krbtgt/
> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>         renew until 03/22/2016 17:21:29, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
> --dns-backend=SAMBA_INTERNAL
> [sudo] password for itwerks:
> Finding a writeable DC for domain 'cb.cliffbells.com'
> Found DC filer.cb.cliffbells.com
> Password for [WORKGROUP\administrator]:
> workgroup is CB
> realm is cb.cliffbells.com
> checking sAMAccountName
> Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
> <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
> objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
> CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 621, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1183, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1086, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 536, in join_add_objects
>     ctx.samdb.add(rec)
> itwerks at cbadc03:~
>
> Please advise.
>
> JS
> On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny at samba.org> wrote:
>
> > On 21/03/16 04:26, IT Admin wrote:
> >
> >> I cannot join two new VMs to my domain, I receive the following error on
> >> both machines:
> >>
> >> twerks at cbadc03:~$ kinit Administrator
> >> Password for Administrator at CB.CLIFFBELLS.COM:
> >> itwerks at cbadc03:~$ klist -e
> >> Ticket cache: FILE:/tmp/krb5cc_1000
> >> Default principal: Administrator at CB.CLIFFBELLS.COM
> >>
> >> Valid starting       Expires              Service principal
> >> 03/21/2016 00:19:56  03/21/2016 10:19:56  krbtgt/
> >> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
> >>          renew until 03/22/2016 00:19:41, Etype (skey, tkt):
> >> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
> >> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
> >> --dns-backend=SAMBA_INTERNAL
> >> Finding a writeable DC for domain 'cb.cliffbells.com'
> >> Found DC filer.cb.cliffbells.com
> >> Password for [WORKGROUP\administrator]:
> >> workgroup is CB
> >> realm is cb.cliffbells.com
> >> checking sAMAccountName
> >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> >> Join failed - cleaning up
> >> checking sAMAccountName
> >> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
> >> <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
> >> objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
> >> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
> >> CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
> >>    File
> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >> line 175, in _run
> >>      return self.run(*args, **kwargs)
> >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> >> line 621, in run
> >>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> >> 1183, in join_DC
> >>      ctx.do_join()
> >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> >> 1086, in do_join
> >>      ctx.join_add_objects()
> >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> >> 536, in join_add_objects
> >>      ctx.samdb.add(rec)
> >> itwerks at cbadc03:~$
> >>
> >> Neither machine exists in ADUC on either of my current DCs.  Neither
> >> machine has any records in DNS.  I ran ldbsearch and dumped its output to
> >> a text file, there are no references to either machine name in the file.
> >>
> >> Please advise.
> >>
> >> JS
> >>
> >
> > The join seems to be failing because it seems to be trying to add an
> > objectsid that already exists:
> >
> > unique index violation on objectSid in CN=CBADC03,OU=Domain
> > Controllers,DC=cb,DC=cliffbells,DC=com
> >
> > Try pre-creating the computer in 'OU=Domain
> > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >