[Samba] Unable to join DC to domain

IT Admin it@cliffbells.com
Sun Mar 27 04:15:05 UTC 2016


Good times...

Spent hours today rolling a fresh VM.

FAIL

itwerks@testes:~$ kinit administrator
Password for administrator@CB.CLIFFBELLS.COM:
itwerks@testes:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@CB.CLIFFBELLS.COM

Valid starting       Expires              Service principal
03/27/2016 00:07:04  03/27/2016 10:07:04  krbtgt/CB.CLIFFBELLS.COM@CB.CLIFFBELLS.COM
        renew until 03/28/2016 00:06:59, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks@testes:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
    ctx.samdb.add(rec)


sigh.

*&@$^@&$(@*$&@^$@!)($#)(^)%@*%_

Please advise.

JS

On Fri, Mar 25, 2016 at 1:19 PM, IT Admin <it@cliffbells.com> wrote:

> "I expect you haven't just copied your VM disks without changing the VM
> hostname and FQDN. I expect you haven't fully re-used smb.conf from another DC
> (you can do that, but you must change the hostname in smb.conf)."
>
> 1) These are new Ubuntu VMs, not cloned, built from scratch.  I tried
> joining them with no smb.conf in /usr/local/samba/etc
>
> You have disabled SELinux too
>
> 2) AFAIK Ubuntu uses apparmor, not selinux.  I have not disabled apparmor.
>
> 3) --show-deleted reveals a single instance of cbadc02:
>
> itwerks@filer:~$ sudo /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted > ldbsearch_cross-ncs_deleted.txt
> itwerks@filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep cbadc
> dNSHostName: cbadc02.cb.cliffbells.com
> dNSHostName: cbadc01.cb.cliffbells.com
> dn: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
> name: cbadc01
> dc: cbadc01
> distinguishedName: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDn
> dNSHostName: cbadc01.cb.cliffbells.com
> dNSHostName: cbadc01.cb.cliffbells.com
> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
> servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
> servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
> dNSHostName: cbadc02.cb.cliffbells.com
> itwerks@filer:~$
>
> This article seems to explain how to resolve this issue from a Windows ADC:
>
> http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
>
> How could I replicate the approach in a Samba AD?
>
> Re: spinning up a new VM, I tried that with cbadc03... I'll try again with
> a radically different hostname this weekend.
>
> JS
>
>
> Hi JS,
>
> You said in your first mail that you have this very same behaviour with two new
> VMs you tried to join to your AD domain.
>
> I expect you haven't just copied your VM disks without changing the VM
> hostname and FQDN. I expect you haven't fully re-used smb.conf from another DC
> (you can do that, but you must change the hostname in smb.conf).
>
> You have disabled SELinux too.
>
> So you have 3 systems to be AD DCs:
> cbadc01 (working and running)
> cbadc02 (one of the two new VMs which refuse to be joined to the AD domain
> hosted on cbadc01)
> cbadc03 (the other new VM, which also refuses to be joined)
>
> I found this a few minutes ago, speaking about LDB:
> http://somewoman.com/?p=261
> Two options there interested me regarding your issue:
> --cross-ncs to search not only in main DIT
> --show-deleted to show deleted objects
>
> In addition, the --show-binary switch can be used to decode base64-encoded
> values when needed.
>
> As I have no real idea about your issue, I would first try to set up a new
> VM with a different name, a very different name, to test whether your domain
> refuses to add any new DC (whatever the name) or only DCs with names
> already used.
>
> 2016-03-21 22:25 GMT+01:00 IT Admin <it@cliffbells.com>:
>
> > No dice.
> >
> > Logged in to a workstation with RSAT installed. Added the computer to the
> > Domain Controllers OU, closed ADUC, attempted the join again.
> >
> > itwerks@cbadc03:~$ kinit Administrator
> > Password for Administrator@CB.CLIFFBELLS.COM:
> > itwerks@cbadc03:~$ klist -e
> > Ticket cache: FILE:/tmp/krb5cc_1000
> > Default principal: Administrator@CB.CLIFFBELLS.COM
> >
> > Valid starting       Expires              Service principal
> > 03/21/2016 17:21:42  03/22/2016 03:21:42  krbtgt/CB.CLIFFBELLS.COM@CB.CLIFFBELLS.COM
> >         renew until 03/22/2016 17:21:29, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > itwerks@cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
> > [sudo] password for itwerks:
> > Finding a writeable DC for domain 'cb.cliffbells.com'
> > Found DC filer.cb.cliffbells.com
> > Password for [WORKGROUP\administrator]:
> > workgroup is CB
> > realm is cb.cliffbells.com
> > checking sAMAccountName
> > Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> > Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> > Join failed - cleaning up
> > checking sAMAccountName
> > ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
> >     ctx.do_join()
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
> >     ctx.samdb.add(rec)
> > itwerks@cbadc03:~
> >
> > Please advise.
> >
> > JS
> > On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny@samba.org> wrote:
> >
> > > On 21/03/16 04:26, IT Admin wrote:
> > >
> > >> I cannot join two new VMs to my domain; I receive the following error on
> > >> both machines:
> > >>
> > >> itwerks@cbadc03:~$ kinit Administrator
> > >> Password for Administrator@CB.CLIFFBELLS.COM:
> > >> itwerks@cbadc03:~$ klist -e
> > >> Ticket cache: FILE:/tmp/krb5cc_1000
> > >> Default principal: Administrator@CB.CLIFFBELLS.COM
> > >>
> > >> Valid starting       Expires              Service principal
> > >> 03/21/2016 00:19:56  03/21/2016 10:19:56  krbtgt/CB.CLIFFBELLS.COM@CB.CLIFFBELLS.COM
> > >>          renew until 03/22/2016 00:19:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > >> itwerks@cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
> > >> Finding a writeable DC for domain 'cb.cliffbells.com'
> > >> Found DC filer.cb.cliffbells.com
> > >> Password for [WORKGROUP\administrator]:
> > >> workgroup is CB
> > >> realm is cb.cliffbells.com
> > >> checking sAMAccountName
> > >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> > >> Join failed - cleaning up
> > >> checking sAMAccountName
> > >> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >>     return self.run(*args, **kwargs)
> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
> > >>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
> > >>     ctx.do_join()
> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
> > >>     ctx.join_add_objects()
> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
> > >>     ctx.samdb.add(rec)
> > >> itwerks@cbadc03:~$
> > >>
> > >> Neither machine exists in ADUC on either of my current DCs. Neither
> > >> machine has any records in DNS. I ran ldbsearch and dumped its output to
> > >> a text file; there are no references to either machine name in the file.
> > >>
> > >> Please advise.
> > >>
> > >> JS
> > >>
> > >
> > > The join seems to be failing because it appears to be trying to add an
> > > objectSid that already exists:
> > >
> > > unique index violation on objectSid in CN=CBADC03,OU=Domain
> > > Controllers,DC=cb,DC=cliffbells,DC=com
> > >
> > > Try pre-creating the computer in 'OU=Domain
> > > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
> > >
> > > Rowland
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >

