[Samba] Unable to join DC to domain
IT Admin
it at cliffbells.com
Sun Mar 27 06:25:23 UTC 2016
I ran ldbsearch on my sam.ldb
I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join
domain), results are below:
CBADC02 shows up a few times:
# record 1906
dn:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20160310044543.0Z
uSNCreated: 4215
objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
systemFlags: 1375731712
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
isDeleted: TRUE
name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
lastKnownParent:
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
on,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4261
distinguishedName:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
s,DC=com
# record 2372
dn: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
instanceType: 4
whenCreated: 20160310044546.0Z
uSNCreated: 4214
objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
systemFlags: 33554432
cn::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isDeleted: TRUE
name::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
w
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4259
distinguishedName: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321212014.0Z
uSNCreated: 4287
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
whenChanged: 20160327050242.0Z
uSNChanged: 4293
distinguishedName:
CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
leted Objects,DC=cb,DC=cliffbells,DC=com
# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160310044542.0Z
uSNCreated: 4212
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
userAccountControl: 532480
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
whenChanged: 20160318045619.0Z
isDeleted: TRUE
uSNChanged: 4253
name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
distinguishedName:
CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
leted Objects,DC=cb,DC=cliffbells,DC=com
CBADC03 is there once:
# record 3431
dn:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Obje$
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321211933.0Z
uSNCreated: 4286
objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
name::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
whenChanged: 20160327050527.0Z
uSNChanged: 4294
distinguishedName:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Objects,DC=cb,DC=cliffbells,
DC=com
TESTES is nowhere to be found and still fails due to ObjectSID. I don't
understand how that is even possible. I also manually inspected ADUC,
ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
and removed all references to CBADC02 & CBADC03. Replication between FILER
and CBADC01 is successful. RSync replication of sysvol from FILER to
CBADC01 is running via cron.
I am spun. I've been banging my head against Samba since 12/17/2015.
Please advise, I need to get these VMs joined to the domain so I can seize
FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
database every 36 hours.
JS
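As an added example (not code from this thread or from Samba itself), the Python below parses the LDIF that `ldbsearch --cross-ncs --show-deleted` prints, decodes the base64 `::` values that hide the `\n` in a tombstone's CN, reports any objectSid carried by more than one record (the condition behind the "unique index violation on objectSid" in the join error) and lists tombstones whose lastKnownParent was the Domain Controllers OU. The sample LDIF, SID and GUID are constructed placeholders, not values from the posts.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like `ldbsearch --cross-ncs --show-deleted` output: a live
# DC account and a recycled tombstone sharing one objectSid (placeholder SID and GUID).
SAMPLE_LDIF = """\
# record 1
dn: CN=TESTES,OU=Domain Controllers,DC=example,DC=test
objectSid: S-1-5-21-1111-2222-3333-1500

# record 2
dn: CN=TESTES\\0ADEL:0d3362c2-0000-0000-0000-000000000001,CN=Deleted Objects,
 DC=example,DC=test
objectSid: S-1-5-21-1111-2222-3333-1500
cn:: VEVTVEVTCkRFTDowZDMzNjJjMi0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDE=
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=example,DC=test
"""

def parse_ldif(text):
    """Parse ldbsearch LDIF into one {attr: [values]} dict per record: folded lines
    (leading space) are joined and 'attr:: v' values are base64-decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]              # LDIF continuation line
        else:
            unfolded.append(line)
    records, current = [], defaultdict(list)
    for line in unfolded + [""]:                  # trailing "" flushes the last record
        if line.startswith("#") or not line.strip():   # '# record N' or blank: boundary
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # 'attr:: base64' (e.g. the \n in a tombstone CN)
            current[attr].append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            current[attr].append(rest.strip())
    return records

def duplicate_sids(records):
    """Map each objectSid present on more than one record to the DNs carrying it."""
    by_sid = defaultdict(list)
    for rec in records:
        for sid in rec.get("objectSid", []):
            by_sid[sid].append(rec["dn"][0])
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

def deleted_dc_accounts(records):
    # Tombstones whose lastKnownParent was the Domain Controllers OU
    return [rec["dn"][0] for rec in records if rec.get("isDeleted") == ["TRUE"] and
            any(p.startswith("OU=Domain Controllers,") for p in rec.get("lastKnownParent", []))]
```

Run it against a real dump with `parse_ldif(open("ldbsearch_cross-ncs_deleted.txt").read())`; an empty result from `duplicate_sids` means the SID clash is not visible in the dump being searched.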
On Sun, Mar 27, 2016 at 12:15 AM, IT Admin <it at cliffbells.com> wrote:
> Good times...
>
> Spent hours today rolling a fresh VM.
>
> FAIL
>
> itwerks at testes:~$ kinit administrator
> Password for administrator at CB.CLIFFBELLS.COM:
> itwerks at testes:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator at CB.CLIFFBELLS.COM
>
> Valid starting Expires Service principal
> 03/27/2016 00:07:04 03/27/2016 10:07:04 krbtgt/
> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
> renew until 03/28/2016 00:06:59, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> itwerks at testes:~$ sudo /usr/local/samba/bin/samba-tool domain join
> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
> --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'cb.cliffbells.com'
> Found DC filer.cb.cliffbells.com
> Password for [WORKGROUP\administrator]:
> workgroup is CB
> realm is cb.cliffbells.com
> checking sAMAccountName
> Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
> <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
> objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
> CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 621, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1183, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1086, in do_join
> ctx.join_add_objects()
> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 536, in join_add_objects
> ctx.samdb.add(rec)
>
>
> sigh.
>
> *&@$^@&$(@*$&@^$@!)($#)(^)%@*%_
>
> Please advise.
>
> JS
>
> On Fri, Mar 25, 2016 at 1:19 PM, IT Admin <it at cliffbells.com> wrote:
>
>> "I expect you don't have just copied your VMs disks without changing VMs
>> hostname and FQDN. I expect you don't fully re-use smb.conf from another
>> DC
>> (you can do that but you must change hostname into smb.conf)."
>>
>> 1) These are new Ubuntu VMs, not cloned, built from scratch. I tried
>> joining them with no smb.conf in /usr/local/samba/etc
>>
>> You have disabled SELinux too
>>
>> 2) AFAIK Ubuntu uses apparmor, not selinux. I have not disabled apparmor.
>>
>> 3) --show-deleted reveals a single instance of cbadc02:
>>
>> twerks at filer:~$ sudo /usr/local/samba/bin/ldbsearch -H
>> /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted >
>> ldbsearch_cross-ncs_deleted.txt
>> itwerks at filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep
>> cbadc
>> dNSHostName: cbadc02.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dn: DC=cbadc01,DC=cb.cliffbells.com
>> ,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
>> name: cbadc01
>> dc: cbadc01
>> distinguishedName: DC=cbadc01,DC=cb.cliffbells.com
>> ,CN=MicrosoftDNS,DC=DomainDn
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
>> servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
>> servicePrincipalName: ldap/
>> cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
>> servicePrincipalName: ldap/
>> cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
>> dNSHostName: cbadc02.cb.cliffbells.com
>> itwerks at filer:~$
>>
>> This article seems to explain how to resolve this issue from a Windows
>> ADC:
>>
>> http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
>>
>> How could I replicate the approach in a Samba AD?
>>
>> Re: spinning up a new VM, I tried that with cbadc03... I'll try again
>> with a radically different hostname this weekend.
>>
>> JS
>>
>>
>> Hi JS,
>>
>> You said in your first mail you have this very same behaviour with two new
>> VMs you tried to join to your AD domain.
>>
>> I expect you don't have just copied your VMs disks without changing VMs
>> hostname and FQDN. I expect you don't fully re-use smb.conf from another
>> DC
>> (you can do that but you must change hostname into smb.conf).
>>
>> You have disabled SELinux too.
>>
>> So you have 3 systems to be AD DC:
>> cbaddc01 (working and running)
>> cbaddc02 (one of the two new VMs which refuses to be joined to the AD domain
>> hosted on cbaddc01)
>> cbaddc03 (the other new VM, which also refuses to be joined)
>>
>> I found this a few minutes ago while reading about LDB:
>> http://somewoman.com/?p=261
>> Two options there seemed interesting for your issue:
>> --cross-ncs to search not only in the main DIT
>> --show-deleted to show deleted objects
>>
>> In addition --show-binary switch can be used to decode base64 encoded
>> values when needed.
>>
>> As I have no real idea about your issue, I would first try to set up a new
>> VM with a different name, a very different name, to test whether your domain
>> refuses to add any new DC (whatever its name) or only DCs with names
>> already used.
>>
>> 2016-03-21 22:25 GMT+01:00 IT Admin <it at cliffbells.com>:
>>
>> > No dice.
>> >
>> > Logged in to a workstation with RSAT installed. Added computer to OU
>> > Domain Controllers, closed ADUC, attempted join again.
>> >
>> > itwerks at cbadc03:~$ kinit
>> > Administrator
>> > Password for Administrator at CB.CLIFFBELLS.COM:
>> > itwerks at cbadc03:~$ klist
>> > -e
>> > Ticket cache: FILE:/tmp/krb5cc_1000
>> > Default principal: Administrator at CB.CLIFFBELLS.COM
>> >
>> > Valid starting Expires Service principal
>> > 03/21/2016 17:21:42 03/22/2016 03:21:42 krbtgt/
>> > CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> > renew until 03/22/2016 17:21:29, Etype (skey, tkt):
>> > aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
>> > cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
>> > --dns-backend=SAMBA_INTERNAL
>> > [sudo] password for itwerks:
>> > Finding a writeable DC for domain 'cb.cliffbells.com'
>> > Found DC filer.cb.cliffbells.com
>> > Password for [WORKGROUP\administrator]:
>> > workgroup is CB
>> > realm is cb.cliffbells.com
>> > checking sAMAccountName
>> > Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Join failed - cleaning up
>> > checking sAMAccountName
>> > ERROR(ldb): uncaught exception - LDAP error 68
>> LDAP_ENTRY_ALREADY_EXISTS -
>> > <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
>> > objectSid in CN=CBADC03,OU=Domain
>> Controllers,DC=cb,DC=cliffbells,DC=com -
>> > ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on
>> objectSid in
>> > CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> > File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > line 175, in _run
>> > return self.run(*args, **kwargs)
>> > File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>> line
>> > 621, in run
>> > machinepass=machinepass, use_ntvfs=use_ntvfs,
>> dns_backend=dns_backend)
>> > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line
>> > 1183, in join_DC
>> > ctx.do_join()
>> > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line
>> > 1086, in do_join
>> > ctx.join_add_objects()
>> > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> line
>> > 536, in join_add_objects
>> > ctx.samdb.add(rec)
>> > itwerks at cbadc03:~
>> >
>> > Please advise.
>> >
>> > JS
>> > On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny at samba.org> wrote:
>> >
>> > > On 21/03/16 04:26, IT Admin wrote:
>> > >
>> > >> I cannot join two new VMs to my domain, I receive the following
>> error on
>> > >> both machines:
>> > >>
>> > >> twerks at cbadc03:~$ kinit
>> > >> Administrator
>> > >> Password for Administrator at CB.CLIFFBELLS.COM:
>> > >> itwerks at cbadc03:~$ klist -e
>> > >> Ticket cache: FILE:/tmp/krb5cc_1000
>> > >> Default principal: Administrator at CB.CLIFFBELLS.COM
>> > >>
>> > >> Valid starting Expires Service principal
>> > >> 03/21/2016 00:19:56 03/21/2016 10:19:56 krbtgt/
>> > >> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> > >> renew until 03/22/2016 00:19:41, Etype (skey, tkt):
>> > >> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > >> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
>> > >> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
>> > >> --dns-backend=SAMBA_INTERNAL
>> > >> Finding a writeable DC for domain 'cb.cliffbells.com'
>> > >> Found DC filer.cb.cliffbells.com
>> > >> Password for [WORKGROUP\administrator]:
>> > >> workgroup is CB
>> > >> realm is cb.cliffbells.com
>> > >> checking sAMAccountName
>> > >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > >> Join failed - cleaning up
>> > >> checking sAMAccountName
>> > >> ERROR(ldb): uncaught exception - LDAP error 68
>> > LDAP_ENTRY_ALREADY_EXISTS -
>> > >> <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
>> > >> objectSid in CN=CBADC03,OU=Domain
>> > Controllers,DC=cb,DC=cliffbells,DC=com -
>> > >> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on
>> objectSid
>> > >> in
>> > >> CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> > >> File
>> > >>
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > >> line 175, in _run
>> > >> return self.run(*args, **kwargs)
>> > >> File
>> > >>
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>> > >> line
>> > >> 621, in run
>> > >> machinepass=machinepass, use_ntvfs=use_ntvfs,
>> > >> dns_backend=dns_backend)
>> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line
>> > >> 1183, in join_DC
>> > >> ctx.do_join()
>> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line
>> > >> 1086, in do_join
>> > >> ctx.join_add_objects()
>> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line
>> > >> 536, in join_add_objects
>> > >> ctx.samdb.add(rec)
>> > >> itwerks at cbadc03:~$
>> > >>
>> > >> Neither machine exists in ADUC on either of my current DCs. Neither
>> > >> machine has any records in DNS. I ran ldbsearch and dumped its output
>> > >> to a text file; there are no references to either machine name in the
>> > >> file.
>> > >>
>> > >> Please advise.
>> > >>
>> > >> JS
>> > >>
>> > >
>> > > The join seems to be failing because it seems to be trying to add an
>> > > objectsid that already exists:
>> > >
>> > > unique index violation on objectSid in CN=CBADC03,OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com
>> > >
>> > > Try pre-creating the computer in 'OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
>> > >
>> > > Rowland
>> > >
>> > >
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions: https://lists.samba.org/mailman/options/samba
>> > >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>> >
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
More information about the samba
mailing list