[Samba] Unable to join DC to domain

IT Admin it at cliffbells.com
Sun Mar 27 06:25:23 UTC 2016


I ran ldbsearch on my sam.ldb
I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join the
domain); results are below:


CBADC02 shows up a few times:

# record 1906
dn:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20160310044543.0Z
uSNCreated: 4215
objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
systemFlags: 1375731712
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
isDeleted: TRUE
name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
lastKnownParent:
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4261
distinguishedName:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
 rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
 s,DC=com


 # record 2372
dn: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
instanceType: 4
whenCreated: 20160310044546.0Z
uSNCreated: 4214
objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
systemFlags: 33554432
cn::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isDeleted: TRUE
name::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
 w
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4259
distinguishedName: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
 ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
 First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com



 # record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321212014.0Z
uSNCreated: 4287
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
whenChanged: 20160327050242.0Z
uSNChanged: 4293
distinguishedName:
CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
 leted Objects,DC=cb,DC=cliffbells,DC=com





 # record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160310044542.0Z
uSNCreated: 4212
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
userAccountControl: 532480
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
whenChanged: 20160318045619.0Z
isDeleted: TRUE
uSNChanged: 4253
name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
distinguishedName:
CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
 leted Objects,DC=cb,DC=cliffbells,DC=com








 CBADC03 is there once:



 # record 3431
dn:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Obje$
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321211933.0Z
uSNCreated: 4286
objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
 DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
name::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
 wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
whenChanged: 20160327050527.0Z
uSNChanged: 4294
distinguishedName:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
 :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Objects,DC=cb,DC=cliffbells,
 DC=com



 TESTES is nowhere to be found and still fails due to ObjectSID.  I don't
understand how that is even possible.  I also manually inspected ADUC,
ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
and removed all references to CBADC02 & CBADC03.  Replication between FILER
and CBADC01 is successful.  RSync replication of sysvol from FILER to
CBADC01 is running via cron.

I am spun.  I've been banging my head against Samba since 12/17/2015.
Please advise; I need to get these VMs joined to the domain so I can seize
FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
database every 36 hours.


JS
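The ldbsearch dump above is the right place to look, but grepping it for a hostname misses the thing the error message names: a value of objectSid or sAMAccountName that more than one record holds. The tombstones above still carry both attributes (the two CBADC02 tombstones share sAMAccountName CBADC02$ with different SIDs, 1602 and 1122), so any such check has to include deleted and recycled objects. The script below is an added example written for this thread, not code from the thread or from the Samba project. It parses the LDIF that `ldbsearch -H sam.ldb --cross-ncs --show-deleted` prints (record comments, folded continuation lines, base64 `attr::` values), decodes tombstone names, and lists every objectSid or sAMAccountName value held by more than one record together with each holder's live/deleted/recycled state. SAMPLE_LDIF is constructed from the records posted above, trimmed to the attributes the check needs; the CBADC01 live record and its RID 1103 are invented for contrast.

```python
"""Audit an ldbsearch LDIF dump for objectSid / sAMAccountName collisions.
Added example for the thread above, not code from the thread or from Samba;
input is what `ldbsearch -H sam.ldb --cross-ncs --show-deleted` prints."""
import base64
import re
import sys
from collections import defaultdict

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")  # "attr: v" / "attr:: b64"

# Constructed sample shaped like the thread's dump, trimmed to what this check needs.
SAMPLE_LDIF = r"""# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk

# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
isDeleted: TRUE
isRecycled: TRUE

# record 3431
dn: CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
isRecycled: TRUE
cn:: Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
 DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=

# constructed live record; RID 1103 is invented
dn: CN=CBADC01,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1103
sAMAccountName: CBADC01$
"""

def unfold(text):
    """Join LDIF continuation lines: a leading space appends to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """One {attr: [values]} dict per record; 'attr::' values are base64-decoded."""
    records, current = [], defaultdict(list)
    for line in unfold(text) + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        m = ATTR_RE.match(line)
        if not m: raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[attr].append(value)
    return records

def state(rec):
    """'recycled', 'deleted' or 'live', from the isRecycled / isDeleted flags."""
    flag = lambda k: rec.get(k, [""])[0].upper() == "TRUE"
    return "recycled" if flag("isRecycled") else "deleted" if flag("isDeleted") else "live"

def tombstone_parts(cn):
    """Split tombstone cn 'NAME<LF>DEL:<guid>' (shown as \\0ADEL: in the dn) into (NAME, guid)."""
    name, sep, rest = cn.partition("\nDEL:")
    return (name, rest.split("\n", 1)[0]) if sep else (cn, None)

def collisions(records, attr, casefold=False):
    """Map each value of attr held by more than one record to those records."""
    groups = defaultdict(list)
    for rec in records:
        for value in rec.get(attr, []):
            groups[value.lower() if casefold else value].append(rec)
    return {k: v for k, v in groups.items() if len(v) > 1}

def report(text):
    """Collision lines for a dump, tombstones included; returned, not printed."""
    records, lines = parse_ldif(text), []
    for attr, fold in (("sAMAccountName", True), ("objectSid", False)):
        for value, recs in sorted(collisions(records, attr, fold).items()):
            lines.append("%s %s held by %d records:" % (attr, value, len(recs)))
            lines += ["  %-8s %s  %s" % (state(r), r.get("objectSid", ["-"])[0], r["dn"][0]) for r in recs]
    return lines

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    print("\n".join(report(text)) or "no collisions")
```

Run it against a fresh dump written to a file on the DC (`ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted > dump.ldif`, then `python3 ldb_collisions.py dump.ldif`) rather than against the text pasted into mail: mail wrapping moves values onto lines without the LDIF continuation space and the terminal truncated long DNs with `$`, so the pasted copy does not parse. The decoded cn also shows why tombstone names come back base64-encoded: the RDN is the original name followed by a newline and `DEL:<objectGUID>`, which the dn renders as `\0ADEL:`.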








On Sun, Mar 27, 2016 at 12:15 AM, IT Admin <it at cliffbells.com> wrote:

> Good times...
>
> Spent hours today rolling a fresh VM.
>
> FAIL
>
> itwerks at testes:~$ kinit administrator
> Password for administrator at CB.CLIFFBELLS.COM:
> itwerks at testes:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator at CB.CLIFFBELLS.COM
>
> Valid starting       Expires              Service principal
> 03/27/2016 00:07:04  03/27/2016 10:07:04  krbtgt/
> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>         renew until 03/28/2016 00:06:59, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> itwerks at testes:~$ sudo /usr/local/samba/bin/samba-tool domain join
> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
> --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'cb.cliffbells.com'
> Found DC filer.cb.cliffbells.com
> Password for [WORKGROUP\administrator]:
> workgroup is CB
> realm is cb.cliffbells.com
> checking sAMAccountName
> Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
>  <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
> objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
> CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 621, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1183, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1086, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 536, in join_add_objects
>     ctx.samdb.add(rec)
>
>
> sigh.
>
> *&@$^@&$(@*$&@^$@!)($#)(^)%@*%_
>
> Please advise.
>
> JS
>
> On Fri, Mar 25, 2016 at 1:19 PM, IT Admin <it at cliffbells.com> wrote:
>
>> "I expect you have not just copied your VMs' disks without changing the VMs'
>> hostname and FQDN. I expect you do not fully re-use smb.conf from another DC
>> (you can do that, but you must change the hostname in smb.conf)."
>>
>> 1) These are new Ubuntu VMs, not cloned, built from scratch.  I tried
>> joining them with no smb.conf in /usr/local/samba/etc
>>
>> You have disabled SELinux too
>>
>> 2) AFAIK Ubuntu uses apparmor, not selinux.  I have not disabled apparmor.
>>
>> 3) --show-deleted reveals a single instance of cbadc02:
>>
>> twerks at filer:~$ sudo /usr/local/samba/bin/ldbsearch -H
>> /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted >
>> ldbsearch_cross-ncs_deleted.txt
>> itwerks at filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep
>> cbadc
>> dNSHostName: cbadc02.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dn: DC=cbadc01,DC=cb.cliffbells.com
>> ,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
>> name: cbadc01
>> dc: cbadc01
>> distinguishedName: DC=cbadc01,DC=cb.cliffbells.com
>> ,CN=MicrosoftDNS,DC=DomainDn
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
>> servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
>> servicePrincipalName: ldap/
>> cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
>> servicePrincipalName: ldap/
>> cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
>> dNSHostName: cbadc02.cb.cliffbells.com
>> itwerks at filer:~$
>>
>> This article seems to explain how to resolve this issue from a Windows
>> ADC:
>>
>> http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
>>
>> How could I replicate the approach in a Samba AD?
>>
>> Re: spinning up a new VM, I tried that with cbadc03... I'll try again
>> with a radically different hostname this weekend.
>>
>> JS
>>
>>
>> Hi JS,
>>
>> You said in your first mail that you have this very same behaviour with two
>> new VMs you tried to join to your AD domain.
>>
>> I expect you have not just copied your VMs' disks without changing the VMs'
>> hostname and FQDN. I expect you do not fully re-use smb.conf from another DC
>> (you can do that, but you must change the hostname in smb.conf).
>>
>> You have disabled SELinux too.
>>
>> So you have 3 systems to be AD DCs:
>> cbadc01 (working and running)
>> cbadc02 (one of the two new VMs which refuse to be joined to the AD domain
>> hosted on cbadc01)
>> cbadc03 (the other new VM, which also refuses to be joined)
>>
>> I found this a few minutes ago, speaking about LDB:
>> http://somewoman.com/?p=261
>> Two options here interested me regarding your issue:
>> --cross-ncs to search not only in the main DIT
>> --show-deleted to show deleted objects
>>
>> In addition, the --show-binary switch can be used to decode base64-encoded
>> values when needed.
>>
>> As I have no real idea about your issue, I would first try to set up a new
>> VM with a different name, a very different name, to test whether your domain
>> refuses to add any new DC (whatever the name) or only DCs with names
>> already used.
>>
>> 2016-03-21 22:25 GMT+01:00 IT Admin <it at cliffbells.com>:
>>
>> > No dice.
>> >
>> > Logged in to a workstation with RSAT installed.  Added computer to OU
>> > Domain Controllers, closed ADUC, attempted join again.
>> >
>> > itwerks at cbadc03:~$ kinit
>> > Administrator
>> > Password for Administrator at CB.CLIFFBELLS.COM:
>> > itwerks at cbadc03:~$ klist
>> > -e
>> > Ticket cache: FILE:/tmp/krb5cc_1000
>> > Default principal: Administrator at CB.CLIFFBELLS.COM
>> >
>> > Valid starting       Expires              Service principal
>> > 03/21/2016 17:21:42  03/22/2016 03:21:42  krbtgt/
>> > CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> >         renew until 03/22/2016 17:21:29, Etype (skey, tkt):
>> > aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
>> > cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
>> > --dns-backend=SAMBA_INTERNAL
>> > [sudo] password for itwerks:
>> > Finding a writeable DC for domain 'cb.cliffbells.com'
>> > Found DC filer.cb.cliffbells.com
>> > Password for [WORKGROUP\administrator]:
>> > workgroup is CB
>> > realm is cb.cliffbells.com
>> > checking sAMAccountName
>> > Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Join failed - cleaning up
>> > checking sAMAccountName
>> > ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
>> > <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
>> > objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
>> > ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
>> > CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> >   File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > line 175, in _run
>> >     return self.run(*args, **kwargs)
>> >   File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>> > line 621, in run
>> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line 1183, in join_DC
>> >     ctx.do_join()
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line 1086, in do_join
>> >     ctx.join_add_objects()
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > line 536, in join_add_objects
>> >     ctx.samdb.add(rec)
>> > itwerks at cbadc03:~
>> >
>> > Please advise.
>> >
>> > JS
>> > On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny at samba.org> wrote:
>> >
>> > > On 21/03/16 04:26, IT Admin wrote:
>> > >
>> > >> I cannot join two new VMs to my domain, I receive the following
>> error on
>> > >> both machines:
>> > >>
>> > >> twerks at cbadc03:~$ kinit
>> > >> Administrator
>> > >> Password for Administrator at CB.CLIFFBELLS.COM:
>> > >> itwerks at cbadc03:~$ klist -e
>> > >> Ticket cache: FILE:/tmp/krb5cc_1000
>> > >> Default principal: Administrator at CB.CLIFFBELLS.COM
>> > >>
>> > >> Valid starting       Expires              Service principal
>> > >> 03/21/2016 00:19:56  03/21/2016 10:19:56  krbtgt/
>> > >> CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> > >>          renew until 03/22/2016 00:19:41, Etype (skey, tkt):
>> > >> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > >> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
>> > >> cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
>> > >> --dns-backend=SAMBA_INTERNAL
>> > >> Finding a writeable DC for domain 'cb.cliffbells.com'
>> > >> Found DC filer.cb.cliffbells.com
>> > >> Password for [WORKGROUP\administrator]:
>> > >> workgroup is CB
>> > >> realm is cb.cliffbells.com
>> > >> checking sAMAccountName
>> > >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > >> Join failed - cleaning up
>> > >> checking sAMAccountName
>> > >> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
>> > >> <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
>> > >> objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
>> > >> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid
>> > >> in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> > >>    File
>> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > >> line 175, in _run
>> > >>      return self.run(*args, **kwargs)
>> > >>    File
>> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>> > >> line 621, in run
>> > >>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>> > >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > >> line 1183, in join_DC
>> > >>      ctx.do_join()
>> > >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > >> line 1086, in do_join
>> > >>      ctx.join_add_objects()
>> > >>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>> > >> line 536, in join_add_objects
>> > >>      ctx.samdb.add(rec)
>> > >> itwerks at cbadc03:~$
>> > >>
>> > >> Neither machine exists in ADUC on either of my current DCs.  Neither
>> > >> machine has any records in DNS.  I ran ldbsearch and dumped its output
>> > >> to a text file; there are no references to either machine name in the
>> > >> file.
>> > >>
>> > >> Please advise.
>> > >>
>> > >> JS
>> > >>
>> > >
>> > > The join seems to be failing because it seems to be trying to add an
>> > > objectsid that already exists:
>> > >
>> > > unique index violation on objectSid in CN=CBADC03,OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com
>> > >
>> > > Try pre-creating the computer in 'OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
>> > >
>> > > Rowland
>> > >
>> > >
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions:  https://lists.samba.org/mailman/options/samba
>> > >
>> >
>>
>
>

