[Samba] Unable to Join the Active Directory as a Domain Controller

Thu Dec 21 14:35:33 UTC 2017

Hi Marc-Henri Pamiseux,
>
> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.

in the small prints, one can read "69 :* Experimental support. To report 
problems,  click https://bugzilla.samba.org". With such warning I 
wouldn't put that in production...

> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?

I think you can explore the page 
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

TL;DR : with current samba releases, it is not possible to join a 
win2k12 or above Active Directory to a Samba AD. Stick to 2k8r2 or wait 
for Gaming/Douglas work on that subject.

Cheers,

Denis

>
> Respectfully,
>
> Marc-Henri Pamiseux
>
> PS: Here is the command invoked and its error message:
>
> # samba-tool domain join example.com DC -U"MYDOMAIN\marcori"
> --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
> Finding a writeable DC for domain 'example.com'
> Found DC SRV-ADM1.example.com
> Password for [MYDOMAIN\marcori]:
> workgroup is MYDOMAIN
> realm is example.com
> Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Adding
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS
> Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
> Join failed - cleaning up
> Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Deleted
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(runtime): uncaught exception - DsAddEntry failed
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in
> join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in
> join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in
> DsAddEntry
>     raise RuntimeError("DsAddEntry failed")
>
> # samba -V
> Version 4.7.0-Debian
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr