[Samba] Convert Member Server to DC

Paul R. Ganci ganci at nurdog.com
Sun Dec 31 02:58:28 UTC 2017


On 12/30/2017 05:22 PM, Paul R. Ganci via samba wrote:
> 1.) net ads leave -U administrator
> 2.) Remove the machine entry on the 1st DC (used ldbedit)
> 3.) mv /var/lib/samba /var/lib/samba-client
> 4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
> 5.) samba-tool domain join 2nd DC
I tried this procedure and it just doesn't want to work. I have this error:

 >samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator" --dns-backend=SAMBA_INTERNAL
Password for [MYDC\administrator]:
workgroup is MYDC
realm is mydc.mydom.com
Deleted CN=DC2,CN=Computers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
ERROR(ldb): uncaught exception - Failed to setup krb5_context: Invalid argument
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
     ctx.do_join()
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1376, in do_join
     ctx.join_provision()
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 840, in join_provision
     use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2199, in provision
     secrets_ldb.transaction_commit()

The Kerberos setup is per the wiki and seems to be correct:

 > kinit administrator
Password for administrator at MYDC.MYDOM.COM:
 > klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDC.MYDOM.COM

Valid starting       Expires              Service principal
12/30/2017 19:43:53  12/31/2017 05:43:53  krbtgt/MYDC>MYDOM.COM at MYDC.MYDOM.COM

I don't have a clue as to why this join would have failed. I put back 
the member server setup and have no problems joining the domain. Any 
clues as to what else I have to remove in order to turn this member 
server into a DC? Should I just delete everything including the Sernet 
samba distro and re-install from scratch?

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208


