[Samba] domain join RODC failed

Evgeniy Semenov sem at unn.ru
Wed Jun 7 17:24:15 UTC 2017 

Hello,

I try to test joining new RODC (samba-tool domain join unn.global RODC 
-U Administrator -d5) and it's fail with message:

Could not find machine account in secrets database: Failed to fetch 
machine account password for UNN from both secrets.ldb (Could not find 
entry to match filter: '(&(flatname=UNN)(objectclass=primaryDomain))' 
base: 'cn=Primary Domains': No such object: dsdb_search at 
../source4/dsdb/common/util.c:4576) and from 
/root/rodc/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", 
line 667, in run
     dns_backend=dns_backend)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", 
line 1239, in join_RODC
     ctx.do_join()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", 
line 1177, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", 
line 903, in join_replicate
     replica_flags=ctx.domain_replica_flags)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", 
line 254, in replicate
     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, 
req)
Adding CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Adding CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global
Got krbtgt_name=krbtgt_24698
Renaming CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global to 
CN=krbtgt_24698,CN=Users,DC=unn,DC=global
Adding 
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=NTDS 
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=RODC Connection (FRS),CN=NTDS 
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding SPNs to CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Setting account password for DCG3RO-TEST$
Enabling account
Calling bare provision
Provision OK for domain DN DC=unn,DC=global
Starting replication
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
Deleted CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Deleted CN=RODC Connection (FRS),CN=NTDS 
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted CN=NTDS 
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted 
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global

My test environment:

dcg1.unn.global  192.168.59.23 DC (CentOS 7.3.1611, 3.10.0-514.6.1  x64, 
firewall stoped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)

dcg2.unn.global 192.168.59.29  DC FSMO (CentOS 7.3.1611, 3.10.0-514.6.1  
x64,  firewall stoped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)

dcg3ro-test.unn.global 192.168.59.233 It does not want to become RODC 
(CentOS 7.3.1611,   3.10.0-514.21.1  x64,  firewall stoped, selinux 
disabled, Samba 4.6.4)

Samba configure options: --exec-prefix=/usr --sysconfdir=/etc 
--libdir=/usr/lib64 --localstatedir=/var --enable-fhs 
--with-lockdir=/var/cache/samba --with-modulesdir=/usr/lib64/samba

There are ~54000 objects in domain.

Can you give me some advice?

-- 
Best Wishes,
Evgeniy Semenov

More information about the samba mailing list