[Samba] Unable to join Windows 2008 R2 server DC to Samba DC

Thu Apr 26 01:07:39 UTC 2018

Hi,

It definitely appears to be the case that 4.0 should have been
provisioned with the correct link. It could have been some other bug
which meant it was lost somehow that we've probably fixed, or it was
accidentally deleted (or redirected in some way). I'm glad you were able
to identify the problem, Windows generally doesn't make it easy to debug
faults which occur during the join like this.

It seems to me that there needs to be a check in samba-tool dbcheck for
this perhaps (and maybe some of the other well known objects, if they're
that important). I don't suppose you have any interest in trying to do
that? Otherwise, file a bug for now.

Cheers,

Garming

On 26/04/18 03:43, Justin Foreman via samba wrote:
> I have identified and fixed the problem!
>
> The wellKnownObject for the default computer container was missing! I’m wondering if this was a bug from an old version of Samba, as we provisioned the domain with Samba 4.0.3.
>
> I used ldbedit to manually modify the directory and add CN=Computers as the wellKnownObject default computer container. Windows 2008 R2 now joins successfully.
>
> Thanks,
> Justin
>
>> On Apr 3, 2018, at 11:05 PM, Justin Foreman <jforeman at dignitastechnologies.com> wrote:
>>
>> I’m unable to successfully join a Windows 2008 R2 server DC to my Samba4 domain.
>>
>> I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a Samba domain. After I reboot the domain controller, I receive a blue screen in regards to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.
>>
>> Prior to the reboot, I see the following three events on the Windows DC:
>> ----- 
>> Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'DC8.us.dignitastech.com'. The following error occurred:
>> Access is denied.
>> ----- 
>> Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'RestrictedKrbHost/DC8.us.dignitastech.com' and 'RestrictedKrbHost/DC8'. The following error occurred:
>> Access is denied.
>> ----- 
>> Internal error: An Active Directory Domain Services error has occurred.
>>
>> Additional Data
>> Error value (decimal):
>> 8374
>> Error value (hex):
>> 20b6
>> Internal ID:
>> 30d07c5
>> —— 
>>
>> On the samba server, the only error that I can pick out in the log.samba (at debug 4) is the following DNS update failure:
>>
>>  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 110
>>
>> Any assistance is greatly appreciated as we have an (unfortunate) impending organizational requirement to use Windows domain controllers.
>>
>> Thanks,
>> Justin
>