[Samba] Setup a Samba AD DC as an additional DC

Barry D. Adkins Barry at daram.com
Wed Dec 5 02:58:17 UTC 2018


I have been dealing with this same error in the same circumstance for about 3 weeks with no solution, so I have undertaken to build Samba and debug it.

To see if your error is really the same as mine although your output is the same...

>Regarding:
>9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'

Do this:
sudo ldbedit -e nano -H /var/lib/samba/private/secrets.ldb

You should get 3 records in the secret file. I have only been getting the first 2, and the Machine Secret (record 3) has not been written to the file.

You can re-run the join with -d8, which sets the debug level to 8, and you should see something like this (if we are seeing the same error; Rowland and Luis have been trying to help me figure this out):

Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4702) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

If you see a log that it "could not find machine account in secrets database..." then we are having the same problem, I believe.

Our AD Domain is Functional Level 2012 and we do have Exchange. We were thinking that might be the problem. I do know that even if I can get a join, Exchange may prevent replication, but I'd be happy to get a join, and we are working on replacing Exchange.

I'm not wishing bad luck on you, but it is useful to know that our AD is not the only one that this happens with.

We are trying to use it on Ubuntu Server 18.04. I even thought about trying 16.xx to see if it was an Ubuntu 18 problem.

I've been working on this so much that I've been sidelined due to lack of sleep. Hope to have my own build of Samba in the next few days and then get a debugger going. I am certain it is a fairly small problem.

Also check your Windows AD Event log. Are you getting any errors showing that a connection from your attempted server is failing? Samba was able to write to our AD with all the schema entries to add the Samba DC because I could see that happening, but then when it "cleans up" it deletes them all.

Let's see if we are dealing with the same problem.  Maybe we can help each other.

-Barry Adkins
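
Added example, not part of the message above: a read-only way to run the two checks it describes. It pulls the flat name out of the -d8 join log and asks secrets.ldb for the matching primaryDomain record, requesting only the DN so the machine password is never displayed. It assumes ldbsearch (from the ldb tools) is installed; the function names and the join.log file name are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the "missing machine secret" symptom without
# opening secrets.ldb in an editor. Path and filter are taken from the post.
SECRETS_LDB="${SECRETS_LDB:-/var/lib/samba/private/secrets.ldb}"

# Read a -d8 join log on stdin and print the domain flat name from the
# "Could not find machine account" line; print nothing if it is absent.
flatname_from_log() {
    grep 'Could not find machine account in secrets database' |
        sed -n 's/.*(&(flatname=\([^)]*\))(objectclass=primaryDomain)).*/\1/p' |
        head -n 1
}

# Count the records in ldbsearch LDIF output read on stdin.
# grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
count_records() {
    grep -c '^dn: ' || true
}

# Print how many primaryDomain records exist for flat name $1.
# Returns 2 without querying if $1 contains characters that could alter
# the search filter.
machine_secret_count() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    ldbsearch -H "$SECRETS_LDB" -b 'cn=Primary Domains' \
        "(&(flatname=$1)(objectclass=primaryDomain))" dn 2>/dev/null |
        count_records
}

# Usage (as root): sh check_secret.sh join.log
if [ "$#" -eq 1 ]; then
    flat=$(flatname_from_log < "$1")
    if [ -z "$flat" ]; then
        echo "log does not contain the missing machine account error"
        exit 0
    fi
    n=$(machine_secret_count "$flat") || { echo "unexpected flat name: $flat"; exit 2; }
    echo "primaryDomain records for $flat in $SECRETS_LDB: $n"
fi
```

A count of 0 matches the situation in the message, where the third record was never written; a count of 1 means the machine secret is present and the join failure has a different cause.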

