[Samba] error with joining new DC to domain

peter grotz peter.grotz at grotz.org
Wed Dec 12 20:26:41 UTC 2018


one last thing:
Updating these 4.7 DCs to 4.9.3 and it all begins again... no replication, no authentication...

omg - how should I go on now??







On Wednesday, 12 December 2018 at 21:23, you wrote:


May I extend the issue with some strange behaviour? Look here:

Installing the sernet 4.7 as mentioned above, I can't join the domain in a regular way. It ONLY works when I have asked BOTH of the working DCs with 4.9.3 before I try without explicit naming of a server... ^^
Follow me here:

[root@dc-02 etc]# samba-tool domain join obel.lan DC -U"OBEL\administrator" --realm=obel.lan --server=dc-10
Password for [OBEL\administrator]:
workgroup is OBEL
realm is obel.lan
Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
Adding CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan
Join failed - cleaning up
Deleted CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan, parent does not exist!> <>
 File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
   return self.run(*args, **kwargs)
 File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
   machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
   ctx.do_join()
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
   ctx.join_add_objects()
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 631, in join_add_objects
   ctx.samdb.add(rec)


Then:

[root@dc-02 etc]# samba-tool domain join obel.lan DC -U"OBEL\administrator" --realm=obel.lan --server=dc-11
Password for [OBEL\administrator]:
workgroup is OBEL
realm is obel.lan
Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
Adding CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan
Join failed - cleaning up
Deleted CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=obel,DC=lan, parent does not exist!> <>
 File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
   return self.run(*args, **kwargs)
 File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 661, in run
   machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1474, in join_DC
   ctx.do_join()
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1375, in do_join
   ctx.join_add_objects()
 File "/usr/lib64/python2.6/site-packages/samba/join.py", line 631, in join_add_objects
   ctx.samdb.add(rec)


at last:

[root@dc-02 etc]# samba-tool domain join obel.lan DC -Uadministrator --realm=obel.lan
Finding a writeable DC for domain 'obel.lan'
Found DC dc-10.obel.lan
Password for [OBEL\administrator]:
workgroup is OBEL
realm is obel.lan
Deleted CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
Adding CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding SPNs to CN=DC-02,OU=Domain Controllers,DC=obel,DC=lan
Setting account password for DC-02$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=obel,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1690] linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1690] linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1690] linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1690] linked_values[0/1]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1690/1690] linked_values[82/82]
Replicating critical objects from the base DN of the domain
Partition[DC=obel,DC=lan] objects[100/100] linked_values[34/34]
Partition[DC=obel,DC=lan] objects[503/710] linked_values[0/24]
Partition[DC=obel,DC=lan] objects[810/710] linked_values[585/585]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=obel,DC=lan
Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[236/236] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=obel,DC=lan
Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[43/43] linked_values[0/0]
WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan (the server we joined) is not the RID Master.
NOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.
Committing SAM database
Adding 1 remote DNS records for DC-02.obel.lan
Adding DNS A record DC-02.obel.lan for IPv4 IP: 192.168.1.100
Adding DNS CNAME record 6fbd7b7e-4d48-45df-a966-a4bebaa0ac5e._msdcs.obel.lan for DC-02.obel.lan
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660) as a DC

WTF?????

-Peter




On Wednesday, 12 December 2018 at 16:36, you wrote:

RPvs> On Wed, 12 Dec 2018 16:01:52 +0100
RPvs> "peter.grotz--- via samba" <samba at lists.samba.org> wrote:

>> Thanks Rowland for your answer. 

>> these are sernet-packages from their subscription. 

>> There are 4 DCs (all with last sernet-rpms) 2 are demoted with probs
>> (dc-01 and dc-02 both centos6) and 2 are running (dc-10 and  dc-11 on
>> centos 7) 

>> dc-11 has all fsmo. joining with the old dc-01 and dc-02 doesn't even
>> work. 

>> dc-01 joins but gives me this: 

>> Deleted
>> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>> Adding CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
>> Adding
>> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>> Adding CN=NTDS
>> Settings,CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
>> Adding SPNs to CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
>> Setting account password for DC-01$
>> Enabling account
>> Calling bare provision
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness
>> constraint on local domainSIDs

>> A Kerberos configuration suitable for Samba AD has been generated at
>> /var/lib/samba/private/krb5.conf
>> Merge the contents of this file with your system krb5.conf or replace
>> it with this one. Do not create a symlink!
>> Provision OK for domain DN DC=obel,DC=lan
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[402/1550]
>> linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[804/1550]
>> linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
>> objects[1206/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
>> objects[1550/1550] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[1646/1646]
>> linked_values[44/44]
>> Failed to commit objects: DOS code 0x000021bf
>> Missing target object - retrying with DRS_GET_TGT
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2048/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2450/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[2852/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[3254/1646]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=obel,DC=lan] objects[3292/1646]
>> linked_values[44/44]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=obel,DC=lan] objects[98/98] linked_values[34/34]
>> Partition[DC=obel,DC=lan] objects[501/669] linked_values[0/24]
>> Partition[DC=obel,DC=lan] objects[767/669] linked_values[585/585]
>> Done with always replicated NC (base, config, schema)
>> Replicating DC=DomainDnsZones,DC=obel,DC=lan
>> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[229/229]
>> linked_values[0/0]
>> Replicating DC=ForestDnsZones,DC=obel,DC=lan
>> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[35/35]
>> linked_values[0/0]
>> WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan
>> (the server we joined) is not the RID Master.
>> NOTE: This is normal and expected, Samba will be able to create users
>> after it contacts the RID Master at first startup.
>> Committing SAM database
>> Adding 1 remote DNS records for DC-01.obel.lan
>> Adding DNS A record DC-01.obel.lan for IPv4 IP: 192.168.0.101
>> Adding DNS CNAME record
>> 96ed5e12-99b8-4f8d-b9bf-f58b9c82eaa5._msdcs.obel.lan for
>> DC-01.obel.lan All other DNS records (like _ldap SRV records) will be
>> created samba_dnsupdate on first startup
>> Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
>> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2]
>> linked_values[0/0]
>> Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
>> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2]
>> linked_values[0/0]
>> Sending DsReplicaUpdateRefs for all the replicated partitions
>> Setting isSynchronized and dsServiceName
>> Setting up secrets database
>> Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660) as
>> a DC 

>> Then he joined but is not really working (now drs replication on
>> samba-tool drs showrepl 

>> demoting dc-01 brings me the following: 

>> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
>> -Uadministrator
>> Using dc-10 as partner server for the demotion
>> Password for [OBEL\administrator]:
>> Deactivating inbound replication
>> Asking partner server dc-10 to synchronize from us
>> Error while replicating out last local changes from
>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
>> inbound replication
>> ERROR(<class 'samba.WERRORError'>): Error while sending a
>> DsReplicaSync for partition
>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
>> 'WERR_FILE_NOT_FOUND') File
>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
>> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
>> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
>> -Uadministrator
>> Using dc-10 as partner server for the demotion
>> Password for [OBEL\administrator]:
>> Deactivating inbound replication
>> Asking partner server dc-10 to synchronize from us
>> Error while replicating out last local changes from
>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
>> inbound replication
>> ERROR(<class 'samba.WERRORError'>): Error while sending a
>> DsReplicaSync for partition
>> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
>> 'WERR_FILE_NOT_FOUND') File
>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
>> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1) 

>> Peter

>> On 12.12.2018 15:53, Rowland Penny via samba wrote:

>> > On Wed, 12 Dec 2018 15:43:09 +0100
>> > peter grotz via samba <samba at lists.samba.org> wrote:
>> > 
>> >> I forgot: this is samba 4.9.3 on centos 7
>> > 
>> > Where did you get Samba 4.9.3 from ?
>> > 
>> >> Thanks
>> >> 
>> >> Hello,
>> >> 
>> >> I got a problem with adding a new dc to a domain. when I try to
>> >> join I get the following:
>> > 
>> > What are the other DC(s) ?
>> > 
>> > Rowland

RPvs> There was a similar thread here:

RPvs> https://lists.samba.org/archive/samba/2018-June/216543.html

RPvs> Rowland




-- 
Kind regards
Peter Grotz

mailto:peter.grotz at grotz.org


