[Samba] Problem joining a Samba DC to a Windows domain
me at tdiehl.org
Thu Jun 21 16:02:41 UTC 2018
Hi,
I am trying to join a self-compiled Samba 4.8.2 DC to an existing Windows domain
using https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.
The smb.conf looks like the following:
[global]
        netbios name = PHT-VDC1
        realm = EXAMPLE.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$
Enabling account
Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
Deleted CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1383, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 942, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 322, in replicate
    if self._should_retry_with_get_tgt(e[0], req):
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 213, in _should_retry_with_get_tgt
    (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and
As can be seen from the above, there is an error that says
"Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
and then of course the join fails.
In case anyone is wondering, yes, the domain is really in the form of
example.com. This domain was created over 10 years ago and upgraded several
times using MS-based DCs. We are trying to move away from MS DCs but would
like to be spared the pain of creating a whole new domain.
Anyone have any idea how to fix this?
Regards,
--
Tom me at tdiehl.org