[Samba] Problem joining a samba Dc to a winbdows domain

me at tdiehl.org me at tdiehl.org
Thu Jun 21 17:23:49 UTC 2018 

Hi,

Sorry to reply to my own post but I have additional info.

I removed samba 4.8.2 and compiled samba 4.7.7 and the join succeeded
without error using the exact same configuration.

I am hesitant to upgrade to 4.8.2 for fear of breaking something and having
to forcibly remove the samba DC from the domain but I suppose now is the time
to do it since it is not really in production yet.

Suggestions?

Regards,

-- 
Tom			me at tdiehl.org

On Thu, 21 Jun 2018, Tom Diehl via samba wrote:

> Hi,
>
> I am trying to join a self compiled samba 4.8.2 DC to an existing Windows 
> domain
> using 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> as instructions.
>
> The smb.conf looks like the following:
>
> [global]
>     netbios name = PHT-VDC1
>     realm = EXAMPLE.COM
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>     winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = EXAMPLE
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> The above was generated by the following samba-tool command line:
> samba-tool domain join example.com DC -U"example\admin" 
> --dns-backend=BIND9_DLZ
>
> When I run samba-tool I get the following output:
> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" 
> --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'example.com'
> Found DC PHT1.example.com
> Password for [EXAMPLE\admin]:
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Adding 
> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS 
> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Setting account password for PHT-VDC1$
> Enabling account
> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> Setting account password for dns-PHT-VDC1
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on 
> local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated at 
> /usr/local/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with 
> this one. Do not create a symlink!
> Provision OK for domain DN DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] 
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] 
> linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] 
> linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] 
> linked_values[0/355]
> ...
> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] 
> linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] 
> linked_values[12/355]
> Replicating critical objects from the base DN of the domain
> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
> Failed to commit objects: DOS code 0x000021bf
> Join failed - cleaning up
> Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
> Deleted CN=NTDS 
> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Deleted 
> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 
> 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
>   File
>   "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>   line 176, in _run
>     return self.run(*args, **kwargs)
>   File
>   "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
>   line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
>   1482, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
>   1383, in do_join
>     ctx.join_replicate()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
>   942, in join_replicate
>     replica_flags=ctx.domain_replica_flags)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
>   line 322, in replicate
>     if self._should_retry_with_get_tgt(e[0], req):
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
>   line 213, in _should_retry_with_get_tgt
>     (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and
>
> As can be seen from above there is an error that says "Unable to determine 
> the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
> and then of course the join fails.
>
> In case anyone is wondering yes, the domain is really in the form of
> example.com. This domain was created over 10 years ago and upgraded several
> times using MS based DC's. We are trying to move away from MS DC's but would
> like to be spared the pain of creating a whole new domain.
>
> Anyone have any idea how to fix this?

More information about the samba mailing list