[Samba] Problem joining a Samba DC to a Windows domain
me at tdiehl.org
Thu Jun 21 17:23:49 UTC 2018
Hi,
Sorry to reply to my own post but I have additional info.
I removed samba 4.8.2 and compiled samba 4.7.7 and the join succeeded
without error using the exact same configuration.
I am hesitant to upgrade to 4.8.2 for fear of breaking something and having
to forcibly remove the samba DC from the domain but I suppose now is the time
to do it since it is not really in production yet.
Suggestions?
Regards,
--
Tom me at tdiehl.org
On Thu, 21 Jun 2018, Tom Diehl via samba wrote:
> Hi,
>
> I am trying to join a self compiled samba 4.8.2 DC to an existing Windows domain using
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> as instructions.
>
> The smb.conf looks like the following:
>
> [global]
> netbios name = PHT-VDC1
> realm = EXAMPLE.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = EXAMPLE
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> The above was generated by the following samba-tool command line:
> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>
> When I run samba-tool I get the following output:
> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'example.com'
> Found DC PHT1.example.com
> Password for [EXAMPLE\admin]:
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Setting account password for PHT-VDC1$
> Enabling account
> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> Setting account password for dns-PHT-VDC1
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
> ...
> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
> Replicating critical objects from the base DN of the domain
> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
> Failed to commit objects: DOS code 0x000021bf
> Join failed - cleaning up
> Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
> Deleted CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Deleted CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1383, in do_join
>     ctx.join_replicate()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 942, in join_replicate
>     replica_flags=ctx.domain_replica_flags)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 322, in replicate
>     if self._should_retry_with_get_tgt(e[0], req):
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 213, in _should_retry_with_get_tgt
>     (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and
>
> As can be seen from above there is an error that says "Unable to determine
> the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
> and then of course the join fails.
>
> In case anyone is wondering, yes, the domain is really in the form of
> example.com. This domain was created over 10 years ago and upgraded several
> times using MS-based DCs. We are trying to move away from MS DCs but would
> like to be spared the pain of creating a whole new domain.
>
> Anyone have any idea how to fix this?