[Samba] Problem joining a samba DC to a Windows domain

me at tdiehl.org me at tdiehl.org
Thu Jun 21 20:01:32 UTC 2018


On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

> On Thu, 21 Jun 2018 14:32:49 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Hi Rowland,
>>
>> On Thu, 21 Jun 2018, Rowland Penny via samba wrote:
>>
>>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>>> Windows domain using
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> as instructions.
>>>>
>>>> The smb.conf looks like the following:
>>>>
>>>> [global]
>>>>      netbios name = PHT-VDC1
>>>>      realm = EXAMPLE.COM
>>>>      server role = active directory domain controller
>>>>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>      workgroup = EXAMPLE
>>>>
>>>> [netlogon]
>>>>      path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>      read only = No
>>>>
>>>> [sysvol]
>>>>      path = /usr/local/samba/var/locks/sysvol
>>>>      read only = No
>>>>
>>>> The above was generated by the following samba-tool command line:
>>>> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>>
>>>> When I run samba-tool I get the following output:
>>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>> Finding a writeable DC for domain 'example.com'
>>>> Found DC PHT1.example.com
>>>> Password for [EXAMPLE\admin]:
>>>> workgroup is EXAMPLE
>>>> realm is example.com
>>>> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>>>> Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>>>> Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>>>> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>>>> Setting account password for PHT-VDC1$
>>>> Enabling account
>>>> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
>>>> Setting account password for dns-PHT-VDC1
>>>> Calling bare provision
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> No IPv6 address will be assigned
>>>> Setting up share.ldb
>>>> Setting up secrets.ldb
>>>> Setting up the registry
>>>> Setting up the privileges database
>>>> Setting up idmap db
>>>> Setting up SAM db
>>>> Setting up sam.ldb partitions and settings
>>>> Setting up sam.ldb rootDSE
>>>> Pre-loading the Samba 4 and AD schema
>>>> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>>>>
>>>> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
>>>> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>>>> Provision OK for domain DN DC=example,DC=com
>>>> Starting replication
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
>>>> Analyze and apply schema objects
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
>>>> ...
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
>>>> Replicating critical objects from the base DN of the domain
>>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>>> Failed to commit objects: DOS code 0x000021bf
>>>> Join failed - cleaning up
>>>
>>> This is where it seems to fail and 0x000021bf is this:
>>>
>>> The replication operation failed because the target object
>>> referenced by a link value is recycled.
>>>
>>> So it might be an idea to check the DC you are trying to join to.
>>
>> Check it for what? If I understand correctly the error is saying that
>> the target object is not there. The problem is I do not understand
>> what the target object is or how to find it. Assuming that the error
>> is referring to Partition[DC=example,DC=com] objects[466/7952]
>> linked_values[72/388] How do I figure out what the error is referring
>> to?
>>
>> As I said in a separate message, I can successfully join using 4.7.7.
>> If this is a problem with the existing MS DC, why does 4.7.7 join
>> without error?
>>
>> To be clear I am not doubting your advice and I do appreciate it. I
>> am just trying to understand.
>>
>> Regards,
>>
>
> The index mode changed at 4.8.0, this might be more picky i.e. it won't
> allow things that 4.7.x would.
>
> If this was a Samba DC, I would suggest running 'samba-tool
> dbcheck' on it, but is there a Windows version of this tool?

Apparently there is
http://www.rebeladmin.com/2018/03/integrity-check-detect-low-level-active-directory-database-corruption/

Huh, learn something new every day!! :-)

I am going to give that a try.

>
> If 4.7.7 joins and works successfully, have you considered using this
> as the main DC and try joining the 4.8.2 to it ?

That also sounds like a good idea.

Thanks for the help.

Regards,

-- 
Tom			me at tdiehl.org
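
Added example, not part of the original thread or of Samba: a small triage helper that reads `samba-tool domain join` output, even when a mail client has re-wrapped or `>`-quoted it as above, and reports the naming context and replication progress at which the commit failed, with the error code in decimal for lookup. The function name `summarize_join` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the join output quoted in this
# thread, deliberately left line-wrapped the way the mail client reflowed it.
SAMPLE = """\
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
objects[3735/4383] linked_values[0/0] Analyze and apply schema
objects Partition[CN=Configuration,DC=example,DC=com]
objects[6510/7722] linked_values[12/355] Replicating critical
objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156]
linked_values[42/388] Partition[DC=example,DC=com]
objects[466/7902] linked_values[72/388] Failed to commit objects: DOS code
0x000021bf Join failed - cleaning up
"""

PROGRESS = re.compile(
    r"(?:Schema-DN|Partition)\[([^\]]+)\]\s+"
    r"objects\[(\d+)/(\d+)\]\s+linked_values\[(\d+)/(\d+)\]")
FAILURE = re.compile(r"Failed to commit objects:\s+DOS code\s+(0x[0-9a-fA-F]+)")

def summarize_join(log):
    """Return (last progress per naming context, failure dict or None)."""
    # Drop mail quote prefixes, then undo line wrapping so records are whole.
    text = " ".join(re.sub(r"(?m)^[> \t]+", "", log).split())
    events = sorted(
        [(m.start(), "progress", m) for m in PROGRESS.finditer(text)] +
        [(m.start(), "failure", m) for m in FAILURE.finditer(text)],
        key=lambda e: e[0])
    last, failure, current = {}, None, None
    for _, kind, m in events:
        if kind == "progress":
            current = m.group(1)
            # (objects done, objects total, links done, links total)
            last[current] = tuple(int(g) for g in m.groups()[1:])
        elif failure is None:
            failure = {"nc": current,
                       "code_hex": m.group(1),
                       "code_dec": int(m.group(1), 16),
                       "progress": last.get(current)}
    return last, failure

if __name__ == "__main__":
    per_nc, failed = summarize_join(SAMPLE)
    for nc, counts in per_nc.items():
        print(nc, counts)
    print("failure:", failed)
```

On the sample, the failure is attributed to the domain partition `DC=example,DC=com` while linked values were still being applied, which matches the link-value wording of the error text quoted earlier in the thread.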


