[Samba] Problem joining a samba DC to a windows domain

me at tdiehl.org me at tdiehl.org
Fri Jun 22 03:28:06 UTC 2018


Hi Tim Andrew and Rowland,

Thanks for taking the time to look into this.

On Fri, 22 Jun 2018, Tim Beale via samba wrote:

> Hi Tom,
>
> The problem here is due to fundamental implementation differences in the
> way Windows and Samba store linked attributes. Your DB is likely fine
> (no corruptions).

That is great to hear!

> During replication (i.e. the join), Windows can sometimes send linked
> attributes before Samba knows about the source/target objects involved.
> As Andrew said, historically Samba has handled this by silently dropping
> these links, which isn't ideal. So on Samba 4.7, after the join
> succeeds, it's probably worth running 'samba-tool drs replicate
> --full-sync' to make sure the new DC has all the linked attributes.

I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com --full-sync"
and it returned "Replicate from PHT1 to PHT-VDC1 was successful".

> In Samba 4.8, instead of dropping the link, we added code that used the
> GET_TGT flag in the DRS message to force the Windows DC to send all the
> link target objects. This meant Samba could successfully process all the
> links. The problem is that the GET_TGT flag is a reasonably new addition
> to the Windows protocol, and the code in this case thinks it's not
> supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
> 2008 R2 onwards - what version of Windows are you running?

Well based on your explanation above this problem makes perfect sense.
The existing DC is sbs2008 which is running 2008 SP2. I guess I need to remember
that anything older then 2008 R2 needs to start with 4.7 until there is a better
solution.

> Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
> --full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
> have a think what else we could do to handle this situation better.

Would it make sense to add a warning to the wiki until there is a better
solution?

Is this something that can be done while the 2008 SP2 DC is still on line
or should I wait until after it is retired?

Regards and Thanks again!!

-- 
Tom			me at tdiehl.org

>
> Thanks,
> Tim
>
> On 22/06/18 08:22, Andrew Bartlett via samba wrote:
>> On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
>>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>>> Windows domain using
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> as instructions.
>>>>
>>>> The smb.conf looks like the following:
>>>>
>>>> [global]
>>>>      netbios name = PHT-VDC1
>>>>      realm = EXAMPLE.COM
>>>>      server role = active directory domain controller
>>>>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE
>>>>
>>>> [netlogon]
>>>>      path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>      read only = No
>>>>
>>>> [sysvol]
>>>>      path = /usr/local/samba/var/locks/sysvol
>>>>      read only = No
>>>>
>>>> The above was generated by the following samba-tool command line:
>>>> samba-tool domain join example.com DC -U"example\admin"
>>>> --dns-backend=BIND9_DLZ
>>>>
>>>> When I run samba-tool I get the following output:
>>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC
>>>> -U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC for
>>>> domain 'example.com' Found DC PHT1.example.com
>>>> Password for [EXAMPLE\admin]:
>> ....
>>
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
>>>> linked_values[0/355] ...
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
>>>> linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
>>>> objects[6510/7722] linked_values[12/355] Replicating critical objects
>>>> from the base DN of the domain Partition[DC=example,DC=com]
>>>> objects[105/156] linked_values[42/388] Partition[DC=example,DC=com]
>>>> objects[296/7902] linked_values[1/388] Partition[DC=example,DC=com]
>>>> objects[466/7902] linked_values[72/388] Failed to commit objects: DOS
>>>> code 0x000021bf Join failed - cleaning up
>>> This is where it seems to fail and 0x000021bf is this:
>>>
>>> The replication operation failed because the target object referenced
>>> by a link value is recycled.
>>>
>>> So it might be an idea to check the DC you are trying to join to.
>> Thanks Rowland,
>>
>> What is happening here is that Samba is trying to find the end of a
>> link that it has been given, so as to be able to set the backlink.
>> This used to just result in the backlink being dropped, and now we have
>> fixed that (never dropping the link).  However it seems that goes a bit
>> wrong here against Windows.
>>
>> The reason this works with 4.7 is that the backlink is just ignored and
>> dropped in this case.
>>
>> I've CC'ed Tim Beale who was the developer of that code, who may have
>> some insights.
>>
>> Thanks,
>>
>> Andrew Bartlett
>
>
>



More information about the samba mailing list