[Samba] Problem joining a samba DC to a windows domain

Rowland Penny rpenny at samba.org
Fri Jun 22 07:51:15 UTC 2018


On Thu, 21 Jun 2018 23:28:06 -0400 (EDT)
me at tdiehl.org wrote:

> Hi Tim, Andrew and Rowland,
> 
> Thanks for taking the time to look into this.
> 
> On Fri, 22 Jun 2018, Tim Beale via samba wrote:
> 
> > Hi Tom,
> >
> > The problem here is due to fundamental implementation differences
> > in the way Windows and Samba store linked attributes. Your DB is
> > likely fine (no corruptions).
> 
> That is great to hear!
> 
> > During replication (i.e. the join), Windows can sometimes send
> > linked attributes before Samba knows about the source/target
> > objects involved. As Andrew said, historically Samba has handled
> > this by silently dropping these links, which isn't ideal. So on
> > Samba 4.7, after the join succeeds, it's probably worth running
> > 'samba-tool drs replicate --full-sync' to make sure the new DC has
> > all the linked attributes.
> 
> I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com
> --full-sync" and it returned "Replicate from PHT1 to PHT-VDC1 was
> successful".
> 
> > In Samba 4.8, instead of dropping the link, we added code that used
> > the GET_TGT flag in the DRS message to force the Windows DC to send
> > all the link target objects. This meant Samba could successfully
> > process all the links. The problem is that the GET_TGT flag is a
> > reasonably new addition to the Windows protocol, and the code in
> > this case thinks it's not supported. GET_TGT (GETCHGREQ_V10) should
> > be supported in Windows Server 2008 R2 onwards - what version of
> > Windows are you running?
> 
> Well based on your explanation above this problem makes perfect sense.
> The existing DC is sbs2008 which is running 2008 SP2. I guess I need
> to remember that anything older than 2008 R2 needs to start with 4.7
> until there is a better solution.
> 
> > Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
> > --full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
> > have a think what else we could do to handle this situation better.
> 
> Would it make sense to add a warning to the wiki until there is a
> better solution?

If you can supply me with brief notes once you have everything working,
I will add something to the wiki.

Rowland



