[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join

Fabio Fantoni fabio.fantoni at m2r.biz
Tue Oct 2 13:21:03 UTC 2018


On 02/10/2018 11:03, Rowland Penny via samba wrote:
> On Tue, 2 Oct 2018 10:33:35 +0200
> Fabio Fantoni <fabio.fantoni at m2r.biz> wrote:
>
>> On 01/10/2018 17:33, Rowland Penny via samba wrote:
>>> On Mon, 1 Oct 2018 17:14:09 +0200
>>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hai Fabio,
>>>>
>>>> We don't mind crappy English...
>>>> At least not me, I'm the same, lots of typos. You will learn it,
>>>> the more you type it. ;-)
>>>>
>>>> https://lists.samba.org/archive/samba/2018-February/214118.html
>>>> Shows exactly the same, but no solution.
>>>>
>>>> Looks like a leftover from another DC.
>> Thanks for your reply. As explained, I already did some searching and
>> solved/worked around 2 previous failures with different errors, but I
>> have not found a solution for this :(
>>>>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
>>>>> <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>>>>>            ref 1:
>>>>> 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
>>>>>    > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>>>> Try to find : a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local
>>>> And check what that is, any old server, a running one?
>> a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local is a CNAME of
>> the actual and correct pdc d7npdc.m2r.local (with the same version of samba)
>>
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>> I wonder if this is sort of self inflicted ?
>>> The OP tried to join as a second DC, but this failed, he then tried
>>> again. I wonder if the first try set up something (and didn't remove
>>> it) that the second attempt doesn't like ?
>>>
>>> Rowland
>>>
>> Sorry for my bad English, but here I do not understand what you mean.
> Your English isn't that bad, I just phrased the comment in a way you
> didn't understand ;-)
>
> What I was trying to say was, did the first attempt to join the second
> DC to the first DC (NOTE: please don't call it a pdc, it isn't a pdc)
> create something in AD that the second join attempt didn't like.
>
> Can I suggest this:
> go here: http://apt.van-belle.nl/
>
> Upgrade your first DC to 4.8.5 using Louis's packages.
> Clean up and rename the PC that will become the second DC and then,
> using Louis's 4.8.5 packages try again.
>
> The debian 4.5.x packages are EOL as far as Samba is concerned and
> there have been many changes since they were released.
>
> Rowland
>
I updated both Linux domain controllers to Samba 4.8.5 and changed the
hostname of the server I tried to add as a DC, but I get the same error:

> samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> Finding a writeable DC for domain 'm2r.local'
> Found DC DUO-ADD-DC.m2r.local
> Password for [WORKGROUP\administrator]:
> workgroup is M2R
> realm is m2r.local
> Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
> Adding CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Adding CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Join failed - cleaning up
> Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
> Deleted CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Deleted CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>  ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, in join_add_objects
>     ctx.samdb.modify(m)


d7npdc has all roles:

> samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local

DUO-ADD-DC.m2r.local is an additional W2008R2 DC added recently; d7npdc
was at Samba 4.5 at the time of the Windows DC join.

Initially there was "s4pdc", a Debian 6 server with Samba 4.0 beta or rc,
when I did the provisioning. After that I upgraded it to 4.0, added d7npdc
(initially with Debian 7 and its official Samba backports packages),
upgraded both to the latest Samba 4.1 and migrated all roles to d7npdc.
After that I upgraded them to Debian 8, removed s4pdc, upgraded d7npdc to
Debian 9 and added the Windows DC. Last week I tried to add an
additional Debian 9 DC, and today I upgraded Samba to 4.8.

I also ran dbcheck and other checks after every Samba upgrade; today,
after the upgrade to 4.8, there are errors that it fails to fix:

> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<RMD_ADDTIME=131758801250000000>;<RMD_CHANGETIME=131775157830000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101925>;<RMD_ORIGINATING_USN=101925>;<RMD_VERSION=11>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local
> Change DN to <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<SID=S-1-5-21-2277923408-2990964511-2040291283-1126>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local? [y/N/all/none] all
> Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local already set via primaryGroupID 513')
> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6d68eb67-0fec-4cd2-bd1f-f374538c9f37>;<RMD_ADDTIME=131758801350000000>;<RMD_CHANGETIME=131775157700000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101922>;<RMD_ORIGINATING_USN=101922>;<RMD_VERSION=13>;CN=Amministrazione,OU=Accounts,DC=m2r,DC=local

The others are of the same type.


Thanks for any reply.
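
The check suggested earlier in the thread (find out what the referral target is) can be scripted against the output quoted in this message. This is an added example, not part of the original post and not Samba code: the function names are hypothetical, the CNAME mapping is the one stated in the thread rather than a live DNS lookup, and the sample input is constructed from lines of the quoted output.

```python
import re

# Constructed sample input: lines copied from the join and fsmo output quoted above.
JOIN_OUTPUT = """\
Found DC DUO-ADD-DC.m2r.local
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
 ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
"""
FSMO_OUTPUT = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
"""
# Assumption: CNAME data as reported in the thread; replace with real DNS answers.
CNAMES = {"a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local": "d7npdc.m2r.local"}

# <GUID>._msdcs.<forest> is the per-DC replication alias registered in DNS.
GUID_ALIAS = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.", re.I)

def referral_targets(join_output):
    """Hosts named in the 'ref N:' lines of an LDAP_REFERRAL error."""
    return re.findall(r"ref \d+: '([^']+)'", join_output)

def contacted_dc(join_output):
    """The DC samba-tool selected for the join ('Found DC ...')."""
    m = re.search(r"^Found DC (\S+)", join_output, re.M)
    return m.group(1) if m else None

def fsmo_owners(fsmo_output):
    """Map role name -> short DC name taken from the NTDS Settings DN."""
    pat = re.compile(r"^(\w+) owner: CN=NTDS Settings,CN=([^,]+),", re.M)
    return {role: dc.lower() for role, dc in pat.findall(fsmo_output)}

def triage(join_output, fsmo_output, cnames):
    owners = set(fsmo_owners(fsmo_output).values())
    contacted = contacted_dc(join_output)
    report = {"contacted": contacted, "referrals": []}
    for host in referral_targets(join_output):
        target = cnames.get(host.lower())  # None: alias has no record (stale DC?)
        short = target.split(".")[0].lower() if target else None
        report["referrals"].append({
            "alias": host,
            "is_ntds_guid_alias": bool(GUID_ALIAS.match(host)),
            "resolves_to": target,
            "is_fsmo_owner": short in owners,
            "same_as_contacted": bool(target) and target.lower() == (contacted or "").lower(),
        })
    return report
```

On the quoted output this reports that the join contacted DUO-ADD-DC.m2r.local while the referral alias resolves to d7npdc, the FSMO role owner; an alias with no CNAME entry comes back with `resolves_to` set to `None`.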






