[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join

Alexey Sheplyakov asheplyakov at basealt.ru
Wed Oct 3 11:00:08 UTC 2018



On 10/02/2018 05:21 PM, Fabio Fantoni via samba wrote:
> I updated both the linux domain controllers to samba 4.8.5, changed 
> the hostname of server I tried to add as dc but same error:
>
>> samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local 
>> --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>> Finding a writeable DC for domain 'm2r.local'
>> Found DC DUO-ADD-DC.m2r.local
>> Password for [WORKGROUP\administrator]:
>> workgroup is M2R
>> realm is m2r.local
>> Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>> Adding 
>> CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Adding CN=NTDS 
>> Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Join failed - cleaning up
>> Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>> Deleted CN=NTDS 
>> Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Deleted 
>> CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - 
>> <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>>  ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
>> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
>> line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
>> line 706, in run
>>     plaintext_secrets=plaintext_secrets)
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, 
>> in join_DC
>>     ctx.do_join()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, 
>> in do_join
>>     ctx.join_add_objects()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, in 
>> join_add_objects
>>     ctx.samdb.modify(m)
>
>
> d7npdc have all roles:
>
>> samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> InfrastructureMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> RidAllocationMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> PdcEmulationMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> DomainNamingMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> DomainDnsZonesMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> ForestDnsZonesMasterRole owner: CN=NTDS 
>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>
> DUO-ADD-DC.m2r.local is additional dc w2008r2 added recently, d7npdc 
> what at samba 4.5 at the windows dc join.

We have been experiencing a similar (same?) problem when joining samba4 
DC's to windows (2008 r2)
ones, see this thread for more details: 
https://lists.samba.org/archive/samba-technical/2018-June/128672.html

As far as I understand the problem is caused by 3 factors

1) samba-tool prefers to pick a windows DC to perform the join
2) when joining as a DC samba-tool tries to modify the application 
directory partition (presumably describing DNS zone) via LDAP (as 
opposed to DRS RPC)
3) windows strictly obeys FSMO roles and returns an error (or rather a 
referral) if  (to a DC holding `Domain naming master` FSMO role)

To solve the problem one can instruct samba-tool to talk with a DC 
holding `Domain naming master' FSMO role
(d7npdc in your example), something like this:

samba-tool domain join m2r.local DC --server=D7NPDC.m2r.local 
-Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL 
--option='idmap_ldb:use rfc2307 = yes'

Or apply a patch which does this automatically (attached), and (if you 
feel lucky) convince samba developers
to merge it (so people won't face this problem ever and ever again).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-join.py-automatically-connect-to-domain-naming-maste.patch
Type: text/x-patch
Size: 4453 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20181003/aeb9b4f8/0001-join.py-automatically-connect-to-domain-naming-maste.bin>
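An added shell example, not the patch attached to this mail and not Samba's own code: it extracts the Domain Naming Master's short name from `samba-tool fsmo show` output and builds the pinned join command described above. The FSMO output embedded here is constructed from this thread (D7NPDC / m2r.local), with each owner DN on one line as the real tool prints it.

```shell
#!/bin/sh
# Added example (not from the thread or the attached patch).
# Reads `samba-tool fsmo show` output on stdin and prints the short name
# of the DC holding DomainNamingMasterRole (the CN after "CN=NTDS Settings,").
naming_master_host() {
    sed -n 's/^DomainNamingMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1/p'
}

# Builds the join command from the reply, pinned with --server to the
# naming master so the LDAP modify is not sent to a DC that only refers it.
join_command() {
    realm="$1"; dc="$2"
    printf "samba-tool domain join %s DC --server=%s.%s -Uadministrator --realm=%s --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'\n" \
        "$realm" "$dc" "$realm" "$realm"
}

# Constructed sample of `samba-tool fsmo show` output (values from this thread).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local'

# On a live DC replace the printf with: samba-tool fsmo show | naming_master_host
dc=$(printf '%s\n' "$SAMPLE_FSMO" | naming_master_host)
[ -n "$dc" ] || { echo "could not find DomainNamingMasterRole owner" >&2; exit 1; }
join_command m2r.local "$dc"
```

Run the printed command from the joining host; the parser only needs the FSMO listing, which any existing DC in the domain can produce.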