[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join

Fabio Fantoni fabio.fantoni at m2r.biz
Wed Oct 3 15:17:51 UTC 2018


On 03/10/2018 13:00, Alexey Sheplyakov via samba wrote:
>
>
> On 10/02/2018 05:21 PM, Fabio Fantoni via samba wrote:
>> I updated both the linux domain controllers to samba 4.8.5 and changed 
>> the hostname of the server I tried to add as a DC, but got the same error:
>>
>>> samba-tool domain join m2r.local DC -Uadministrator 
>>> --realm=m2r.local --dns-backend=SAMBA_INTERNAL 
>>> --option='idmap_ldb:use rfc2307 = yes'
>>> Finding a writeable DC for domain 'm2r.local'
>>> Found DC DUO-ADD-DC.m2r.local
>>> Password for [WORKGROUP\administrator]:
>>> workgroup is M2R
>>> realm is m2r.local
>>> Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>>> Adding 
>>> CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> Adding CN=NTDS 
>>> Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> Join failed - cleaning up
>>> Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>>> Deleted CN=NTDS 
>>> Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> Deleted 
>>> CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - 
>>> <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>>>  ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
>>> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
>>> line 176, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
>>> line 706, in run
>>>     plaintext_secrets=plaintext_secrets)
>>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, 
>>> in join_DC
>>>     ctx.do_join()
>>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, 
>>> in do_join
>>>     ctx.join_add_objects()
>>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, 
>>> in join_add_objects
>>>     ctx.samdb.modify(m)
>>
>>
>> d7npdc has all roles:
>>
>>> samba-tool fsmo show
>>> SchemaMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> InfrastructureMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> RidAllocationMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> PdcEmulationMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> DomainNamingMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> DomainDnsZonesMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>> ForestDnsZonesMasterRole owner: CN=NTDS 
>>> Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>>
>> DUO-ADD-DC.m2r.local is an additional W2008R2 DC added recently; d7npdc 
>> was at samba 4.5 at the time of the windows DC join.
>
> We have been experiencing a similar (same?) problem when joining 
> samba4 DC's to windows (2008 r2)
> ones, see this thread for more details: 
> https://lists.samba.org/archive/samba-technical/2018-June/128672.html
>
> As far as I understand, the problem is caused by 3 factors:
>
> 1) samba-tool prefers to pick a windows DC to perform the join
> 2) when joining as a DC samba-tool tries to modify the application 
> directory partition (presumably describing DNS zone) via LDAP (as 
> opposed to DRS RPC)
> 3) windows strictly obeys FSMO roles and returns an error (or rather a 
> referral to a DC holding the `Domain naming master` FSMO role)
>
> To solve the problem one can instruct samba-tool to talk with a DC 
> holding the `Domain naming master` FSMO role
> (d7npdc in your example), something like this:
>
> samba-tool domain join m2r.local DC --server=D7NPDC.m2r.local 
> -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL 
> --option='idmap_ldb:use rfc2307 = yes'
>
> Or apply a patch which does this automatically (attached), and (if you 
> feel lucky) convince samba developers
> to merge it (so people won't face this problem over and over again).
>
Thanks for helping me solve the issue (the new DC join is now 
completed). I also suppose it is good to apply your patch upstream; you 
already posted it but it was rejected?

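The workaround above (point samba-tool at the Domain Naming Master with --server instead of letting it pick a Windows DC) can be scripted from the two pieces of output already in this thread. The following is an added example, not code from the thread or from Samba: it parses the `samba-tool fsmo show` output and the LDAP_REFERRAL error as posted above (both embedded here as constructed sample input), pulls the role owner's server name out of its NTDS Settings DN, and builds the join command line Alexey suggested. The helper names and the assumption that the role owner's FQDN is `<server CN>.<realm>` are this example's own.

```python
import re
import shlex

# Constructed sample input: the `samba-tool fsmo show` output posted in the
# thread, trimmed to three roles (all of them have the same DN shape).
FSMO_SHOW_OUTPUT = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
"""

# Constructed sample input: the referral the failed join printed.
JOIN_ERROR_OUTPUT = """\
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
 ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
"""

ROLE_RE = re.compile(r"^(\w+Role) owner:\s*(.+?)\s*$")


def fsmo_owners(text):
    """Parse `samba-tool fsmo show` into {role name: NTDS Settings DN}."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            owners[m.group(1)] = m.group(2)
    return owners


def split_dn(dn):
    """Split a DN on unescaped commas into its RDN strings."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def server_from_ntds_dn(dn):
    """CN=NTDS Settings,CN=<server>,CN=Servers,... -> <server>."""
    rdns = split_dn(dn)
    for i, rdn in enumerate(rdns[:-1]):
        if rdn.lower() == "cn=ntds settings" and rdns[i + 1][:3].lower() == "cn=":
            return rdns[i + 1][3:]
    raise ValueError("not an NTDS Settings DN: %s" % dn)


def realm_from_dn(dn):
    """...,DC=m2r,DC=local -> m2r.local (the DNS domain name)."""
    return ".".join(rdn[3:] for rdn in split_dn(dn) if rdn[:3].lower() == "dc=")


def referral_targets(error_text):
    """Hosts named in the LDAP URLs of an LDAP_REFERRAL error, i.e. the DC(s)
    the Windows DC bounced the modify to (a DSA-GUID CNAME under _msdcs)."""
    return re.findall(r"<ldap://([^>/]+)>", error_text)


def join_command(fsmo_text, user="administrator", role="DomainNamingMasterRole"):
    """Build the argv for `samba-tool domain join`, forcing --server to the
    holder of the given FSMO role. Assumes (this example's own assumption)
    that the role owner's FQDN is its server CN plus the realm."""
    owners = fsmo_owners(fsmo_text)
    if role not in owners:
        raise KeyError("role %s not found in fsmo show output" % role)
    dn = owners[role]
    realm = realm_from_dn(dn)
    server = "%s.%s" % (server_from_ntds_dn(dn), realm)
    return ["samba-tool", "domain", "join", realm, "DC",
            "--server=" + server, "-U" + user, "--realm=" + realm,
            "--dns-backend=SAMBA_INTERNAL",
            "--option=idmap_ldb:use rfc2307 = yes"]


if __name__ == "__main__":
    print("join was referred to:", referral_targets(JOIN_ERROR_OUTPUT))
    print(" ".join(shlex.quote(a) for a in join_command(FSMO_SHOW_OUTPUT)))
```

In practice you would feed `join_command` the live output of `samba-tool fsmo show` run on an existing Samba DC and run the returned argv; the referral host from `referral_targets` is a DSA GUID CNAME, so resolving it in DNS (it should point at the same DC the FSMO query names) is a quick sanity check before re-running the join.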
