[Samba] Problems joining Samba 4 in the domain

Marcio Demetrio Bacci marciobacci at gmail.com
Mon Aug 12 14:52:09 UTC 2019


Hi,

I created a new Samba 4 with a different name from the previous one.

I followed your configuration guidelines for the /etc/ hosts and
/etc/resolv.conf files. I also removed the smb.conf file of the new DC

I did maintenance on Samba 4 DC1:

samba-tool dbcheck --cross-ncs  --fix --yes
Checking 6340 objects
Checked 6340 objects (0 errors)

I cleaned up DNS records.

However, the following error occurred:

root at samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k
yes -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for EMPRESA from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=EMPRESA)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4691) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
    ctx.samdb.modify(m)

Do I need to manually enter information (ldap and kerberos) about the new
DC in the DNS entries in the msdcs.empresa.com.br e empresa.com.br trees?

Regards,

Márcio Bacci

Em qui, 8 de ago de 2019 às 11:48, L.P.H. van Belle via samba <
samba at lists.samba.org> escreveu:

> Hai marcio,
>
> As far i can see, most look ok to me.
>
> A few very small points.
>
> First change this :
> > cat /etc/hosts
> > 192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
> > 192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
> > 10.133.84.135  win-dc2.empresa.com.br.    wind-dc2
> >
> >
> > cat /etc/resolv.conf
> > domain empresa.com.br
> > search empresa.com.br
> > nameserver 192.168.1.20
>
> To
>
> /etc/hosts
> 192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
> 192.168.1.20   samba4-dc1.empresa.com.br samba4-dc1
> 10.133.84.135  win-dc2.empresa.com.br   wind-dc2
>
>
> /etc/resolv.conf
> search empresa.com.br
> nameserver 10.133.84.135
> nameserver 192.168.1.20
> nameserver 192.168.1.19
>
> Now, question.
> If this the first attempt to join this server? Of not, what guess based on
> the output below.
>
> - Then verify in the dns and AD if the old server is completely removed.
>         And take you time for this.
> - cleanup /var/lib/samba ( remove all files there and in subfolders, keep
> the folders )
> - cleanup /var/cache/samba ( remove all files there and in subfolders,
> keep the folders )
> - remove /etc/samba/smb.conf
>
> > Failed to get kerberos credentials (kerberos required): kinit for
> > SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> > been revoked)
> So this really looks like leftovers from previous attempt, so there must
> be something in the AD domain with that hostname.
> That that one is revoked.
>
>
> Then, after a good cleanup, you can try to join again.
>
> After the join, reboot Then change :
>
> /etc/resolv.conf
> search empresa.com.br
> nameserver 192.168.1.19
> nameserver 192.168.1.20
> nameserver 10.133.84.135
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Marcio Demetrio Bacci via samba
> > Verzonden: donderdag 8 augustus 2019 16:26
> > Aan: sambalist
> > Onderwerp: [Samba] Problems joining Samba 4 in the domain
> >
> > Hi,
> >
> > I have 2 DC in my network.
> >
> > DC master is a Samba 4 and the secondary is Windows Server 2008.
> >
> > I want to put another Samba 4 as DC to replace Windows
> > Server, however the
> > following errors are emerging:
> >
> > root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
> > -k yes -d 3
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'empresa.com.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> > tcp.empresa.com.br<0x0>
> > Found DC win-dc2.empresa.com.br
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > workgroup is EMPRESA
> > realm is empresa.com.br
> > Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Adding
> > CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
> N=Configuration,DC=empresa,DC=com,DC=br
> > Adding CN=NTDS
> > Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
> N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > Failed to get kerberos credentials (kerberos required): kinit for
> > SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> > been revoked)
> >
> > Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR
> > failed (Clients
> > credentials have been revoked)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > ldap/win-dc2.empresa.com.br
> > failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_ACCOUNT_LOCKED_OUT
> > Failed to connect to 'ldap://win-dc2.empresa.com.br' with
> > backend 'ldap':
> > LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
> > Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Deleted CN=NTDS
> > Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
> N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Deleted
> > CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
> N=Configuration,DC=empresa,DC=com,DC=br
> > ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL
> > -  <0000202B:
> > RefErr: DSID-030A0AEB, data 0, 1 access points
> > ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> > > <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> > 176, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> > in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> > do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
> > join_add_objects
> >     ctx.samdb.modify(m)
> >
> > ##############################################################
> > ###############################################
> >
> >
> > root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
> > -U"EMPRESA\administrator" -d 3
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'empresa.com.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> > tcp.empresa.com.br<0x0>
> > Found DC win-dc2.empresa.com.br
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > Password for [EMPRESA\administrador]:
> > Cannot reach a KDC we require to contact (null) : kinit for
> > administrador at EMPRESA failed (Cannot contact any KDC for
> > requested realm)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > ldap/win-dc2.empresa.com.br
> > failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > workgroup is EMPRESA
> > realm is empresa.com.br
> > Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Adding
> > CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
> N=Configuration,DC=empresa,DC=com,DC=br
> > Adding CN=NTDS
> > Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
> N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > Cannot reach a KDC we require to contact (null) : kinit for
> > administrador at EMPRESA failed (Cannot contact any KDC for
> > requested realm)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > ldap/WIN-DC2.EMPRESA.COM.BR
> > failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > win-dc2.empresa.com.br
> > <0x20>
> > Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR
> > failed (Clients
> > credentials have been revoked)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > ldap/win-dc2.empresa.com.br
> > failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
> > LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error,
> > data 52e,
> > v1773> <>
> > Failed to connect to 'ldap://win-dc2.empresa.com.br' with
> > backend 'ldap':
> > LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
> > DSID-0C09052B, comment: AcceptSecurityContext error, data
> > 52e, v1773> <>
> > Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Deleted CN=NTDS
> > Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
> N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Deleted
> > CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
> N=Configuration,DC=empresa,DC=com,DC=br
> > ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL
> > -  <0000202B:
> > RefErr: DSID-030A0AEB, data 0, 1 access points
> > ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> > > <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> > 176, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> > in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> > do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
> > join_add_objects
> >     ctx.samdb.modify(m)
> >
> > ##############################################################
> > ###############################
> >
> > I did some tests in the new Samaba4 DC and it seems OK as below:
> >
> > root at samba4-dc2:~# kinit Administrator
> > Password for marcio at EMPRESA.COM.BR:
> >
> >
> > root at samba4-dc2:~# klist -l
> > Principal name                 Cache name
> > --------------                 ----------
> > Administrator at EMPRESA.COM.BR      FILE:/tmp/krb5cc_0
> >
> > root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
> > _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
> > samba4-dc1.empresa.com.br.
> > _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
> > win-dc2.empresa.com.br
> > .
> > root at samba4-dc2:~#
> > root at samba4-dc2:~#
> > root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
> > _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389
> > win-dc2.empresa.com.br.
> > _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389
> > samba4-dc1.empresa.com.br
> > .
> > root at samba4-dc2:~#
> > root at samba4-dc2:~# cat /etc/krb5.conf
> > [libdefaults]
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >     default_realm = EMPRESA.COM.BR
> > root at samba4-dc2:~# host -t EMPRESA.COM.BR
> > host: invalid type: EMPRESA.COM.BR
> >
> > root at samba4-dc2:~# host -t A EMPRESA.COM.BR
> > EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2
> > EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1
> > EMPRESA.COM.BR has address 192.168.1.19 #  Samba4-DC2 . I did not
> > understand why. He hasn't joined in the domain yet.
> >
> >
> > My kerberos configurations:
> >
> > cat /etc/krb5.conf
> >
> > [libdefaults]
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >     default_realm = EMPRESA.COM.BR
> >
> >
> > Another configurations:
> >
> > cat /etc/hosts
> > 192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
> > 192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
> > 10.133.84.135  win-dc2.empresa.com.br.    wind-dc2
> >
> >
> > cat /etc/resolv.conf
> > domain empresa.com.br
> > search empresa.com.br
> > nameserver 192.168.1.20
> > nameserver 10.133.84.135
> >
> > Could anybody help me?
> >
> > Regards,
> >
> > Márcio Bacci
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list