[Samba] Failing to join existing AD as DC

Alexander Harm contact at aharm.de
Fri Aug 16 13:14:05 UTC 2019


First of all, thanks to you all for bearing with me. To answer the questions:

- Subnets: yes, different subnets, routing is fine, can connect to Windows DC via telnet (DNS), OpenSSL on 389 and 636

- Naming: I could not find any object in the existing AD with the same name of the Samba DC that I want to add

- Join existing: I try to join an existing Windows AD, not Samba AD



I wiped the installation (again) and here are the exact steps I did to set everything up.

1. Install from Debian 10 netinstall ISO with only SSH-server and system utils

2. apt update && apt install curl ntp sudo vim dnsutils open-vm-tools

3. add buster-backports

4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient

5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete

6. rm /etc/samba/smb.conf

7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)

8. cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

9. unmask samba-ad-dc service

10. reboot

11. loads of DNS errors in the log like

[2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
[2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
  TLS self-signed keys generated OK

12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine

13. output of your debug script

Collected config  --- 2019-08-16-15:07 -----------

Hostname: ka-h9-dc01
DNS Domain: samdom.example.com
FQDN: ka-h9-dc01.samdom.example.com
ipaddress: 10.0.1.250

-----------

Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
Server:		10.0.1.250
Address:	10.0.1.250#53

_kerberos._tcp.samdom.example.com	service = 0 100 88 ka-h9-dc01.samdom.example.com.
Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.0 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
    inet6 fe80::20c:29ff:fe35:9c84/64 scope link

-----------
       Checking file: /etc/hosts

127.0.0.1	localhost
10.0.1.250	ka-h9-dc01.samdom.example.com	ka-h9-dc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

search samdom.example.com
nameserver 10.0.1.250

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
	dns forwarder = 10.0.1.100
	netbios name = KA-H9-DC01
	realm = SAMDOM.EXAMPLE.COM
	server role = active directory domain controller
	workgroup = COMPANYNAME
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/samdom.example.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.8-2                       amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.9.5+dfsg-5              amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64        Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-5              amd64        Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5              amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5              all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5              amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.9.5+dfsg-5              amd64        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.9.5+dfsg-5              amd64        service to resolve user and group information from Windows NT servers

-----------

14. samba-tool fsmo show -H ldap://$(hostname -d)

SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin

SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

16. Note that I don't have an "Administrator" user in my Windows domain, if that is an issue

So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?

On 16. August 2019 at 14:34:55, Rowland penny via samba (samba at lists.samba.org) wrote:

On 16/08/2019 12:52, Rowland penny via samba wrote:  
> On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:  
>> It's windows that is not allowing samba to join.  
>>  
>> This should make thing more clear in my opinion.  
>>  
>> samba-tool fsmo show -H ldap://$(hostname -d)  
>> And  
>> samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator  
>>  
>> These both work against my Samba AD-DC's (ldap://$(hostname -d))
>> And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"  
>>  
>>  
> It may be windows that is not allowing the join, but he is going  
> nowhere until 'kinit Administrator' works ;-)  
>  
> Rowland  
>  
>  
>  
Andrew may have a point here, we have only been supplied with the 'join'  
command and a portion of the resulting join output and anything after  
'join failed' is an artefact of the failure and is meaningless. We need  
to see everything between the 'join' command and 'join failed'.  

Rowland  



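The checks this thread keeps coming back to (does /etc/resolv.conf name an existing DC rather than the box being joined, and do the two "samba-tool fsmo show" answers under steps 14 and 15 name the same role holders), as an added example that is not from the thread or from Samba itself. The parsing parts run offline on constructed output shaped like what the post shows; the IPs, the realm and the "dcadmin" account are the ones in the post, while the Windows DC hostname vmdc-azure-01.samdom.example.com, the SRV answer, and a box with dnsutils and krb5-user installed are assumptions for the live path.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: helpers for the
# pre-join checks discussed above. Parsing functions read command output on
# stdin or as an argument so they can be exercised offline on constructed
# samples. Assumed: Windows DC hostname vmdc-azure-01.samdom.example.com,
# dig (dnsutils) and kinit (krb5-user) present for the live path.

# fsmo_holders: read `samba-tool fsmo show` output on stdin and print the
# distinct DC names that own a role, one per line.
fsmo_holders() {
    sed -n 's/^[A-Za-z]*Role owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' | sort -u
}

# same_forest LOCAL_OUTPUT REMOTE_OUTPUT: succeed only when both fsmo listings
# name the same role holders. A freshly provisioned Samba domain owns all
# seven roles itself, so disagreement means the local server answers for a
# separate forest that merely shares the realm name with the existing AD.
same_forest() {
    a="$(printf '%s\n' "$1" | fsmo_holders)"
    b="$(printf '%s\n' "$2" | fsmo_holders)"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# resolver_ok RESOLV_CONF_TEXT LOCAL_IP DC_IP: before `samba-tool domain join`
# the first nameserver must be an existing DC of the forest, not the box
# being joined, which cannot yet answer for the domain.
resolver_ok() {
    ns="$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')"
    [ -n "$ns" ] && [ "$ns" != "$2" ] && [ "$ns" = "$3" ]
}

# srv_targets: read `dig +short SRV` lines ("prio weight port target.") on
# stdin and print the target hosts without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }' | sort -u
}

# ---- constructed sample data, shaped like the outputs shown in the post ----
LOCAL_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
REMOTE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
RESOLV_SELF='search samdom.example.com
nameserver 10.0.1.250'
RESOLV_DC='search samdom.example.com
nameserver 10.88.80.88'
# Assumed SRV answer from the Windows DC's DNS (constructed, not from the post).
SRV_SAMPLE='0 100 389 vmdc-azure-01.samdom.example.com.'

# live_checks: the sequence to run on the candidate DC before and after the
# join (needs network access; not exercised by the offline samples).
live_checks() {
    local_ip=10.0.1.250; dc_ip=10.88.80.88; domain=samdom.example.com
    resolver_ok "$(cat /etc/resolv.conf)" "$local_ip" "$dc_ip" \
        || { echo "resolv.conf must name the existing DC $dc_ip" >&2; return 1; }
    # The resolver must hand back DCs of the existing forest.
    [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets)" ] \
        || { echo "no DC found in _ldap._tcp.dc._msdcs.$domain" >&2; return 1; }
    # Kerberos against the existing forest has to work before any join can.
    kinit "dcadmin@$(printf '%s' "$domain" | tr 'a-z' 'A-Z')" || return 1
    # After a successful join both answers must name the same role holders.
    same_forest "$(samba-tool fsmo show -H "ldap://$(hostname -d)")" \
                "$(samba-tool fsmo show -H "ldap://$dc_ip" -U dcadmin)"
}

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    same_forest "$LOCAL_FSMO" "$REMOTE_FSMO" && echo "same forest" \
        || echo "local and remote fsmo answers disagree: separate forests"
fi
```

Run it with no arguments to see the offline comparison on the sample data (it reports the two listings as separate forests, because one names KA-H9-DC01 and the other VMDC-AZURE-01); run it with --live on the candidate DC to go through the resolver, SRV, kinit and fsmo checks against the real forest.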