[Samba] Failing to join existing AD as DC

Alexander Harm contact at aharm.de
Fri Aug 16 13:14:05 UTC 2019

First of all, thanks to you all for bearing with me. To answer the questions:

- Subnets: yes, different subnets, routing is fine, can connect to Windows DC via telnet (DNS), OpenSSL on 389 and 636

- Naming: I could not find any object in the existing AD with the same name of the Samba DC that I want to add

- Join existing: I am trying to join an existing Windows AD, not a Samba AD

I wiped the installation (again) and here are the exact steps I did to set everything up.

1. Install from Debian 10 netinstall ISO with only SSH-server and system utils

2. apt update && apt install curl ntp sudo vim dnsutils open-vm-tools

3. add buster-backports

4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient

5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete

6. rm /etc/samba/smb.conf

7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)

8. cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

9. unmask samba-ad-dc service

10. reboot

11. loads of DNS errors in the log like

[2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
[2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
  TLS self-signed keys generated OK

12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine

13. output of your debug script

Collected config  --- 2019-08-16-15:07 -----------

Hostname: ka-h9-dc01
DNS Domain: samdom.example.com
FQDN: ka-h9-dc01.samdom.example.com


Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:

_kerberos._tcp.samdom.example.com	service = 0 100 88 ka-h9-dc01.samdom.example.com.
Samba is running as an AD DC

       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.0 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
    inet brd scope global ens192
    inet6 fe80::20c:29ff:fe35:9c84/64 scope link

       Checking file: /etc/hosts

	localhost
	ka-h9-dc01.samdom.example.com	ka-h9-dc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


       Checking file: /etc/resolv.conf

search samdom.example.com


       Checking file: /etc/krb5.conf

	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true


       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


       Checking file: /etc/samba/smb.conf

# Global parameters
	dns forwarder =
	netbios name = KA-H9-DC01
	server role = active directory domain controller
	workgroup = COMPANYNAME
	idmap_ldb:use rfc2307 = yes

	path = /var/lib/samba/sysvol/samdom.example.com/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No


BIND_DLZ not detected in smb.conf


Installed packages:
ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.8-2                       amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.9.5+dfsg-5              amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64        Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-5              amd64        Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5              amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5              all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5              amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.9.5+dfsg-5              amd64        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.9.5+dfsg-5              amd64        service to resolve user and group information from Windows NT servers


14. samba-tool fsmo show -H ldap://$(hostname -d)

SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

15. samba-tool fsmo show -H ldap:// -U dcadmin

SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

16. Note that I don't have an "Administrator" user in my Windows domain, if that is an issue

So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?

On 16. August 2019 at 14:34:55, Rowland penny via samba (samba at lists.samba.org) wrote:

On 16/08/2019 12:52, Rowland penny via samba wrote:  
> On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:  
>> It's windows that is not allowing samba to join.  
>> This should make things more clear in my opinion.  
>> samba-tool fsmo show -H ldap://$(hostname -d)  
>> And  
>> samba-tool fsmo show -H ldap:// -U Administrator  
>> These both work against my Samba AD-DC's (ldap://$(hostname -d))  
>> And my windows DC -H ldap:// -U "NTDOM\Administrator"  
> It may be windows that is not allowing the join, but he is going  
> nowhere until 'kinit Administrator' works ;-)  
> Rowland  
Andrew may have a point here, we have only been supplied with the 'join'  
command and a portion of the resulting join output and anything after  
'join failed' is an artefact of the failure and is meaningless. We need  
to see everything between the 'join' command and 'join failed'.  


To unsubscribe from this list go to the following URL and read the  
instructions: https://lists.samba.org/mailman/options/samba  
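The two `samba-tool fsmo show` outputs in steps 14 and 15 name different role owners (KA-H9-DC01 versus VMDC-AZURE-01) for the same DC=samdom,DC=example,DC=com naming context, which is what a host that ran `domain provision` (step 7) rather than `domain join` looks like when queried next to the existing forest. As an added example that is not code from the thread or from Samba, the Python below parses such transcripts and reports that condition; the owner-DN layout is taken from the outputs above, and the sample transcripts are constructed from them.

```python
import re

# Added example, not from the thread or from Samba: compare two
# "samba-tool fsmo show" transcripts, one taken on the new Samba host and
# one on the existing Windows DC, and decide whether they describe one
# forest (a real join) or two forests that merely share a name.

ROLES = ("SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
         "PdcEmulationMasterRole", "DomainNamingMasterRole",
         "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole")

OWNER_RE = re.compile(
    r"^(?P<role>\w+Role) owner: CN=NTDS Settings,CN=(?P<dc>[^,]+),CN=Servers,"
    r"CN=(?P<site>[^,]+),CN=Sites,CN=Configuration,(?P<nc>DC=.+)$")

def fsmo_output(dc, site, nc):
    """Build a constructed 'fsmo show' transcript for a DC that owns every role."""
    return "\n".join(f"{r} owner: CN=NTDS Settings,CN={dc},CN=Servers,CN={site},"
                     f"CN=Sites,CN=Configuration,{nc}" for r in ROLES)

def parse_fsmo(text):
    """Map role name -> (dc, site, naming context) from fsmo show output."""
    owners = {}
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if m:
            owners[m["role"]] = (m["dc"], m["site"], m["nc"])
    return owners

def diagnose(local_text, remote_text):
    """A joined DC replicates the same owners the existing DC reports. A host that
    was *provisioned* instead owns all seven roles itself while the existing DC
    names other owners for the identical naming context."""
    local, remote = parse_fsmo(local_text), parse_fsmo(remote_text)
    disputed = [r for r in ROLES if r in local and r in remote
                and local[r][2] == remote[r][2] and local[r][0] != remote[r][0]]
    local_dcs = sorted({v[0] for v in local.values()})
    if not disputed:
        verdict = "consistent"
    elif len(local_dcs) == 1 and len(disputed) == len(ROLES):
        verdict = "separate_forest_same_name"  # provisioned, not joined
    else:
        verdict = "partial_disagreement"       # replication lag or seized role; inspect
    return {"verdict": verdict, "disputed": disputed, "local_dcs": local_dcs}

# Sample transcripts constructed from the two outputs quoted in the thread.
LOCAL = fsmo_output("KA-H9-DC01", "Default-First-Site-Name", "DC=samdom,DC=example,DC=com")
REMOTE = fsmo_output("VMDC-AZURE-01", "Azure", "DC=samdom,DC=example,DC=com")
```

Run `diagnose(LOCAL, REMOTE)` on the two transcripts to get the verdict; after a successful join, the same query issued against either DC should return "consistent".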
