[Samba] Failing to join existing AD as DC
Rowland penny
rpenny at samba.org
Fri Aug 16 13:37:58 UTC 2019
On 16/08/2019 14:14, Alexander Harm via samba wrote:
>
> 4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
You are missing the 'acl' package
>
> 5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
>
> 6. rm /etc/samba/smb.conf
>
> 7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)
I thought you were trying to 'join' another DC to an existing domain,
not create a new domain?
> 11. loads of DNS errors in the log like
>
> [2019/08/16 15:02:45.925528, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> [2019/08/16 15:02:45.925557, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
> [2019/08/16 15:02:45.925575, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
> [2019/08/16 15:02:45.925594, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: raise e
> [2019/08/16 15:02:45.958441, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> [2019/08/16 15:02:45.958512, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> [2019/08/16 15:02:45.958531, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
> [2019/08/16 15:02:45.958548, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
> [2019/08/16 15:02:45.958567, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: raise e
> [2019/08/16 15:02:45.987725, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
> ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
> [2019/08/16 15:02:46.489326, 0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
> TLS self-signed keys generated OK
They are the records that samba_dnsupdate tries to create if they do not
exist, but from the error message 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS'
it looks like they already exist.
> 12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine
>
> 13. output of your debug script
>
> Collected config --- 2019-08-16-15:07 -----------
>
> Hostname: ka-h9-dc01
> DNS Domain: samdom.example.com
> FQDN: ka-h9-dc01.samdom.example.com
> ipaddress: 10.0.1.250
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
> Server: 10.0.1.250
> Address: 10.0.1.250#53
>
> _kerberos._tcp.samdom.example.com service = 0 100 88 ka-h9-dc01.samdom.example.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.0 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
> inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
> inet6 fe80::20c:29ff:fe35:9c84/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 10.0.1.250 ka-h9-dc01.samdom.example.com ka-h9-dc01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search samdom.example.com
> nameserver 10.0.1.250
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> dns forwarder = 10.0.1.100
> netbios name = KA-H9-DC01
> realm = SAMDOM.EXAMPLE.COM
> server role = active directory domain controller
> workgroup = COMPANYNAME
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
> ii krb5-user 1.17-3 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.9.5+dfsg-5 amd64 Samba nameservice integration plugins
> ii libpam-krb5:amd64 4.8-2 amd64 PAM module for MIT Kerberos
> ii libpam-winbind:amd64 2:4.9.5+dfsg-5 amd64 Windows domain authentication integration plugin
> ii libsmbclient:amd64 2:4.9.5+dfsg-5 amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.9.5+dfsg-5 amd64 Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5 amd64 Python bindings for Samba
> ii samba 2:4.9.5+dfsg-5 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Virtual FileSystem plugins
> ii smbclient 2:4.9.5+dfsg-5 amd64 command-line SMB/CIFS clients for Unix
> ii winbind 2:4.9.5+dfsg-5 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
> 14. samba-tool fsmo show -H ldap://$(hostname -d)
>
> SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
>
> SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 16. Notice I don't have "Administrator" as user in my Windows domain if that is an issue
Then who do you have? Not that it makes much difference; 'KA-H9-DC01'
isn't a member of your Windows domain, even if it does appear to have the
same DNS domain.
>
> So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?
Not until you kill the Samba domain and remove all traces of it from
'KA-H9-DC01'.
Rowland
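As an added example (not part of the thread, and not Samba's own tooling), the following Python script parses the two `samba-tool fsmo show` outputs and the `samba_dnsupdate` log excerpt quoted above and applies the check Rowland is making by eye: inside one forest every DC reports the same FSMO role owners, so when the local host names itself as owner of every role while the Windows DC names a different server, the local host was provisioned as a separate forest rather than joined as an additional DC. The sample inputs are copied from the thread; the hostname argument, function names and the verdict strings are assumptions of this example.

```python
"""Added example: sanity-check whether a Samba host is really a DC of an
existing AD forest, using `samba-tool fsmo show` output from the local host
and from a known-good DC, plus the samba_dnsupdate errors from log.samba.
Not part of the mailing-list thread or of Samba's own tooling."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# One line of `samba-tool fsmo show` output, e.g.
#   SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Azure,CN=Sites,...
FSMO_LINE = re.compile(
    r"^(?P<role>\w+Role) owner: CN=NTDS Settings,CN=(?P<dc>[^,]+),CN=Servers,CN=(?P<site>[^,]+),"
)

# The samba_dnsupdate failure as it appears in log.samba (error number and WERR_ name).
DNS_ERROR = re.compile(r"uncaught exception - \((?P<code>\d+), '(?P<name>WERR_[A-Z_]+)'\)")

# Sample inputs copied from the thread (local host first, then the Windows DC).
LOCAL_FSMO = """
SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
"""

REMOTE_FSMO = """
SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
"""

LOG_EXCERPT = """
[2019/08/16 15:02:45.958441, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2019/08/16 15:02:45.987725, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
"""


def parse_fsmo(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each FSMO role name to (owning DC name, AD site name)."""
    owners: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = FSMO_LINE.match(line.strip())
        if m:
            owners[m.group("role")] = (m.group("dc"), m.group("site"))
    return owners


def fsmo_mismatches(local: Dict[str, Tuple[str, str]],
                    remote: Dict[str, Tuple[str, str]]) -> List[str]:
    """Roles on which the two DCs disagree about the owner; inside one forest
    every DC answers with the same owner for every role."""
    return [
        f"{role}: local={local.get(role)} remote={remote.get(role)}"
        for role in sorted(set(local) | set(remote))
        if local.get(role) != remote.get(role)
    ]


def dns_update_errors(log: str) -> Counter:
    """Count samba_dnsupdate failures in a log excerpt, keyed by WERR_ name."""
    return Counter(m.group("name") for m in map(DNS_ERROR.search, log.splitlines()) if m)


def diagnose(local_hostname: str, local_fsmo: str, remote_fsmo: str) -> str:
    """Verdict strings are this example's own: SEPARATE_FOREST means the local
    host owns every role itself while the real DC disagrees (it was provisioned,
    not joined); FSMO_MISMATCH is any other disagreement; CONSISTENT is a match."""
    local, remote = parse_fsmo(local_fsmo), parse_fsmo(remote_fsmo)
    mismatches = fsmo_mismatches(local, remote)
    local_owners = {dc.upper() for dc, _ in local.values()}
    if not mismatches:
        return "CONSISTENT"
    if local_owners == {local_hostname.upper()}:
        return "SEPARATE_FOREST"
    return "FSMO_MISMATCH"


if __name__ == "__main__":
    print("verdict:", diagnose("ka-h9-dc01", LOCAL_FSMO, REMOTE_FSMO))
    for line in fsmo_mismatches(parse_fsmo(LOCAL_FSMO), parse_fsmo(REMOTE_FSMO)):
        print("  ", line)
    print("samba_dnsupdate errors:", dict(dns_update_errors(LOG_EXCERPT)))
```

On the thread's data the verdict is SEPARATE_FOREST: all seven roles are owned by KA-H9-DC01 locally and by VMDC-AZURE-01 on the Windows DC, which is what you get from `samba-tool domain provision` rather than `samba-tool domain join`. The WERR_DNS_ERROR_RECORD_ALREADY_EXISTS count is a secondary signal: the records samba_dnsupdate wants to create already exist in the zone the host was answering from.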