[Samba] Failing to join existing AD as DC

Rowland penny rpenny at samba.org
Fri Aug 16 13:37:58 UTC 2019


On 16/08/2019 14:14, Alexander Harm via samba wrote:
>
>
>
>
>
> 4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
You are missing the 'acl' package
>
> 5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
>
> 6. rm /etc/samba/smb.conf
>
> 7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)
I thought you were trying to 'join' another DC to an existing domain, 
not create a new domain ?
> 11. loads of DNS errors in the log like
>
> [2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> [2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
> [2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
> [2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:     raise e
> [2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> [2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> [2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
> [2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
> [2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate:     raise e
> [2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
>    ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
> [2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
>    TLS self-signed keys generated OK
They are the records that samba_dnsupdate tries to create if they do not 
exist, but from the error message 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS' 
it looks like they already exists.
> 12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine
>
> 13. output of your debug script
>
> Collected config  --- 2019-08-16-15:07 -----------
>
> Hostname: ka-h9-dc01
> DNS Domain: samdom.example.com
> FQDN: ka-h9-dc01.samdom.example.com
> ipaddress: 10.0.1.250
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
> Server:		10.0.1.250
> Address:	10.0.1.250#53
>
> _kerberos._tcp.samdom.example.com	service = 0 100 88 ka-h9-dc01.samdom.example.com.
> Samba is running as an AD DC
>
> -----------
>         Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.0 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>      link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
>      inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
>      inet6 fe80::20c:29ff:fe35:9c84/64 scope link
>
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1	localhost
> 10.0.1.250	ka-h9-dc01.samdom.example.com	ka-h9-dc01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>         Checking file: /etc/resolv.conf
>
> search samdom.example.com
> nameserver 10.0.1.250
>
> -----------
>
>         Checking file: /etc/krb5.conf
>
> [libdefaults]
> 	default_realm = SAMDOM.EXAMPLE.COM
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
>
> -----------
>
>         Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files systemd
> group:          files systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>         Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> 	dns forwarder = 10.0.1.100
> 	netbios name = KA-H9-DC01
> 	realm = SAMDOM.EXAMPLE.COM
> 	server role = active directory domain controller
> 	workgroup = COMPANYNAME
> 	idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> 	path = /var/lib/samba/sysvol/samdom.example.com/scripts
> 	read only = No
>
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
> ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
> ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
> ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
> ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64              4.8-2                       amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64           2:4.9.5+dfsg-5              amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64        Samba winbind client library
> ii  python-samba                   2:4.9.5+dfsg-5              amd64        Python bindings for Samba
> ii  samba                          2:4.9.5+dfsg-5              amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                   2:4.9.5+dfsg-5              all          common files used by both the Samba server and client
> ii  samba-common-bin               2:4.9.5+dfsg-5              amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64        Samba Directory Services Database
> ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64        Samba core libraries
> ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64        Samba Virtual FileSystem plugins
> ii  smbclient                      2:4.9.5+dfsg-5              amd64        command-line SMB/CIFS clients for Unix
> ii  winbind                        2:4.9.5+dfsg-5              amd64        service to resolve user and group information from Windows NT servers
>
> -----------
>
> 14. samba-tool fsmo show -H ldap://$(hostname -d)
>
> SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
>
> SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 16. Notice I don't have "Administrator" as user in my Windows domain if that is an issue
Then who do you have ? Not that it makes much difference 'KA-H9-DC01' 
isn't a member of your Windows domain, even if  does appear to have the 
same dns domain.
>
> So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?

Not until you kill the Samba domain and remove all traces of it from 
'KA-H9-DC01'

Rowland





More information about the samba mailing list