[Samba] Failing to join existing AD as DC
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 16 13:56:44 UTC 2019
Hai,
Well, Rowland was before me ... Again..
So I removed all the parts I'm agreeing with.
>
> - Naming: I could not find any object in the existing AD with
> the same name of the Samba DC that I want to add
AD and DNS? You forgot the DNS, is my guess..
[2019/08/16 15:02:45.958441, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>
> 9. unmask samba-ad-dc service
systemctl disable samba smbd nmbd winbind
But I think you know that/did that already.
> 11. loads of DNS errors in the log like
...
> ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
> TLS self-signed keys generated OK
??
> TLS self-signed keys generated OK <<
But you did set up your CA on Windows, correct??
Then why are you not using them?
Create a new certificate + key file for this server and add these to Samba's smb.conf
Like this :
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/private/xxxx.key.pem
tls certfile = /etc/ssl/certs/xxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxx-ca.pem
Change the path/file names to your needs.
And add the Root CA to debian, how you do that was correct.
>
> 12. changed /etc/resolv.conf to point to itself, restarted
> samba-ad-dc -> log fine
Yes, but it's not syncing now between the Windows DC and itself.
And it's the only AD DC now; you created a new domain, not joined one.
>
> 13. output of your debug script
>
>
> Checking file: /etc/nsswitch.conf
You installed the nss- and pam parts, but you did not enable it in /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd
passwd: files systemd winbind
group: files systemd winbind
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> dns forwarder = 10.0.1.100
> netbios name = KA-H9-DC01
> realm = SAMDOM.EXAMPLE.COM
> server role = active directory domain controller
> workgroup = COMPANYNAME
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii attr 1:2.4.48-4
> amd64 utilities for manipulating filesystem extended
> attributes
> ii krb5-config 2.6
> all Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3
> all internationalization support for MIT Kerberos
> ii krb5-user 1.17-3
> amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4
> amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-4
> amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.17-3
> amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3
> amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3
> amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.9.5+dfsg-5
> amd64 Samba nameservice integration plugins
> ii libpam-krb5:amd64 4.8-2
> amd64 PAM module for MIT Kerberos
> ii libpam-winbind:amd64 2:4.9.5+dfsg-5
> amd64 Windows domain authentication integration plugin
> ii libsmbclient:amd64 2:4.9.5+dfsg-5
> amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.9.5+dfsg-5
> amd64 Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5
> amd64 Python bindings for Samba
> ii samba 2:4.9.5+dfsg-5
> amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5
> all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5
> amd64 Samba common files used by both the server and
> the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5
> amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5
> amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5
> amd64 Samba Virtual FileSystem plugins
> ii smbclient 2:4.9.5+dfsg-5
> amd64 command-line SMB/CIFS clients for Unix
> ii winbind 2:4.9.5+dfsg-5
> amd64 service to resolve user and group information
> from Windows NT servers
>
> -----------
>
> 14. samba-tool fsmo show -H ldap://$(hostname -d)
>
>
> 15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
>
OK, these outputs look OK, but the difference is the username.
>
> 16. Notice I don't have "Administrator" as user in my Windows
> domain if that is an issue
Bingo,,.. we have a winner..
But wait.. Read on..
>
# Remove the local databases of the failed join (the two -name tests must be OR'ed, otherwise nothing matches)
find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -type f \( -name '*.tdb' -o -name '*.ldb' \) -delete
kinit dcadmin@REALM
Now join. ;-)
samba-tool domain join samdom.example.com DC -U"dcadmin@REALM"
Or
samba-tool domain join samdom.example.com DC -U"NTDOM\dcadmin"
Do note, if your Windows server is too high, you're not able to join.
So read this first:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
Greetz,
Louis
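The checks Louis walks through above (winbind in nsswitch.conf, real TLS files in smb.conf instead of self-signed keys, and the tdb/ldb cleanup before a re-join) as one pre-join script. This is an added example, not Louis's script and not anything Samba ships; the paths are Debian defaults and the function names are mine, and the cleanup part only lists files (dry run) rather than deleting them.

```shell
#!/bin/sh
# Pre-join checks for a Samba AD DC, built from the points made in the reply
# above. Added example, not Louis's script and not shipped by Samba.
# All paths are assumptions (Debian defaults); pass the real ones as arguments.

# Return 0 if every passwd:/group: line in the given nsswitch.conf lists
# winbind, 1 otherwise (the poster's box had "files systemd" only).
nss_has_winbind() {
    awk '
        /^[[:space:]]*(passwd|group):/ {
            n++
            if ($0 !~ /[[:space:]]winbind([[:space:]]|$)/) missing++
        }
        END { if (n == 0 || missing > 0) exit 1; exit 0 }
    ' "$1"
}

# Print the value of a smb.conf key (first match, surrounding blanks trimmed).
smbconf_get() {
    # $1 = smb.conf path, $2 = key, e.g. "tls keyfile"
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when "tls enabled = yes" and the key, cert and CA files it names
# are all readable, i.e. Samba will use your CA instead of self-signed keys.
tls_files_present() {
    conf=$1
    [ "$(smbconf_get "$conf" 'tls enabled')" = "yes" ] || return 1
    for key in 'tls keyfile' 'tls certfile' 'tls cafile'; do
        f=$(smbconf_get "$conf" "$key")
        [ -n "$f" ] && [ -r "$f" ] || return 1
    done
    return 0
}

# Dry run of the cleanup step: list the *.tdb / *.ldb files under the given
# directories without deleting them. The \( ... -o ... \) grouping matters:
# two bare -name tests are ANDed and never match a single file.
list_samba_dbs() {
    find "$@" -type f \( -name '*.tdb' -o -name '*.ldb' \) 2>/dev/null
}

# Run the checks against the live system when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    nss_has_winbind /etc/nsswitch.conf && echo "nsswitch: winbind ok" || echo "nsswitch: winbind missing"
    tls_files_present /etc/samba/smb.conf && echo "tls: ok" || echo "tls: not set or files missing"
    list_samba_dbs /var/lib/samba /var/cache/samba /run/samba
fi
```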