[Samba] Failing to join existing AD as DC

L.P.H. van Belle belle at bazuin.nl
Fri Aug 16 13:56:44 UTC 2019


Hai, 

Well, Rowland was before me ... again.
So I removed all the parts I'm agreeing with.


> 
> - Naming: I could not find any object in the existing AD with 
> the same name of the Samba DC that I want to add
AD and DNS? You forgot the DNS is my guess.

[2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS') 


> 
> 9. unmask samba-ad-dc service

systemctl disable samba smbd nmbd winbind
But I think you know that/did that already.



> 11. loads of DNS errors in the log like
...
> ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
>   TLS self-signed keys generated OK

??
>   TLS self-signed keys generated OK  << 
But you did set up your CA on Windows, correct??
Then why are you not using them?

Create a new certificate + key file for this server and add these to Samba's smb.conf.

Like this : 

        # Add and Update TLS Key
        tls enabled = yes
        tls keyfile = /etc/ssl/private/xxxx.key.pem
        tls certfile = /etc/ssl/certs/xxxx.cert.pem
        tls cafile = /etc/ssl/certs/xxxx-ca.pem

Change the path/file names to your needs.
And add the Root CA to Debian; how you did that was correct.

> 
> 12. changed /etc/resolv.conf to point to itself, restarted 
> samba-ad-dc -> log fine

Yes, but it's not syncing now between the Windows DC and itself.
And it's the only AD DC now; you created a new domain, not joined.


> 
> 13. output of your debug script
> 
> 
>        Checking file: /etc/nsswitch.conf

You installed the nss- and pam parts, but you did not enable it in /etc/nsswitch.conf 

> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files systemd
> group:          files systemd

passwd:         files systemd winbind
group:          files systemd winbind


> -----------
> 
>        Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
> 	dns forwarder = 10.0.1.100
> 	netbios name = KA-H9-DC01
> 	realm = SAMDOM.EXAMPLE.COM
> 	server role = active directory domain controller
> 	workgroup = COMPANYNAME
> 	idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/samdom.example.com/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> -----------
> 
> BIND_DLZ not detected in smb.conf
> 
> -----------
> 
> Installed packages:
> ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
> ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
> ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
> ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
> ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64              4.8-2                       amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64           2:4.9.5+dfsg-5              amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64        Samba winbind client library
> ii  python-samba                   2:4.9.5+dfsg-5              amd64        Python bindings for Samba
> ii  samba                          2:4.9.5+dfsg-5              amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                   2:4.9.5+dfsg-5              all          common files used by both the Samba server and client
> ii  samba-common-bin               2:4.9.5+dfsg-5              amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64        Samba Directory Services Database
> ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64        Samba core libraries
> ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64        Samba Virtual FileSystem plugins
> ii  smbclient                      2:4.9.5+dfsg-5              amd64        command-line SMB/CIFS clients for Unix
> ii  winbind                        2:4.9.5+dfsg-5              amd64        service to resolve user and group information from Windows NT servers
> 
> -----------
> 
> 14. samba-tool fsmo show -H ldap://$(hostname -d)
> 

> 
> 15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
> 


OK, these outputs look OK, but the difference is the username.

> 
> 16. Notice I don't have "Administrator" as user in my Windows 
> domain if that is an issue

Bingo.. we have a winner..
But wait.. read on..

> 

find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete

kinit dcadmin@REALM

Now join.  ;-) 

samba-tool domain join samdom.example.com DC -U"dcadmin@REALM"
Or 
samba-tool domain join samdom.example.com DC -U"NTDOM\dcadmin"


Do note, if your Windows server is too high, you're not able to join.
So read this first:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD



Greetz, 

Louis
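As an added example (not code from this thread, from Louis, or from the Samba project), the two configuration points raised above, the missing `winbind` entries in /etc/nsswitch.conf and the absent `tls keyfile`/`tls certfile`/`tls cafile` lines that make Samba fall back to its self-signed certificate, can be checked before a (re)join with a small preflight script. It parses the files as text so it runs offline; the sample inputs are constructed from the smb.conf and nsswitch.conf quoted in the thread, and the TLS paths are the `xxxx` placeholders from the reply, not real files.

```python
"""Preflight checks for a Samba AD DC before (re)joining an existing domain.

Added example, not code from the thread or from the Samba project.
It reads nsswitch.conf and smb.conf as text, so it runs offline against
the constructed samples below (taken from the configuration quoted above).
"""
import re

# Constructed from the quoted debug output: passwd/group never consult winbind.
NSSWITCH_AS_POSTED = """\
# /etc/nsswitch.conf
passwd:         files systemd
group:          files systemd
"""

# The corrected lines from the reply.
NSSWITCH_FIXED = """\
passwd:         files systemd winbind
group:          files systemd winbind
"""

# Constructed from the quoted smb.conf (no TLS lines at all).
SMB_CONF_AS_POSTED = """\
# Global parameters
[global]
\tdns forwarder = 10.0.1.100
\tnetbios name = KA-H9-DC01
\trealm = SAMDOM.EXAMPLE.COM
\tserver role = active directory domain controller
\tworkgroup = COMPANYNAME
\tidmap_ldb:use rfc2307 = yes

[sysvol]
\tpath = /var/lib/samba/sysvol
\tread only = No
"""

# Same file with the TLS lines from the reply added; xxxx paths are placeholders.
SMB_CONF_FIXED = SMB_CONF_AS_POSTED.replace(
    "[sysvol]",
    "\t# Add and Update TLS Key\n"
    "\ttls enabled = yes\n"
    "\ttls keyfile = /etc/ssl/private/xxxx.key.pem\n"
    "\ttls certfile = /etc/ssl/certs/xxxx.cert.pem\n"
    "\ttls cafile = /etc/ssl/certs/xxxx-ca.pem\n\n[sysvol]",
)

TLS_FILE_KEYS = ("tls keyfile", "tls certfile", "tls cafile")


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def check_nsswitch(text):
    """Return the databases among passwd/group that do not consult winbind."""
    databases = parse_nsswitch(text)
    return [db for db in ("passwd", "group") if "winbind" not in databases.get(db, [])]


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with whitespace-normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def check_tls(text):
    """Findings about [global] TLS: explicit disable, or the self-signed fallback."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Samba's default for 'tls enabled' is yes, so only an explicit 'no' is a finding.
    if g.get("tls enabled", "yes").lower() not in ("yes", "true", "1"):
        findings.append("tls enabled is off: LDAPS/StartTLS unavailable")
    missing = [k for k in TLS_FILE_KEYS if k not in g]
    if missing:
        findings.append("self-signed fallback: CA-issued cert not configured, missing "
                        + ", ".join(missing))
    return findings


def preflight(smb_conf_text, nsswitch_text):
    """Combine both checks; empty lists mean nothing blocks the join on these points."""
    return {"nsswitch_missing_winbind": check_nsswitch(nsswitch_text),
            "tls": check_tls(smb_conf_text)}


if __name__ == "__main__":
    for label, smb, nss in (("as posted", SMB_CONF_AS_POSTED, NSSWITCH_AS_POSTED),
                            ("fixed", SMB_CONF_FIXED, NSSWITCH_FIXED)):
        print(label, preflight(smb, nss))
```

Run it against real files with `preflight(open("/etc/samba/smb.conf").read(), open("/etc/nsswitch.conf").read())`; an empty `tls` list only says the three parameters are set, so still confirm the key file is readable only by root and that the certificate chains to the CA you imported into Debian.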



