[Samba] Can't add DNS records when joining Windows DC (Was Can't find machine account)

Fri Jul 19 08:25:15 UTC 2019

Hi Tim,

Le 07/18/2019 à 04:24 AM, Tim Beale via samba a écrit :
> On 18/07/19 7:12 AM, Rowland penny via samba wrote:
>> On 17/07/2019 19:31, Robert A Wooldridge via samba wrote:
>>>
>>> Here's the full error:
>>>
>>> Could not find machine account in secrets database: Failed to fetch
>>> machine account password for EDM from both secrets.ldb (Could not
>>> find entry to match filter:
>>> '(&(flatname=EDM)(objectclass=primaryDomain))' base: 'cn=Primary
>>> Domains': No such object: dsdb_search at
>>> ../source4/dsdb/common/util.c:4705) and from
>>> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>> Problem is (so I have been told) neither secrets.tdb or secrets.ldb
>> will have been created at this point, so this could be a red herring.
>
> Yeah, I think that's a red herring. If we had more log context around
> the error, you'd probably see the following messages beforehand.
>
>>> Adding 1 remote DNS records for <blah-DC>
>>> Join failed - cleaning up
>>> Could not find machine account in secrets database: ...
>
> i.e. the 'machine account' message gets logged as part of the cleanup,
> after the join has already failed.
>
> A few people have noticed this problem. It mostly seems to occur when
> joining Samba to an older Windows DC.
>
> The join has basically completed successfully at this point, and
> samba-tool is trying to create DNS records on the Windows DC for the new
> Samba DC that's just joined. That part is failing, due to the Windows DC
> rejecting it.

from my past experience, the issue with joining win2k forest level 
server is that the DNS entries are still located on the main partition 
and not in DC=DomainDNSZones.

Before joining a Samba-AD successfully, one needs to upgrade forest 
level to 2k3 and then upgrade DNS zones to migrate the DNS entries from 
main zones to DC=DomainDNSZones and DC=ForestDNSZones [1]

I have successfully joined Samba-AD to aging win2k3 domain in the past, 
and it did work very well.

Cheers,

Denis

[1] 
https://www.itprotoday.com/windows-78/q-how-can-i-create-domaindnszones-directory-partition

>
> There's more details about the DNS records it's trying to add here:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>
> One option might be to hack the join code to skip this step, and then
> try to fix up these DNS records manually later. To do so, apply the
> attached patch and retry the join, e.g.
> cd /usr/lib/python2.7/dist-packages/samba
> patch -p1 < join.patch
>
> However, it'd be good to understand what exactly Windows doesn't like
> about what Samba is telling it to do, so we could come up with a better
> solution.
>
>
>

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr