[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

René Schmidt rene at schmidthome-sh.de
Sat Jul 20 14:59:47 UTC 2019


Hello,

 I have now set up a new Windows Server 2012 R2 and configured as an AD.

"kinit administrator" works.

Now when I try to accept the AD with a Samba DC I still get the following error message:
samba-tool domain join mydom.local DC -U "MYDOM\ dministrator"
INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local'
INFO 2019-07-20 16: 55: 53,064 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local
Password for [MYDOM \ administrator]:
INFO 2019-07-20 16: 55: 56,210 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: workgroup is MYDOM
INFO 2019-07-20 16: 55: 56,215 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: realm is mydom.local
Adding CN = SAD, OU = domain controllers, DC = mydom, DC = local
Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local
Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
ERROR (runtime): uncaught exception - DsAddEntry failed
  File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run (* args, ** kwargs)
  File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run
    backend_store = backend_store)
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry ([REC])
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError ("DsAddEntry failed")

As described in the wiki, I have set the functional levels to 2008 R2:
Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest
Set-ADForestMode -Identity "mydom.local" domainMode Windows2008R2Forest

Do you have another idea?

René

-----Ursprüngliche Nachricht-----
Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba
Gesendet: Freitag, 19. Juli 2019 19:48
An: sambalist <samba at lists.samba.org>
Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

On 19/07/2019 18:13, René Schmidt wrote:
> Hello,
>
> would it work with Windows Server 2016?
> It is a completely new AD, so I could reinstall the server again?
>
> Does not it work even though I have set ForestMode to Windows2008R2Forest?
> is foreseeable when this could work?

No, you 'might' be able to get 2012R2 to work, try reading this:

https://wiki.samba.org/index.php/Windows_2012_Server_compatibility

Rowland




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




More information about the samba mailing list