[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

René Schmidt rene at schmidthome-sh.de
Sat Jul 20 20:20:57 UTC 2019 

Hello Rowland,

I also tried that again.

Even now I get exactly the same mistake again:
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')

To your question:
I look after a number of clubs, e.g. to use a web application for time recording, to work partly on a terminal server, or to have an Exchange mailbox in the future. However, the Exchange mailboxes should be hosted at Microsoft in the cloud. For this I need a sync to Office365. Unfortunately, this only works conditionally with Samba.
I found out that there are quite a few problems with the Azure AD Connector:
- the password sync does not work at all
- Group memberships are not synced
- Restriction to sync groups does not work
Since these problems do not occur with a Windows server, I would like to have a Windows server as domaincontoler on which runs the sync.

Do you have any idea what else could be a problem?

René
-----Ursprüngliche Nachricht-----
Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba
Gesendet: Samstag, 20. Juli 2019 17:21
An: sambalist <samba at lists.samba.org>
Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

On 20/07/2019 15:59, René Schmidt wrote:
> Hello,
>
>   I have now set up a new Windows Server 2012 R2 and configured as an AD.
>
> "kinit administrator" works.
>
> Now when I try to accept the AD with a Samba DC I still get the following error message:
> samba-tool domain join mydom.local DC -U "MYDOM\ dministrator"
> INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local'
> INFO 2019-07-20 16: 55: 53,064 pid: 1280 
> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]:
> INFO 2019-07-20 16: 55: 56,210 pid: 1280 
> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: 
> workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 
> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: 
> realm is mydom.local Adding CN = SAD, OU = domain controllers, DC = 
> mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First 
> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local 
> Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First 
> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local 
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 
> 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = 
> SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = SAD, 
> CN = Servers, CN = Default First Site Name, CN = Sites, CN = 
> Configuration, DC = mydom, DC = local ERROR (runtime): uncaught 
> exception - DsAddEntry failed
>    File 
> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py
> ", line 185, in _run
>      return self.run (* args, ** kwargs)
>    File 
> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", 
> line 700, in run
>      backend_store = backend_store)
>    File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", 
> line 1535, in join_DC
>      ctx.do_join ()
>    File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", 
> line 1427, in do_join
>      ctx.join_add_objects ()
>    File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", 
> line 669, in join_add_objects
>      ctx.join_add_ntdsdsa ()
>    File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", 
> line 594, in join_add_ntdsdsa
>      ctx.DsAddEntry ([REC])
>    File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", 
> line 543, in DsAddEntry
>      raise RuntimeError ("DsAddEntry failed")
>
> As described in the wiki, I have set the functional levels to 2008 R2:
> Set-ADForestMode -Identity "mydom.local" -ForestMode 
> Windows2008R2Forest Set-ADForestMode -Identity "mydom.local" 
> domainMode Windows2008R2Forest
>
> Do you have another idea?
>
> René
>
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von 
> Rowland penny via samba
> Gesendet: Freitag, 19. Juli 2019 19:48
> An: sambalist <samba at lists.samba.org>
> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
>
> On 19/07/2019 18:13, René Schmidt wrote:
>> Hello,
>>
>> would it work with Windows Server 2016?
>> It is a completely new AD, so I could reinstall the server again?
>>
>> Does not it work even though I have set ForestMode to Windows2008R2Forest?
>> is foreseeable when this could work?
> No, you 'might' be able to get 2012R2 to work, try reading this:
>
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>
> Rowland
>
>
>
>
I did say 'might' ;-)

Try this way:

go here: http://apt.van-belle.nl/

Set up the repo for 18.04 as described on that page

Install these packages: attr samba smbclient dnsutils acl krb5-user winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils

Ensure /etc/samba/smb.conf does not exist and try again.

Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ?

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list