[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

René Schmidt rene at schmidthome-sh.de
Sun Jul 21 09:22:47 UTC 2019


Hello Rowland,

I have started again:
- new Windows Server 2012 R2 installed
- DNS server set up
- once again freshly installed Ubuntu 18.04
- entered the IP of the Windows server as DNS server
- installed the Samba package from the official Ubuntu source:
dpkg -l | grep samba
ii  python-samba                          	2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        Python bindings for Samba
ii  samba                                 	2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.7.6+dfsg~ubuntu-0ubuntu2.11   all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules	2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        Samba Directory Services Database
ii  samba-libs:amd64		2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        Samba core libraries
ii  samba-vfs-modules		2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64        Samba Virtual FileSystem plugins


If I now run
samba-tool domain join mydom.local DC -U "MYDOM\administrator" -d3
I get the following message:
Adding 1 remote DNS records for SAD. mydom.local
Using binding ncacn_ip_tcp: WAD. mydom.local [, sign]
resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20>
resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20>
Adding DNS A record WAD.schmidthome.local for IPv4 IP: 192.168.159.98
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for MYDOM from both secrets.ldb (Could not find entry to match filter: '(& (flatname = MYDOM) (objectclass = primaryDomain))' base: 'cn = Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN = RID Set, CN = SAD, OU = Domain Controller, DC = mydom, DC = local
Deleted CN = SAD, OU = domain controllers, DC = myadmon, DC = local
Deleted CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
ERROR (runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run (* args, ** kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass = machinepass, use_ntvfs = use_ntvfs, dns_backend = dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join ()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records ()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1116, in join_add_dns_records
    dns_partition = domaindns_zone_dn)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 939, in dns_lookup
    dns_partition = dns_partition)

Do you have an idea?
The DNS entry is created on the Windows server for the Samba server.

René



-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
Sent: Saturday, 20 July 2019 22:56
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

On 20/07/2019 21:20, René Schmidt wrote:
> Hello Rowland,
>
> I also tried that again.
>
> Even now I get exactly the same mistake again:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 
> 'WERR_DS_NO_CROSSREF_FOR_NC')
>
> To your question:
> I look after a number of clubs, e.g. to use a web application for time recording, to work partly on a terminal server, or to have an Exchange mailbox in the future. However, the Exchange mailboxes should be hosted at Microsoft in the cloud. For this I need a sync to Office365. Unfortunately, this only works conditionally with Samba.
> I found out that there are quite a few problems with the Azure AD Connector:
> - the password sync does not work at all
> - Group memberships are not synced
> - Restriction to sync groups does not work
> Since these problems do not occur with a Windows server, I would like to have a Windows server as domain controller on which the sync runs.
>
> Do you have any idea what else could be a problem?
>
> René
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Saturday, 20 July 2019 17:21
> To: sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
>
> On 20/07/2019 15:59, René Schmidt wrote:
>> Hello,
>>
>>    I have now set up a new Windows Server 2012 R2 and configured as an AD.
>>
>> "kinit administrator" works.
>>
>> Now when I try to accept the AD with a Samba DC I still get the following error message:
>> samba-tool domain join mydom.local DC -U "MYDOM\administrator"
>> INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local'
>> INFO 2019-07-20 16: 55: 53,064 pid: 1280 
>> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]:
>> INFO 2019-07-20 16: 55: 56,210 pid: 1280 
>> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519:
>> workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 
>> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522:
>> realm is mydom.local Adding CN = SAD, OU = domain controllers, DC = 
>> mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First 
>> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local 
>> Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First 
>> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local 
>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363,
>> 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = 
>> SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = 
>> SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = 
>> Configuration, DC = mydom, DC = local ERROR (runtime): uncaught 
>> exception - DsAddEntry failed
>>     File
>> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.p
>> y
>> ", line 185, in _run
>>       return self.run (* args, ** kwargs)
>>     File
>> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py"
>> ,
>> line 700, in run
>>       backend_store = backend_store)
>>     File 
>> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py",
>> line 1535, in join_DC
>>       ctx.do_join ()
>>     File 
>> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py",
>> line 1427, in do_join
>>       ctx.join_add_objects ()
>>     File 
>> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py",
>> line 669, in join_add_objects
>>       ctx.join_add_ntdsdsa ()
>>     File 
>> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py",
>> line 594, in join_add_ntdsdsa
>>       ctx.DsAddEntry ([REC])
>>     File 
>> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py",
>> line 543, in DsAddEntry
>>       raise RuntimeError ("DsAddEntry failed")
>>
>> As described in the wiki, I have set the functional levels to 2008 R2:
>> Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest
>> Set-ADForestMode -Identity "mydom.local" domainMode Windows2008R2Forest
>>
>> Do you have another idea?
>>
>> René
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
>> Sent: Friday, 19 July 2019 19:48
>> To: sambalist <samba at lists.samba.org>
>> Subject: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
>>
>> On 19/07/2019 18:13, René Schmidt wrote:
>>> Hello,
>>>
>>> would it work with Windows Server 2016?
>>> It is a completely new AD, so I could reinstall the server again?
>>>
>>> Does it not work even though I have set ForestMode to Windows2008R2Forest?
>>> Is it foreseeable when this could work?
>> No, you 'might' be able to get 2012R2 to work, try reading this:
>>
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>
>> Rowland
>>
>>
>>
>>
> I did say 'might' ;-)
>
> Try this way:
>
> go here: http://apt.van-belle.nl/
>
> Set up the repo for 18.04 as described on that page
>
> Install these packages: attr samba smbclient dnsutils acl krb5-user 
> winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils
>
> Ensure /etc/samba/smb.conf does not exist and try again.
>
> Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ?
>
> Rowland
>
>
>
>
OK, but you might think it a bit strange, try joining Samba 4.7.X instead, if this works, walk Samba up the minor versions, 4.7.x --> 4.8.x --> 4.9.x --> 4.10.x

Rowland


