[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Tim Beale
timbeale at catalyst.net.nz
Fri Jul 26 02:25:49 UTC 2019
On 22/07/19 5:18 PM, Tim Beale via samba wrote:
> On 21/07/19 2:59 AM, René Schmidt via samba wrote:
>> Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
>> Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
>> Join failed - cleaning up
>> Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local
>> Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
>> ERROR (runtime): uncaught exception - DsAddEntry failed
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
>> return self.run (* args, ** kwargs)
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run
>> backend_store = backend_store)
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC
>> ctx.do_join ()
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join
>> ctx.join_add_objects ()
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects
>> ctx.join_add_ntdsdsa ()
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa
>> ctx.DsAddEntry ([REC])
>> File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry
>> raise RuntimeError ("DsAddEntry failed")
> I see this problem trying to join Windows too. I think this is broken on
> Samba v4.10 and v4.11/master. Using v4.7 and v4.9 seems to work OK.
>
> It looks like the problem might be a python2 vs python3 issue. So if
> anyone else hits this on v4.10 and has the samba python2 packages
> installed, then they could try running the samba-tool command under
> python2, e.g. '$(which python2) samba-tool domain join...'.
>
> Our current suspicion is that it's a list/dictionary ordering problem,
> so alternatively if you run the command enough times with python3 it
> might also eventually work...
FYI, in case anyone else hits this problem, I've raised the following
bug. It's now fixed in master and should hopefully be fixed in 4.10.7.
https://bugzilla.samba.org/show_bug.cgi?id=14046
More information about the samba
mailing list