[Samba] Problem to join Samba 4 DC an existing Windows AD
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 26 07:48:59 UTC 2019
Hai,
this part.
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
I just noticed the same question, (30 may 2019) https://www.spinics.net/lists/samba/msg157397.html
I looks like a bug in samba and its not reported in bugzilla.
Can you run this for me so i can have a good look at this.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Just to make sure the linux side is setup correctly, anonymise where needed if needed.
Can you report it, @ https://bugzilla.samba.org or i can report it for you, but i do want the requested info of the script also in the bugreport, then its much more complete.
And the windows version was?
Greetz,
louis
Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Verzonden: woensdag 26 juni 2019 5:54
Aan: L.P.H. van Belle
Onderwerp: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD
Hi,
>Question, does the Windows AD domain contain MS Exchange also?
No.
>and what does the wiki tell me.
>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>There are three authentication methods you can us:
>samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
>samba-tool domain join samdom.example.com DC -k yes
>samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
I tried the 3 ways above.
>I suggest this.
>Kinit Administrator
>Then you know kerberos auth also works.
Kerberos is working properly.
root at samba4dc:~# kinit administrator at EMPRESA.COM.BR
Password for administrator at EMPRESA.COM.BR:
root at samba4dc:~# klist -l
Principal name Cache name
-------------- ----------
administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
>Now, if you keep having problems with it, and your using own compiled setup,
>Then show the compile parameters, or ..
>Remove the compiled version and use my repo (http://apt.van-belle.nl)
>And you can install 4.10.5 also on stretch with apt-get.
Now, I have installed by Repository:
apt-get install apt-transport-https
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | tee -a /etc/apt/sources.list.d/van-belle.list
apt-get update
apt-get install -t o=AptVanBelle samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
samba -V
Version 4.10.5-Debian
netstat -lntup
Conexões Internet Ativas (sem os servidores)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:10050 0.0.0.0:* OUÇA 398/zabbix_agentd
tcp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:139 0.0.0.0:* OUÇA 23945/smbd
tcp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:81 0.0.0.0:* OUÇA 550/lighttpd
tcp 0 0 MailScanner warning: numerical links are often malicious: 127.0.0.1:25 0.0.0.0:* OUÇA 655/master
tcp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:445 0.0.0.0:* OUÇA 23945/smbd
tcp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:20000 0.0.0.0:* OUÇA 517/sshd
tcp6 0 0 :::10050 :::* OUÇA 398/zabbix_agentd
tcp6 0 0 :::139 :::* OUÇA 23945/smbd
tcp6 0 0 :::81 :::* OUÇA 550/lighttpd
tcp6 0 0 ::1:25 :::* OUÇA 655/master
tcp6 0 0 :::445 :::* OUÇA 23945/smbd
tcp6 0 0 :::20000 :::* OUÇA 517/sshd
udp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:42969 0.0.0.0:* 394/rsyslogd
udp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:68 0.0.0.0:* 383/dhclient
udp 0 0 MailScanner warning: numerical links are often malicious: 192.168.255.255:137 0.0.0.0:* 23992/nmbd
udp 0 0 MailScanner warning: numerical links are often malicious: 192.168.1.39:137 0.0.0.0:* 23992/nmbd
udp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:137 0.0.0.0:* 23992/nmbd
udp 0 0 MailScanner warning: numerical links are often malicious: 192.168.255.255:138 0.0.0.0:* 23992/nmbd
udp 0 0 MailScanner warning: numerical links are often malicious: 192.168.1.39:138 0.0.0.0:* 23992/nmbd
udp 0 0 MailScanner warning: numerical links are often malicious: 0.0.0.0:138 0.0.0.0:* 23992/nmbd
But the problems continue:
root at samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
INFO 2019-06-26 00:22:49,231 pid:658 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:22:49,241 pid:658 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
Password for [EMPRESA\administrator]:
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
backend_store=backend_store)
File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
ctx.do_join()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
ctx.join_add_objects()
File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
ctx.join_add_ntdsdsa()
File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
ctx.DsAddEntry([rec])
File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
raise RuntimeError("DsAddEntry failed")
root at samba4dc:~# samba-tool domain join empresa.com.br DC -k yes
INFO 2019-06-26 00:24:18,926 pid:666 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:24:18,934 pid:666 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
backend_store=backend_store)
File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
ctx.do_join()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
ctx.join_add_objects()
File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
ctx.join_add_ntdsdsa()
File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
ctx.DsAddEntry([rec])
File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
raise RuntimeError("DsAddEntry failed")
root at samba4dc:~#
Do you have any other idea ?
Regards,
Márcio Bacci
Em ter, 25 de jun de 2019 às 11:20, L.P.H. van Belle <belle at bazuin.nl> escreveu:
Hai Marcio,
Please keep mailing to the list, that helps everybody. ;-)
Question, does the Windows AD domain contain MS Exchange also?
Ow and my bad.. This : samba-tool domain tombstones expunge
You need to purge the tombstones on the windows server,
but forget that all.
I had a new look and noticed:
root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
( a bit of a strange folder also to be in.. )
And what does the wiki tell me.
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
There are three authentication methods you can us:
samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
samba-tool domain join samdom.example.com DC -k yes
samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
And yours, what is the difference.. ?
samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
I suggest this.
Kinit Administrator
Then you know kerberos auth also works.
Then try : samba-tool domain join empresa.com.br DC -k yes
And kdestroy to remove the kerberos ticket.
Now, if you keep having problems with it, and your using own compiled setup,
Then show the compile parameters, or ..
Remove the compiled version and use my repo (http://apt.van-belle.nl)
And you can install 4.10.5 also on stretch with apt-get.
Greetz,
Louis
________________________________
Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Verzonden: maandag 24 juni 2019 19:11
Aan: L.P.H. van Belle
Onderwerp: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD
Hi,
Follows the results of commands below executed in Samba 4:
>Maybe first run : samba-tool domain tombstones expunge
samba-tool domain tombstones expunge
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
dsdb_get_schema: refresh_fn() failed
schema_load_init: dsdb_get_schema failed
module schema_load initialization failed : Operations error
module dsdb_notification initialization failed : Operations error
module rootdse initialization failed : Operations error
module samba_dsdb initialization failed : Operations error
Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
ERROR(ldb): uncaught exception - schema_load_init: dsdb_get_schema failed
File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 3913, in run
credentials=creds, lp=lp)
File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 67, in __init__
options=options)
File "/usr/local/samba/lib/python3.5/site-packages/samba/__init__.py", line 115, in __init__
self.connect(url, flags, options)
File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 82, in connect
options=options)
>Check the DNS if any leftovers and check with RSAT also for leftovers.
There isn't leftovers.
>Then run : samba-tool dbcheck --cross-nc
samba-tool dbcheck --cross-nc
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
dsdb_get_schema: refresh_fn() failed
schema_load_init: dsdb_get_schema failed
module schema_load initialization failed : Operations error
module dsdb_notification initialization failed : Operations error
module rootdse initialization failed : Operations error
module samba_dsdb initialization failed : Operations error
Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
ERROR: Failed to connect to DB at None. If this is a really old sam.ldb (before alpha9), then try again with --force-modules
>DNS domain = empresa.com.br <http://empresa.com.br/> and Kerberos domain = EMPRESA.COM.BR <http://empresa.com.br/>
>These are NOT the same.
OK.
root at samba4dc:~# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 172.30.1.1 # is not the Windows DC
nameserver 172.30.1.2 # is not the Windows DC
We use bind as authorative DNS. The Windows DC only receves updates of the bind servers.
Regards,
Márcio Bacci
Em seg, 24 de jun de 2019 às 12:09, L.P.H. van Belle via samba <samba at lists.samba.org> escreveu:
> > ERROR(runtime): uncaught exception - (8639, "Failed to
> > process 'chunk' of
> > DRS replicated objects: DOS code 0x000021bf")
0x000021bf :
The replication operation failed because the target object referred by a link value is recycled.
Maybe first run : samba-tool domain tombstones expunge
Check the DNS if any leftovers and check with RSAT also for leftovers.
Then run : samba-tool dbcheck --cross-nc
Fix things where needed.
THEN join.
And use :
samba-tool domain join empresa.com.br DC -Uadministrator --realm=EMPRESA.COM.BR
DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR
These are NOT the same.
Greetz,
Louis
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list