[Samba] Problem to join Samba 4 DC an existing Windows AD

L.P.H. van Belle belle at bazuin.nl
Wed Jun 26 07:48:59 UTC 2019


Hai, 
 
 
This part:
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br

I just noticed the same question (30 May 2019): https://www.spinics.net/lists/samba/msg157397.html
It looks like a bug in Samba and it's not reported in Bugzilla. 
 
Can you run this for me so I can have a good look at this: 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
Just to make sure the Linux side is set up correctly; anonymise where needed. 

 
Can you report it at https://bugzilla.samba.org, or I can report it for you, but I do want the requested info from the script in the bug report as well; then it's much more complete.
 
And the Windows version was? 
 
 
Greetz, 
 
louis
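The two checks below are an added example for the failure discussed in this thread; they are not code from the Samba project or from either poster. Error 8363 in the join output is ERROR_DS_NO_CROSSREF_FOR_NC: the existing DC rejected the new NTDS Settings object because one of the naming contexts it lists (the HasMasterNCs/msDS-HasMasterNCs values) has no crossRef object under CN=Partitions,CN=Configuration. The script parses a krb5.conf for the realm-versus-DNS-domain check raised earlier in the thread, and parses an LDIF listing of the crossRef objects to report which expected naming context has no crossRef. A listing of that shape can be captured with a command of the form `ldbsearch -H ldap://windc1.empresa.com.br -k yes -b 'CN=Partitions,CN=Configuration,DC=empresa,DC=com,DC=br' '(objectClass=crossRef)' nCName` (that invocation is an assumption of this example, not something the thread shows). The sample inputs are constructed; in the constructed partition list the ForestDnsZones application partition is deliberately absent, which is the shape to expect where DNS has always been served by BIND and the DNS application partitions were never created on a Windows DC.

```python
"""Pre-flight checks before `samba-tool domain join <domain> DC` into an existing AD.
Added example for this thread, not code from the Samba project or from the posters.
It reads text you capture yourself (/etc/krb5.conf and an LDIF dump of the crossRef
objects under CN=Partitions); the SAMPLE_* strings below are constructed inputs."""
import re
from typing import Dict, List

SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR
"""

# Constructed: crossRef objects as a search for '(objectClass=crossRef)' under
# CN=Partitions,CN=Configuration,... lists them. ForestDnsZones is deliberately absent.
SAMPLE_PARTITIONS_LDIF = """\
dn: CN=EMPRESA,CN=Partitions,CN=Configuration,DC=empresa,DC=com,DC=br
nCName: DC=empresa,DC=com,DC=br

dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=empresa,DC=com,DC=br
nCName: CN=Configuration,DC=empresa,DC=com,DC=br

dn: CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=empresa,DC=com,DC=br
nCName: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br

dn: CN=3f2a7c0e-1b52-4c7d-9a1e-5d8b0c2f4e61,CN=Partitions,CN=Configuration,
 DC=empresa,DC=com,DC=br
nCName: DC=DomainDnsZones,DC=empresa,DC=com,DC=br
"""


def default_realm(krb5_conf: str) -> str:
    """default_realm from [libdefaults], or '' if it is not set."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "default_realm":
                return value
    return ""


def realm_findings(dns_domain: str, realm: str) -> List[str]:
    """The realm must be the DNS domain in upper case; Samba expects that form."""
    if not realm:
        return ["krb5.conf sets no default_realm"]
    findings = []
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper-case")
    if realm.lower() != dns_domain.lower():
        findings.append(f"realm {realm!r} does not match DNS domain {dns_domain!r}")
    return findings


def parse_ldif(ldif: str) -> List[Dict[str, List[str]]]:
    """Tiny LDIF reader: blank-line separated entries, 'attr: value' lines, '#' comments
    skipped, leading-space continuation lines folded back. Attribute names lower-cased."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalise_dn(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def expected_naming_contexts(base_dn: str, dns_partitions: bool = True) -> List[str]:
    """NCs a writable DC of this domain holds; the DNS ones only exist with AD-integrated DNS."""
    config = f"CN=Configuration,{base_dn}"
    ncs = [base_dn, config, f"CN=Schema,{config}"]
    if dns_partitions:
        ncs += [f"DC=DomainDnsZones,{base_dn}", f"DC=ForestDnsZones,{base_dn}"]
    return ncs


def naming_contexts_without_crossref(partitions_ldif: str, ncs: List[str]) -> List[str]:
    """NCs that no crossRef names in nCName: the condition behind error 8363
    (ERROR_DS_NO_CROSSREF_FOR_NC) when the join's NTDS Settings object claims them."""
    covered = {normalise_dn(v) for e in parse_ldif(partitions_ldif) for v in e.get("ncname", [])}
    return [nc for nc in ncs if normalise_dn(nc) not in covered]


if __name__ == "__main__":
    for finding in realm_findings("empresa.com.br", default_realm(SAMPLE_KRB5_CONF)):
        print("realm:", finding)
    expected = expected_naming_contexts("DC=empresa,DC=com,DC=br")
    for nc in naming_contexts_without_crossref(SAMPLE_PARTITIONS_LDIF, expected):
        print("no crossRef for naming context:", nc)   # DC=ForestDnsZones,... in the sample
```

To use it against a real domain, replace the SAMPLE_* strings with the captured file contents (ldbsearch's `# record N` and `# returned N records` lines are skipped as comments). A naming context reported here is the first thing to compare with the NCs the failed join wrote into the NTDS Settings object. `samba-tool domain join` has a `--dns-backend` option that controls Samba's own DNS setup; whether a value of NONE also changes which naming contexts the join claims is something to confirm against `samba-tool domain join --help` and join.py on the installed version before relying on it.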
 

From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Sent: Wednesday 26 June 2019 5:54
To: L.P.H. van Belle
Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD



Hi,

>Question, does the Windows AD domain contain MS Exchange also? 
No.

>and what does the wiki tell me. 
>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
>There are three authentication methods you can use: 

>samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
>samba-tool domain join samdom.example.com DC -k yes 
>samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

I tried the 3 ways above.

>I suggest this. 
>Kinit Administrator 
>Then you know kerberos auth also works. 

Kerberos is working properly.

root@samba4dc:~# kinit administrator@EMPRESA.COM.BR
Password for administrator@EMPRESA.COM.BR:

root@samba4dc:~# klist -l
Principal name                 Cache name
--------------                 ----------
administrator@EMPRESA.COM.BR   FILE:/tmp/krb5cc_0

cat /etc/krb5.conf

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR


>Now, if you keep having problems with it, and you're using your own compiled setup, 
>Then show the compile parameters, or .. 
>Remove the compiled version and use my repo (http://apt.van-belle.nl) 
>And you can install 4.10.5 also on stretch with apt-get. 

Now I have installed from the repository:

apt-get install apt-transport-https
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | tee /etc/apt/sources.list.d/van-belle.list
echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | tee -a /etc/apt/sources.list.d/van-belle.list
apt-get update
apt-get install -t o=AptVanBelle samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

samba -V
   Version 4.10.5-Debian

netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      398/zabbix_agentd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23945/smbd
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      550/lighttpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      655/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23945/smbd
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      517/sshd
tcp6       0      0 :::10050                :::*                    LISTEN      398/zabbix_agentd
tcp6       0      0 :::139                  :::*                    LISTEN      23945/smbd
tcp6       0      0 :::81                   :::*                    LISTEN      550/lighttpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      655/master
tcp6       0      0 :::445                  :::*                    LISTEN      23945/smbd
tcp6       0      0 :::20000                :::*                    LISTEN      517/sshd
udp        0      0 0.0.0.0:42969           0.0.0.0:*                           394/rsyslogd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           383/dhclient
udp        0      0 192.168.255.255:137     0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.1.39:137        0.0.0.0:*                           23992/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.255.255:138     0.0.0.0:*                           23992/nmbd
udp        0      0 192.168.1.39:138        0.0.0.0:*                           23992/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           23992/nmbd


But the problems continue:

root at samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
INFO 2019-06-26 00:22:49,231 pid:658 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:22:49,241 pid:658 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
Password for [EMPRESA\administrator]:
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:22:58,016 pid:658 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")



root at samba4dc:~# samba-tool domain join empresa.com.br DC -k yes
INFO 2019-06-26 00:24:18,926 pid:666 /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
INFO 2019-06-26 00:24:18,934 pid:666 /usr/lib/python3/dist-packages/samba/join.py #105: Found DC windc1.empresa.com.br
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
INFO 2019-06-26 00:24:19,113 pid:666 /usr/lib/python3/dist-packages/samba/join.py #1522: realm is empresa.com.br
Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")
root at samba4dc:~#

Do you have any other ideas?


Regards, 

Márcio Bacci








On Tue, 25 Jun 2019 at 11:20, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai Marcio, 

Please keep mailing to the list, that helps everybody.  ;-) 

Question, does the Windows AD domain contain MS Exchange also? 
Oh, and my bad.. This: samba-tool domain tombstones expunge  
You need to purge the tombstones on the Windows server, 

but forget all that. 

I had a new look and noticed: 
root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
( a bit of a strange folder also to be in.. ) 

And what does the wiki tell me. 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory 
There are three authentication methods you can use: 

samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
samba-tool domain join samdom.example.com DC -k yes 
samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0

And yours, what is the difference.. ? 
samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br

I suggest this. 
Kinit Administrator 
Then you know kerberos auth also works. 
Then try : samba-tool domain join empresa.com.br DC -k yes 
And kdestroy to remove the kerberos ticket. 

Now, if you keep having problems with it, and you're using your own compiled setup, 
Then show the compile parameters, or .. 
Remove the compiled version and use my repo (http://apt.van-belle.nl) 
And you can install 4.10.5 also on stretch with apt-get. 



Greetz, 

Louis



________________________________

        From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
        Sent: Monday 24 June 2019 19:11
        To: L.P.H. van Belle
        Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD


        Hi,

        Below are the results of the commands executed on Samba 4:

        >Maybe first run : samba-tool domain tombstones expunge 

        samba-tool domain tombstones expunge
        Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

        dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
        dsdb_get_schema: refresh_fn() failed
        schema_load_init: dsdb_get_schema failed
        module schema_load initialization failed : Operations error
        module dsdb_notification initialization failed : Operations error
        module rootdse initialization failed : Operations error
        module samba_dsdb initialization failed : Operations error
        Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
        ERROR(ldb): uncaught exception - schema_load_init: dsdb_get_schema failed
          File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
            return self.run(*args, **kwargs)
          File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 3913, in run
            credentials=creds, lp=lp)
          File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 67, in __init__
            options=options)
          File "/usr/local/samba/lib/python3.5/site-packages/samba/__init__.py", line 115, in __init__
            self.connect(url, flags, options)
          File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 82, in connect
            options=options)



        >Check the DNS if any leftovers and check with RSAT also for leftovers. 
        There aren't any leftovers.

        >Then run : samba-tool dbcheck --cross-nc

        samba-tool dbcheck --cross-nc
        Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

        dsdb_schema_from_db() failed: 32:No such object: dsdb_schema: failed to search attributeSchema and classSchema objects: No such Base DN: CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
        dsdb_get_schema: refresh_fn() failed
        schema_load_init: dsdb_get_schema failed
        module schema_load initialization failed : Operations error
        module dsdb_notification initialization failed : Operations error
        module rootdse initialization failed : Operations error
        module samba_dsdb initialization failed : Operations error
        Unable to load modules for tdb:///usr/local/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
        ERROR: Failed to connect to DB at None.  If this is a really old sam.ldb (before alpha9), then try again with --force-modules


        >DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR 
        >These are NOT the same. 


        OK.

        root at samba4dc:~# cat /etc/krb5.conf 
        [libdefaults]
            dns_lookup_realm = false
            dns_lookup_kdc = true
            default_realm = EMPRESA.COM.BR


        cat /etc/resolv.conf 
        domain empresa.com.br
        search empresa.com.br
        nameserver 172.30.1.1 # is not the Windows DC
        nameserver 172.30.1.2 # is not the Windows DC


        We use BIND as authoritative DNS. The Windows DC only receives updates from the BIND servers.

        Regards,

        Márcio Bacci


        On Mon, 24 Jun 2019 at 12:09, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:



                > > ERROR(runtime): uncaught exception - (8639, "Failed to 
                > > process 'chunk' of
                > > DRS replicated objects: DOS code 0x000021bf")

                0x000021bf : 
                The replication operation failed because the target object referred by a link value is recycled.  
                Maybe first run : samba-tool domain tombstones expunge 
                Check the DNS if any leftovers and check with RSAT also for leftovers. 

                Then run : samba-tool dbcheck --cross-nc
                Fix things where needed. 

                THEN join. 

                And use : 
                samba-tool domain join empresa.com.br DC -Uadministrator --realm=EMPRESA.COM.BR

                DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR 
                These are NOT the same. 

                Greetz, 

                Louis


                -- 
                To unsubscribe from this list go to the following URL and read the
                instructions:  https://lists.samba.org/mailman/options/samba





