[Samba] Problem to join Samba 4 DC an existing Windows AD

Tim Beale timbeale at catalyst.net.nz
Wed Jun 26 21:58:43 UTC 2019


Hi Márcio,

I think this is the same problem as seen here:
https://lists.samba.org/archive/samba/2018-June/216549.html

The problem is due to differences in the replication implementation
between Samba and Windows. Normally, Samba uses the GET_TGT mechanism to
recover from this situation, but unfortunately that feature is only
supported on Windows 2008R2 DCs, not 2008 like you have.

Try the suggested work-around on that thread:
- Join a DC running Samba v4.7.
- After the join, do a 'samba-tool drs replicate --full-sync' on each of
the partitions to recover the dropped links.
- Upgrade the Samba DC to v4.10 (probably best to do this by joining a
second v4.10 Samba DC, then upgrade the first v4.7 DC to v4.10 and
rejoin it to the second Samba DC).

Cheers,
Tim

On 25/06/19 2:11 AM, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> My DCs are Windows Server 2008 (not R2) and I intend to replace them with
> Samba 4.
>
> I'm using Samba 4.10.5 on Debian 9.9
>
> When I execute the commands below, it seems that errors occur: it does not
> receive replication of the objects from the base of the AD, or does not
> commit the operation:
>
> root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC
> -Uadministrator --realm=empresa.com.br
>
> INFO 2019-06-23 20:53:06,973 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/join.py #103: Finding a
> writeable DC for domain 'empresa.com.br'
> INFO 2019-06-23 20:53:06,981 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/join.py #105: Found DC
> navegantes.empresa.com.br
> Password for [WORKGROUP\administrator]:
> INFO 2019-06-23 20:53:18,322 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1519: workgroup
> is EMPRESA
> INFO 2019-06-23 20:53:18,323 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1522: realm is
> empresa.com.br
> Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empres,DC=com,DC=br
> Adding
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Adding SPNs to CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Setting account password for SAMBA4DC$
> Enabling account
> Calling bare provision
> INFO 2019-06-23 20:53:22,325 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2079: Looking up IPv4 addresses
> INFO 2019-06-23 20:53:22,325 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2096: Looking up IPv6 addresses
> WARNING 2019-06-23 20:53:22,326 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2103: No IPv6 address will be assigned
> INFO 2019-06-23 20:53:22,621 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2269: Setting up share.ldb
> INFO 2019-06-23 20:53:22,775 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2273: Setting up secrets.ldb
> INFO 2019-06-23 20:53:22,884 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2279: Setting up the registry
> INFO 2019-06-23 20:53:23,021 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2282: Setting up the privileges database
> INFO 2019-06-23 20:53:23,070 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2285: Setting up idmap db
> INFO 2019-06-23 20:53:23,143 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2292: Setting up SAM db
> INFO 2019-06-23 20:53:23,158 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #882: Setting up sam.ldb partitions and settings
> INFO 2019-06-23 20:53:23,161 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #894: Setting up sam.ldb rootDSE
> INFO 2019-06-23 20:53:23,166 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #1297: Pre-loading the Samba 4 and AD schema
>
> *Unable to determine the DomainSID, can not enforce uniqueness constraint
> on local domainSIDs*
> INFO 2019-06-23 20:53:23,200 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2342: A Kerberos configuration suitable for Samba AD has been generated at
> /usr/local/samba/private/krb5.conf
> INFO 2019-06-23 20:53:23,200 pid:674
> /usr/local/samba/lib/python3.5/site-packages/samba/provision/__init__.py
> #2343: Merge the contents of this file with your system krb5.conf or
> replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=empres,DC=com,DC=br
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br]
> objects[402/1626] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br]
> objects[804/1626] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br]
> objects[1206/1626] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br]
> objects[1521/1626] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=empresa,DC=com,DC=br] objects[402/1262]
> linked_values[0/46]
> Partition[CN=Configuration,DC=empresa,DC=com,DC=br] objects[804/1262]
> linked_values[0/46]
> Partition[CN=Configuration,DC=empresa,DC=com,DC=br] objects[1206/1262]
> linked_values[0/46]
> Partition[CN=Configuration,DC=empresa,DC=com,DC=br] objects[1608/1262]
> linked_values[0/46]
> Partition[CN=Configuration,DC=empresa,DC=com,DC=br] objects[1696/1262]
> linked_values[46/46]
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 43911352-587f-417a-a791-3faab1c8944f
> CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br:
> WERR_DS_ADD_REPLICA_INHIBITED
> Replicating critical objects from the base DN of the domain
> Partition[DC=empresa,DC=com,DC=br] objects[101/546] linked_values[18/257]
> Partition[DC=empresa,DC=com,DC=br] objects[402/2392] linked_values[0/257]
> Partition[DC=empresa,DC=com,DC=br] objects[806/2392] linked_values[50/257]
>
> *Failed to commit objects: DOS code 0x000021bfJoin failed - cleaning up*
> Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Deleted
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> ERROR(runtime): uncaught exception - (8639, "Failed to process 'chunk' of
> DRS replicated objects: DOS code 0x000021bf")
>   File
> "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py",
> line 185, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line
> 699, in run
>     backend_store=backend_store)
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> 1535, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> 1429, in do_join
>     ctx.join_replicate()
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> 977, in join_replicate
>     replica_flags=ctx.domain_replica_flags)
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/drs_utils.py",
> line 356, in replicate
>     raise e
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/drs_utils.py",
> line 343, in replicate
>     self.process_chunk(level, ctr, schema, req_level, req, first_chunk)
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/drs_utils.py",
> line 237, in process_chunk
>     schema=schema, req_level=req_level, req=req)
>
>
> Does anybody have an idea how to solve this problem?
>
> Regards,
>
> Márcio Bacci
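
Step 2 of the work-around in the reply above (a full sync of each partition after the v4.7 join), as a small script. This is an added example, not code from the thread or from the Samba project. The host names and realm are taken from the join log; the three-partition list is an assumption (add DNS application partitions such as DC=DomainDnsZones,... if the forest has them).

```shell
#!/bin/sh
# Added example: run 'samba-tool drs replicate --full-sync' once per partition.
# Assumes it is run on the newly joined Samba DC with working credentials.

realm_to_dn() {
    # empresa.com.br -> DC=empresa,DC=com,DC=br
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

partitions() {
    # Naming contexts seen in the join log: domain, Configuration, Schema.
    base=$(realm_to_dn "$1")
    printf '%s\n' "$base" \
        "CN=Configuration,$base" \
        "CN=Schema,CN=Configuration,$base"
}

full_sync() {
    # $1 = destination DC (the new Samba DC), $2 = source DC (existing DC),
    # $3 = realm, $4 = "run" to execute; anything else only prints the commands.
    # The DNs built here contain no whitespace, so plain word splitting is safe
    # and keeps stdin free for a password prompt.
    for nc in $(partitions "$3"); do
        if [ "${4:-}" = run ]; then
            samba-tool drs replicate "$1" "$2" "$nc" --full-sync || return 1
        else
            printf 'samba-tool drs replicate %s %s %s --full-sync\n' \
                "$1" "$2" "$nc"
        fi
    done
}

# Dry run:  sh fullsync.sh samba4dc navegantes empresa.com.br
# Execute:  sh fullsync.sh samba4dc navegantes empresa.com.br run
if [ "$#" -ge 3 ]; then
    full_sync "$@"
fi
```

Review the dry-run output first; if a partition fails, the function stops there so the error is not hidden by later output.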


