[Samba] Problem to join Samba 4 DC an existing Windows AD
Marcio Demetrio Bacci
marciobacci at gmail.com
Thu Jun 27 15:32:19 UTC 2019
Hi,
I'm using Debian 9.9 and my DCs are Windows 2008 Server (not R2).
I intend to replace my Windows DC with a Samba 4 DC.
The dependency packages that I have installed follow:
apt-get install acl attr autoconf bind9utils bison build-essential
apt-get install debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user
apt-get install libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev
apt-get install libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl
apt-get install libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl
apt-get install libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config
apt-get install python-all-dev python-crypto python-dbg python-dev python-dnspython
apt-get install python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown
apt-get install python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils
I have installed via apt-get (Samba 4.5.16):
apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
root at samba4dc1:~# cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.1
nameserver 192.168.1.2
root at ubatuba:~# cat /etc/hosts
192.168.1.19 samba4dc1.empresa.com.br samba4dc1
10.133.100.135 windc1.empresa.com.br windc1
10.133.100.137 windc2.empresa.com.br windc2
192.168.1.4 srv-bkp.empresa.com.br srv-bkp
root at samba4dc1:~# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
root at samba4dc1:~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SAMBA4DC1
realm = EMPRESA.COM.BR
workgroup = SAMBA4DC1
server role = active directory domain controller
[netlogon]
path = /var/lib/samba/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Do I need to change my nsswitch.conf as follows?
passwd: files winbind
group: files winbind
The following services are running at this moment:
root at samba4dc1:~# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 393/zabbix_agentd
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 750/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 750/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 750/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 746/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 748/smbd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 752/samba
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 521/lighttpd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 758/samba
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 752/samba
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 624/master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 750/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 748/smbd
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 746/samba
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 483/sshd
tcp6 0 0 :::10050 :::* LISTEN 393/zabbix_agentd
tcp6 0 0 :::3268 :::* LISTEN 750/samba
tcp6 0 0 :::3269 :::* LISTEN 750/samba
tcp6 0 0 :::389 :::* LISTEN 750/samba
tcp6 0 0 :::135 :::* LISTEN 746/samba
tcp6 0 0 :::139 :::* LISTEN 748/smbd
tcp6 0 0 :::464 :::* LISTEN 752/samba
tcp6 0 0 :::81 :::* LISTEN 521/lighttpd
tcp6 0 0 :::53 :::* LISTEN 758/samba
tcp6 0 0 :::88 :::* LISTEN 752/samba
tcp6 0 0 ::1:25 :::* LISTEN 624/master
tcp6 0 0 :::636 :::* LISTEN 750/samba
tcp6 0 0 :::445 :::* LISTEN 748/smbd
tcp6 0 0 :::1024 :::* LISTEN 746/samba
tcp6 0 0 :::20000 :::* LISTEN 483/sshd
udp 0 0 192.168.1.19:389 0.0.0.0:* 751/samba
udp 0 0 0.0.0.0:389 0.0.0.0:* 751/samba
udp 0 0 192.168.1.19:464 0.0.0.0:* 752/samba
udp 0 0 0.0.0.0:464 0.0.0.0:* 752/samba
udp 0 0 0.0.0.0:42524 0.0.0.0:* 396/rsyslogd
udp 0 0 0.0.0.0:53 0.0.0.0:* 758/samba
udp 0 0 192.168.1.19:88 0.0.0.0:* 752/samba
udp 0 0 0.0.0.0:88 0.0.0.0:* 752/samba
udp 0 0 192.168.1.19:137 0.0.0.0:* 747/samba
udp 0 0 192.168.1.255:137 0.0.0.0:* 747/samba
udp 0 0 0.0.0.0:137 0.0.0.0:* 747/samba
udp 0 0 192.168.1.19:138 0.0.0.0:* 747/samba
udp 0 0 192.168.1.255:138 0.0.0.0:* 747/samba
udp 0 0 0.0.0.0:138 0.0.0.0:* 747/samba
udp6 0 0 :::389 :::* 751/samba
udp6 0 0 :::464 :::* 752/samba
udp6 0 0 :::53 :::* 758/samba
udp6 0 0 :::88 :::* 752/samba
Do I need to remove the service on port 53?
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 758/samba
There are errors in my Samba DC:
/etc/init.d/samba-ad-dc status
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-06-27 11:16:22 -03; 1h 2min ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 743 (samba)
Status: "winbindd: ready to serve connections..."
Tasks: 21 (limit: 4915)
CGroup: /system.slice/samba-ad-dc.service
├─743 /usr/sbin/samba
├─745 /usr/sbin/samba
├─746 /usr/sbin/samba
├─747 /usr/sbin/samba
├─748 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─749 /usr/sbin/samba
├─750 /usr/sbin/samba
├─751 /usr/sbin/samba
├─752 /usr/sbin/samba
├─753 /usr/sbin/samba
├─754 /usr/sbin/samba
├─755 /usr/sbin/samba
├─756 /usr/sbin/samba
├─757 /usr/sbin/samba
├─758 /usr/sbin/samba
├─760 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─779 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─780 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─782 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─784 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
└─822 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
Jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460019, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: elif not check_dns_name(d):
Jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460080, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 279, in check_dns_name
Jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460229, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.460346, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
Jun 27 12:16:23 ubatuba samba[757]: /usr/sbin/samba_dnsupdate: Exception: Unable to contact a working DNS server while looking for SRV _kerberos._udp.empresa.com.br samba4dc.empresa.com.b…empresa.com.br.
Jun 27 12:16:23 ubatuba samba[757]: [2019/06/27 12:16:23.478843, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Jun 27 12:16:23 ubatuba samba[757]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 1
Hint: Some lines were ellipsized, use -l to show in full.
This is my /etc/named.conf on the primary DNS server:
root at dns1:~# cat /etc/bind/named.conf
options {
directory "/etc/bind/";
allow-transfer {
192.168.1.2;
10.133.100.135;
10.133.100.137;
192.168.1.19;
};
allow-update {
192.168.1.2;
10.133.100.135;
10.133.100.137;
192.168.1.19;
};
recursion yes;
allow-recursion {0.0.0.0/0;};
};
zone "." {
type hint;
file "default/db.root";
};
zone "localhost" {
type master;
file "default/db.localhost";
};
zone "127.in-addr.arpa" {
type master;
file "default/db.127.0.0.0";
};
zone "empresa.com.br" {
type master;
file "db.empresa.com.br";
};
zone "100.133.10.in-addr.arpa" {
type master;
file "db.10.133.100.0";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "db.192.168.0.0";
};
# Active Directory / Windows configuration
zone "_msdcs.empresa.com.br" {
type master;
file "/etc/bind/adzonas/_msdcs.empresa.com.br";
};
zone "_tcp.empresa.com.br" {
type master;
file "/etc/bind/adzonas/_tcp.empresa.com.br";
};
zone "_udp.empresa.com.br" {
type master;
file "/etc/bind/adzonas/_udp.empresa.com.br";
};
zone "_sites.empresa.com.br" {
type master;
file "/etc/bind/adzonas/_sites.empresa.com.br";
};
zone "ForestDNSZones.empresa.com.br" {
type master;
file "/etc/bind/adzonas/ForestDNSZones.empresa.com.br";
};
zone "DomainDNSZones.empresa.com.br" {
type master;
file "/etc/bind/adzonas/DomainDNSZones.empresa.com.br";
};
include "/etc/bind/named.conf.log";
The Windows DC servers aren't authoritative DNS.
Can anybody help me?
Regards,
Márcio Bacci
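Added example (editor's, not code from the thread, from Samba, or from the poster's setup): a small Python preflight for the failure in the log above, where samba_dnsupdate cannot find SRV _kerberos._udp.empresa.com.br through the BIND servers listed in resolv.conf. It parses the separately declared AD zones from the named.conf (_msdcs, _tcp, _udp under empresa.com.br) for the SRV and A records a DC registers, and audits the options block for two settings the posted named.conf has: allow-update restricted only by source IP (a dynamic update over UDP can carry a spoofed source address from an allowed host, and BIND accepts TSIG or GSS-TSIG keys for update policy instead) and allow-recursion { 0.0.0.0/0; } (an open resolver). The zone and named.conf text in the block is constructed to mirror the thread's layout, with _kerberos._udp deliberately absent so the checker reports the same record the log complains about; the record list is the per-DC subset of Samba's dns_update_list, with site-specific and GUID entries left out. Two other details from the posted files are worth checking before re-running the join: smb.conf sets workgroup = SAMBA4DC1 while the join output reports workgroup is EMPRESA, and the failing lookup is for samba4dc.empresa.com.b… (truncated in the log) while the host is samba4dc1.

```python
"""Added example (not Samba's code, not the poster's setup): offline preflight
of the BIND-hosted AD zones a Samba DC join depends on. Sample text is constructed."""
import re

# Per-DC subset of Samba's dns_update_list (relative owner -> port). Site-specific
# and GUID._msdcs entries are omitted (assumption: enough for a first check).
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_gc._tcp": 3268, "_ldap._tcp.gc._msdcs": 3268,
}
# One record per line: "owner [ttl] [IN] SRV prio weight port target" / "owner [ttl] [IN] A ip"
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)$", re.I)

def fqdn(name, origin):
    """Qualify a zone-file owner name relative to the zone origin."""
    name = name.rstrip(".").lower()
    if name == "@":
        return origin
    return name if name.endswith("." + origin) else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return ({srv_owner: [(port, target)]}, {a_owner: ip}) for one zone."""
    srv, a = {}, {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()       # strip zone-file comments
        s, h = SRV_RE.match(line), A_RE.match(line)
        if s:
            target = s.group(3).rstrip(".").lower()
            srv.setdefault(fqdn(s.group(1), origin), []).append((int(s.group(2)), target))
        elif h:
            a[fqdn(h.group(1), origin)] = h.group(2)
    return srv, a

def check_dc_records(zones, domain, dc_fqdn, dc_ip):
    """zones: {origin: zone text}. Returns the records a DC join would miss."""
    srv, a = {}, {}
    for origin, text in zones.items():
        s, h = parse_zone(text, origin.lower())
        for owner, entries in s.items():       # merge the split AD zones
            srv.setdefault(owner, []).extend(entries)
        a.update(h)
    dc, problems = dc_fqdn.lower(), []
    if a.get(dc) != dc_ip:
        problems.append(f"A {dc} -> {a.get(dc)} (expected {dc_ip})")
    for rel, port in REQUIRED_SRV.items():
        owner = f"{rel}.{domain}"
        if (port, dc) not in srv.get(owner, []):
            problems.append(f"SRV {owner} missing entry for {dc}:{port}")
    return problems

def _block(text, keyword):
    """Body of the first `keyword { ... }` statement, honouring nested braces."""
    m = re.search(rf"\b{keyword}\s*\{{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def audit_named_conf(text):
    """Flag options{} settings that are risky once DCs may update the zone."""
    findings, opts = [], _block(text, "options")
    if re.search(r"\b(any|0\.0\.0\.0/0)\b", _block(opts, "allow-recursion")):
        findings.append("open-recursion")                # resolver answers for anyone
    upd = _block(opts, "allow-update")
    if upd:
        findings.append("global-allow-update")           # inherited by every master zone
        if not re.search(r"\bkey\b", upd):
            findings.append("allow-update-by-ip-only")   # no TSIG/GSS-TSIG; source IP is spoofable
    return findings

# Constructed zones mirroring the split in the thread's named.conf; the _udp
# zone deliberately lacks _kerberos._udp, the record the log complains about.
SAMPLE_ZONES = {
    "empresa.com.br": "$TTL 3600\nsamba4dc1  IN A  192.168.1.19\n",
    "_tcp.empresa.com.br": """
_ldap      IN SRV 0 100 389  samba4dc1.empresa.com.br.
_kerberos  IN SRV 0 100 88   samba4dc1.empresa.com.br.
_kpasswd   IN SRV 0 100 464  samba4dc1.empresa.com.br.
_gc        IN SRV 0 100 3268 samba4dc1.empresa.com.br.
""",
    "_udp.empresa.com.br": "_kpasswd  IN SRV 0 100 464  samba4dc1.empresa.com.br.\n",
    "_msdcs.empresa.com.br": """
_ldap._tcp.dc  IN SRV 0 100 389  samba4dc1.empresa.com.br.
_ldap._tcp.gc  IN SRV 0 100 3268 samba4dc1.empresa.com.br.
""",
}
# Constructed options block carrying the two settings seen in the thread's named.conf.
SAMPLE_NAMED_CONF = """options {
    allow-transfer { 192.168.1.2; 192.168.1.19; };
    allow-update { 192.168.1.2; 192.168.1.19; };   // source IP only, no TSIG
    allow-recursion { 0.0.0.0/0; };                // open resolver
};
"""
```

Feed it the real zone files (one string per zone, keyed by the zone's origin) and the real named.conf; a non-empty list from check_dc_records is what samba_dnsupdate will trip over, while the named.conf findings are policy observations rather than errors.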
On Thu, 27 Jun 2019 at 04:51, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Hi Marcio,
>
> I've checked the script output, that looks good.
>
> Just two small comments:
> - The hosts file: if your resolving is working correctly then you could
> remove the other DCs and FS from it, but it does not hurt if you keep it
> as is.
> - As long as you are sure the DNS servers are ok and all needed zones are in
> these "proxy dns" servers, that should be fine also.
> (the often forgotten zone is _msdcs.your.domain.tld.)
>
> I also saw Tim's reply today, and that's one I missed and the best way
> to go.
>
> Greetz,
>
> Louis
>
>
>
>
>
> From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
> Sent: Wednesday, 26 June 2019 17:06
> To: L.P.H. van Belle
> Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD
>
>
>
> Hi L.P.H van Belle
>
>
> >And the windows version was?
> Windows 2008 Server, 32-bit (not R2).
> AD Functional level: Win 2008
>
>
> Regards,
>
>
> Márcio Bacci
>
>
> -----------
>
>
>
> On Wed, 26 Jun 2019 at 04:50, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
> Hi,
>
>
> this part.
> Adding CN=NTDS
> Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363,
> 'WERR_DS_NO_CROSSREF_FOR_NC')
> Join failed - cleaning up
> Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
>
> I just noticed the same question, (30 may 2019)
> https://www.spinics.net/lists/samba/msg157397.html
> It looks like a bug in Samba and it's not reported in Bugzilla.
>
> Can you run this for me so I can have a good look at this.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Just to make sure the Linux side is set up correctly; anonymise where
> needed.
>
>
> Can you report it at https://bugzilla.samba.org, or I can report it for
> you, but I do want the requested info from the script in the bug report too;
> then it's much more complete.
>
> And the windows version was?
>
>
> Greetz,
>
> Louis
>
>
> From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
> Sent: Wednesday, 26 June 2019 5:54
> To: L.P.H. van Belle
> Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD
>
>
>
> Hi,
>
> >Question, does the Windows AD domain contain MS Exchange also?
> No.
>
> >and what does the wiki tell me.
> >
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >There are three authentication methods you can use:
>
> >samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
> >samba-tool domain join samdom.example.com DC -k yes
> >samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
>
> I tried the 3 ways above.
>
> >I suggest this.
> >Kinit Administrator
> >Then you know kerberos auth also works.
>
> Kerberos is working properly.
>
> root at samba4dc:~# kinit administrator at EMPRESA.COM.BR
> Password for administrator at EMPRESA.COM.BR:
>
> root at samba4dc:~# klist -l
> Principal name Cache name
> -------------- ----------
> administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
>
> cat /etc/krb5.conf
>
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = EMPRESA.COM.BR
>
>
> >Now, if you keep having problems with it, and you're using your own compiled setup,
> >then show the compile parameters, or ..
> >Remove the compiled version and use my repo (http://apt.van-belle.nl)
> >And you can install 4.10.5 also on stretch with apt-get.
>
> Now I have installed from the repository:
>
> apt-get install apt-transport-https
> wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key
> add -
> echo "# AptVanBelle repo for samba." | tee
> /etc/apt/sources.list.d/van-belle.list
> echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib
> non-free" | tee -a /etc/apt/sources.list.d/van-belle.list
> apt-get update
> apt-get install -t o=AptVanBelle samba attr winbind libpam-winbind
> libnss-winbind libpam-krb5 krb5-config krb5-user
>
> samba -V
> Version 4.10.5-Debian
>
> netstat -lntup
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 398/zabbix_agentd
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 23945/smbd
> tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 550/lighttpd
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 655/master
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 23945/smbd
> tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 517/sshd
> tcp6 0 0 :::10050 :::* LISTEN 398/zabbix_agentd
> tcp6 0 0 :::139 :::* LISTEN 23945/smbd
> tcp6 0 0 :::81 :::* LISTEN 550/lighttpd
> tcp6 0 0 ::1:25 :::* LISTEN 655/master
> tcp6 0 0 :::445 :::* LISTEN 23945/smbd
> tcp6 0 0 :::20000 :::* LISTEN 517/sshd
> udp 0 0 0.0.0.0:42969 0.0.0.0:* 394/rsyslogd
> udp 0 0 0.0.0.0:68 0.0.0.0:* 383/dhclient
> udp 0 0 192.168.255.255:137 0.0.0.0:* 23992/nmbd
> udp 0 0 192.168.1.39:137 0.0.0.0:* 23992/nmbd
> udp 0 0 0.0.0.0:137 0.0.0.0:* 23992/nmbd
> udp 0 0 192.168.255.255:138 0.0.0.0:* 23992/nmbd
> udp 0 0 192.168.1.39:138 0.0.0.0:* 23992/nmbd
> udp 0 0 0.0.0.0:138 0.0.0.0:* 23992/nmbd
>
>
> But the problems continue:
>
> root at samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
> INFO 2019-06-26 00:22:49,231 pid:658
> /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC
> for domain 'empresa.com.br'
> INFO 2019-06-26 00:22:49,241 pid:658
> /usr/lib/python3/dist-packages/samba/join.py #105: Found DC
> windc1.empresa.com.br
> Password for [EMPRESA\administrator]:
> INFO 2019-06-26 00:22:58,016 pid:658
> /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
> INFO 2019-06-26 00:22:58,016 pid:658
> /usr/lib/python3/dist-packages/samba/join.py #1522: realm is
> empresa.com.br
> Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
> Adding
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363,
> 'WERR_DS_NO_CROSSREF_FOR_NC')
> Join failed - cleaning up
> Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
> Deleted
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> ERROR(runtime): uncaught exception - DsAddEntry failed
> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 185, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699,
> in run
> backend_store=backend_store)
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in
> join_add_objects
> ctx.join_add_ntdsdsa()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in
> join_add_ntdsdsa
> ctx.DsAddEntry([rec])
> File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in
> DsAddEntry
> raise RuntimeError("DsAddEntry failed")
>
>
>
> root at samba4dc:~# samba-tool domain join empresa.com.br DC -k yes
> INFO 2019-06-26 00:24:18,926 pid:666
> /usr/lib/python3/dist-packages/samba/join.py #103: Finding a writeable DC
> for domain 'empresa.com.br'
> INFO 2019-06-26 00:24:18,934 pid:666
> /usr/lib/python3/dist-packages/samba/join.py #105: Found DC
> windc1.empresa.com.br
> INFO 2019-06-26 00:24:19,113 pid:666
> /usr/lib/python3/dist-packages/samba/join.py #1519: workgroup is EMPRESA
> INFO 2019-06-26 00:24:19,113 pid:666
> /usr/lib/python3/dist-packages/samba/join.py #1522: realm is
> empresa.com.br
> Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
> Adding
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363,
> 'WERR_DS_NO_CROSSREF_FOR_NC')
> Join failed - cleaning up
> Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC-com,DC=br
> Deleted
> CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC-com,DC=br
> ERROR(runtime): uncaught exception - DsAddEntry failed
> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 185, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699,
> in run
> backend_store=backend_store)
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1427, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 669, in
> join_add_objects
> ctx.join_add_ntdsdsa()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 594, in
> join_add_ntdsdsa
> ctx.DsAddEntry([rec])
> File "/usr/lib/python3/dist-packages/samba/join.py", line 543, in
> DsAddEntry
> raise RuntimeError("DsAddEntry failed")
> root at samba4dc:~#
>
> Do you have any other idea ?
>
>
> Regards,
>
> Márcio Bacci
>
>
>
>
>
>
>
>
> On Tue, 25 Jun 2019 at 11:20, L.P.H. van Belle <belle at bazuin.nl>
> wrote:
>
> Hi Marcio,
>
> Please keep mailing to the list, that helps everybody. ;-)
>
> Question, does the Windows AD domain contain MS Exchange also?
> Oh, and my bad. This: samba-tool domain tombstones expunge
> You need to purge the tombstones on the Windows server,
>
> but forget that all.
>
> I had a new look and noticed:
> root at samba4dc:/etc/init.d# samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
> (a bit of a strange folder to be in, also..)
>
> And what does the wiki tell me.
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> There are three authentication methods you can use:
>
> samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
> samba-tool domain join samdom.example.com DC -k yes
> samba-tool domain join samdom.example.com DC --krb5-ccache=/tmp/krb5cc_0
>
> And yours, what is the difference?
> samba-tool domain join empresa.com.br DC -Uadministrator --realm=empresa.com.br
>
> I suggest this.
> Kinit Administrator
> Then you know kerberos auth also works.
> Then try : samba-tool domain join empresa.com.br DC -k yes
> And kdestroy to remove the kerberos ticket.
>
> Now, if you keep having problems with it, and you're using your own compiled setup,
> then show the compile parameters, or ..
> Remove the compiled version and use my repo (http://apt.van-belle.nl)
> And you can install 4.10.5 also on stretch with apt-get.
>
>
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
> From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
> Sent: Monday, 24 June 2019 19:11
> To: L.P.H. van Belle
> Subject: Re: [Samba] Problem to join Samba 4 DC an existing Windows AD
>
>
> Hi,
>
> The results of the commands below, executed on Samba 4, follow:
>
> >Maybe first run : samba-tool domain tombstones expunge
>
> samba-tool domain tombstones expunge
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> dsdb_schema_from_db() failed: 32:No such object: dsdb_schema:
> failed to search attributeSchema and classSchema objects: No such Base DN:
> CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
> dsdb_get_schema: refresh_fn() failed
> schema_load_init: dsdb_get_schema failed
> module schema_load initialization failed : Operations error
> module dsdb_notification initialization failed : Operations error
> module rootdse initialization failed : Operations error
> module samba_dsdb initialization failed : Operations error
> Unable to load modules for tdb:///usr/local/samba/private/sam.ldb:
> schema_load_init: dsdb_get_schema failed
> ERROR(ldb): uncaught exception - schema_load_init: dsdb_get_schema
> failed
> File
> "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py",
> line 185, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line
> 3913, in run
> credentials=creds, lp=lp)
> File
> "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 67, in
> __init__
> options=options)
> File
> "/usr/local/samba/lib/python3.5/site-packages/samba/__init__.py", line 115,
> in __init__
> self.connect(url, flags, options)
> File
> "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 82, in
> connect
> options=options)
>
>
>
> >Check the DNS if any leftovers and check with RSAT also for
> leftovers.
> There isn't leftovers.
>
> >Then run : samba-tool dbcheck --cross-nc
>
> samba-tool dbcheck --cross-nc
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> dsdb_schema_from_db() failed: 32:No such object: dsdb_schema:
> failed to search attributeSchema and classSchema objects: No such Base DN:
> CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
> dsdb_get_schema: refresh_fn() failed
> schema_load_init: dsdb_get_schema failed
> module schema_load initialization failed : Operations error
> module dsdb_notification initialization failed : Operations error
> module rootdse initialization failed : Operations error
> module samba_dsdb initialization failed : Operations error
> Unable to load modules for tdb:///usr/local/samba/private/sam.ldb:
> schema_load_init: dsdb_get_schema failed
> ERROR: Failed to connect to DB at None. If this is a really old
> sam.ldb (before alpha9), then try again with --force-modules
>
>
> >DNS domain = empresa.com.br and Kerberos domain = EMPRESA.COM.BR
> >These are NOT the same.
>
>
> OK.
>
> root at samba4dc:~# cat /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = EMPRESA.COM.BR
>
>
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 172.30.1.1 # is not the Windows DC
> nameserver 172.30.1.2 # is not the Windows DC
>
>
> We use bind as authoritative DNS. The Windows DCs only receive
> updates from the bind servers.
>
> Regards,
>
> Márcio Bacci
>
>
> On Mon, 24 Jun 2019 at 12:09, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>
>
> > > ERROR(runtime): uncaught exception - (8639, "Failed to
> > > process 'chunk' of
> > > DRS replicated objects: DOS code 0x000021bf")
>
> 0x000021bf :
> The replication operation failed because the target object
> referred by a link value is recycled.
> Maybe first run : samba-tool domain tombstones expunge
> Check the DNS if any leftovers and check with RSAT also
> for leftovers.
>
> Then run : samba-tool dbcheck --cross-nc
> Fix things where needed.
>
> THEN join.
>
> And use :
> samba-tool domain join empresa.com.br DC -Uadministrator
> --realm=EMPRESA.COM.BR
>
> DNS domain = empresa.com.br and Kerberos domain =
> EMPRESA.COM.BR
> These are NOT the same.
>
> Greetz,
>
> Louis
>
>
> --
> To unsubscribe from this list go to the following URL and
> read the
> instructions:
> https://lists.samba.org/mailman/options/samba
>
>
>
>
>