[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed

franta franta at hanzlici.cz
Mon Mar 25 15:20:09 UTC 2019


On 2019-03-25 16:02, Rowland Penny via samba wrote:
> On Mon, 25 Mar 2019 15:12:16 +0100
> franta via samba <samba at lists.samba.org> wrote:
> 
>> Hi team,
>> I have Samba (4.9.5) AD DC, and when trying to add second DC, join
>> fail:
>> 
>> # samba-tool domain join zamecek.home DC -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ
>> Finding a writeable DC for domain 'zamecek.home'
>> Found DC dc1.zamecek.home
>> Password for [SSUPS-ZAMECEK\administrator]:
>> workgroup is SSUPS-ZAMECEK
>> realm is zamecek.home
>> Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
>> Adding CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
>> Adding CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
>> Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
>> Setting account password for DC2-LYNX$
>> Enabling account
>> Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with dns/ SPN
>> Setting account password for dns-DC2-LYNX
>> Calling bare provision
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>> 
>> A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
>> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>> Provision OK for domain DN DC=zamecek,DC=home
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[402/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[804/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1206/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1550/1550] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[1628/1628] linked_values[42/42]
>> Failed to commit objects: DOS code 0x000021bf
>> Missing target object - retrying with DRS_GET_TGT
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2030/1628] linked_values[1/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2432/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[2834/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[3236/1628] linked_values[0/1]
>> Partition[CN=Configuration,DC=zamecek,DC=home] objects[3256/1628] linked_values[41/42]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
>> Partition[DC=zamecek,DC=home] objects[500/700] linked_values[0/22]
>> Partition[DC=zamecek,DC=home] objects[798/700] linked_values[653/653]
>> Done with always replicated NC (base, config, schema)
>> Replicating DC=DomainDnsZones,DC=zamecek,DC=home
>> Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[59/59] linked_values[0/0]
>> Replicating DC=ForestDnsZones,DC=zamecek,DC=home
>> Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] linked_values[0/0]
>> Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] linked_values[0]
>> Committing SAM database
>> Join failed - cleaning up
>> Deleted CN=RID Set,CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
>> Deleted CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
>> Deleted CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home
>> Deleted CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
>> Deleted CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
>> ERROR(ldb): uncaught exception - descriptor_modify on CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
>>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 716, in run
>>      backend_store=backend_store)
>>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1501, in join_DC
>>      ctx.do_join()
>>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1399, in do_join
>>      ctx.join_replicate()
>>    File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1005, in join_replicate
>>      ctx.local_samdb.transaction_commit()
>> 
>> I have no idea where the problem is or how to solve it - can anyone help?
>> Both systems run Fedora 29 x86_64 Linux, Samba is built with
>> Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, first DC was
>> provisioned with '--use-rfc2307' and BIND9_DLZ (bind-9.11.5) DNS
>> backend.
>> Thanks, Franta
>> 
>> 
> 
> You should only build Samba with the Heimdal version supplied with
> Samba, you do not need to and shouldn't install Heimdal.

My mistake in the description - I have installed (it seems unnecessarily)
only the heimdal-libs package (no -devel ones) and samba itself is not
linked with it:
# ldd /usr/sbin/samba|grep heim
         libheimbase-samba4.so.1 => /usr/lib64/samba/libheimbase-samba4.so.1 (0x00007f911e8da000)

Thus my problem should be something else - but what?
TIA, Franta



