[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed

Rowland Penny rpenny at samba.org
Tue Mar 26 09:29:41 UTC 2019


On Tue, 26 Mar 2019 05:18:20 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:

> Hi Tim and Rowland, thanks for your support!
> I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> versions require Python3), but you are right, the problem can be here
> in the DB
>  - the first Samba AD DC was created by migrating a Samba3 NT4 domain to
> Samba4 AD about a week ago (using 'samba-tool domain classicupgrade ...',
> according to the Samba Wiki):
> 
> [root@dc1 samba]# samba-tool dbcheck
> Checking 701 objects
> NOTE: old (due to rename or delete) DN string component for
> lastKnownParent in object CN=RID
> Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> Controllers,DC=zamecek,DC=home Not fixing old string component 

You can ignore lines like that, the '\0ADEL' means it is a deleted
object and will eventually go away.


> > 2. Try dumping the object it's failing on, just to see if there's
> > anything odd with the objectClass attributes. E.g.
> > ldbsearch -H ldap://$SERVER -b
> > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'  
> 
> [root@dc1 samba]# ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> '(CN=Administrator)' 

Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb' file
instead, or use the 'ldbsearch' as shown, not that it would work for
what you require, it should have been something like this:

ldbsearch -H ldap://dc4 -UAdministrator \
  -b 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' \
  -s base nTSecurityDescriptor

Which (after you enter Administrator's password) should produce
something like this:

# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)


> unicodePwd::

I would change Administrator's password, you have given it to the
world ;-)

Rowland
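
Added example (not part of the original message and not Samba project code): a filter that scrubs password-bearing attributes from ldbsearch LDIF output before it is pasted into a public post, unfolding continuation lines first so the tail of a folded value is not left behind. The function names, the attribute list (illustrative, not exhaustive) and the sample record are assumptions constructed for this example.

```python
import re

# Attributes that hold password or key material in an AD database.
# Assumption for this example: an illustrative list, not an exhaustive one.
SECRET_ATTRS = {"unicodepwd", "dbcspwd", "ntpwdhistory", "lmpwdhistory",
                "supplementalcredentials"}
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?)\s?(.*)$")

# Constructed sample record; the values are fake and not real hashes.
SAMPLE = """# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
unicodePwd:: RkFLRS1OVC1IQVNILVZBTFVFIQ==
supplementalCredentials:: RkFLRUZBS0VGQUtFRkFLRUZBS0VGQUtFRkFLRUZBS0VGQUtF
 Q09OVElOVUFUSU9OLUxJTkUtT0YtU0VDUkVU
"""


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def redact_ldif(text, secrets=SECRET_ATTRS):
    """Return (scrubbed_ldif, hits); hits lists the (dn, attribute) pairs redacted.

    The output is unfolded, so long values appear on a single line.
    """
    scrubbed, hits, dn = [], [], None
    for line in unfold(text):
        m = ATTR_RE.match(line)
        if m:
            attr, sep = m.group(1), m.group(2)
            if attr.lower() == "dn":
                dn = m.group(3)
            elif attr.split(";")[0].lower() in secrets:
                hits.append((dn, attr))
                line = f"{attr}{sep} <REDACTED>"
        scrubbed.append(line)
    return "\n".join(scrubbed) + "\n", hits


if __name__ == "__main__":
    print(redact_ldif(SAMPLE)[0], end="")
```

A plain line-based filter such as dropping lines that start with the attribute name would leave the folded second line of supplementalCredentials in the output, which is why the unfold step comes first.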



