[Samba] Problem joining domain [SEC=UNOFFICIAL]

Andrew Bartlett abartlet at samba.org
Thu May 30 08:26:22 UTC 2019

On Thu, 2019-05-30 at 07:22 +0000, Thamm, Russell via samba wrote:
> Firstly thanks for the help with my previous problem building SAMBA. The UNOFFICIAL in the subject heading is added automatically by our email system.

No worries, mate :-)

> I'm getting the following error when trying to join a 2003 server domain.
> ...
> Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local
> Adding CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> Adding CN=NTDS Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
> ...
> I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.

DsAddEntry is a bit like LDAP Add, but for special objects like the
NTDS Settings you see above, because there is special processing done
server-side.  My guess is that we have something in that new NTDS
Settings object (for the Samba DC) that it doesn't like.

> I have previously joined this domain with an older version of Samba. That SAMBA box is now dead and I have removed it from AD.
> I think that I have done this correctly.

This may have been unfortunate.  Samba is likely more flexible than
windows, and joining the modern version of Samba to that, rather than
directly to the 2003 server, might have been a way forward. 

> This domain is standalone (air-gapped). I currently have no way to get info off TITUS, so the above output from samba-tool was hand copied - might have typos.

That sounds frustrating to work with, but the info so far is good.

I think what is happening is that the partition list (NC is naming
context, which we also call a partition, being the AD domain, config,
schema and 2x dns partitions) that we think we should say we host isn't
lining up with what the DC thinks it has. 

What functional level is the domain?

Do you need Samba joined to the domain long-term, or were you joining
it to access the secrets (we have some tricks for replicating the data
without creating the DC objects if that would help).

If you can let us know a little more your purpose here we may be able
to figure another way out.


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
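Added example (not from the thread, and not samba-tool's own code): a small diagnostic that checks the mismatch Andrew describes, the partition list a joining Samba DC intends to claim versus the crossRef objects the existing domain publishes under CN=Partitions,CN=Configuration. It assumes the joining DC would claim the five partitions Andrew lists (domain, configuration, schema and the two DNS application partitions) and that the crossRef list has been exported as LDIF with nCName values, for example with ldbsearch or ldapsearch over (objectClass=crossRef). The sample LDIF below is constructed for the SSUNIT050 domain name from the thread; nothing about the real domain is known.

```python
"""Cross-check the naming contexts (NCs) a joining DC would claim against the
crossRef objects an existing domain actually publishes.  Hypothetical
diagnostic written for this thread; it is not part of samba-tool."""
import re


def parse_ldif_nc_names(ldif_text):
    """Return the set of nCName DNs found in LDIF text (one 'nCName: ...' line
    per crossRef object).  DNs are lower-cased because they compare
    case-insensitively."""
    ncs = set()
    for line in ldif_text.splitlines():
        m = re.match(r"^nCName:\s*(.+?)\s*$", line)
        if m:
            ncs.add(m.group(1).lower())
    return ncs


def expected_partitions(domain_dn):
    """Assumption: the joining DC claims these five partitions (domain, config,
    schema and the DomainDnsZones/ForestDnsZones application partitions)."""
    return {
        domain_dn.lower(),
        f"cn=configuration,{domain_dn}".lower(),
        f"cn=schema,cn=configuration,{domain_dn}".lower(),
        f"dc=domaindnszones,{domain_dn}".lower(),
        f"dc=forestdnszones,{domain_dn}".lower(),
    }


def missing_crossrefs(ldif_text, domain_dn):
    """Partitions the joining DC would claim that have no crossRef on the
    existing domain, i.e. candidates for a WERR_DS_NO_CROSSREF_FOR_NC."""
    return sorted(expected_partitions(domain_dn) - parse_ldif_nc_names(ldif_text))


# Constructed sample: a Partitions container that publishes only the domain,
# configuration and schema crossRefs (no DNS application partitions).
SAMPLE_LDIF = """\
dn: CN=SSUNIT050,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: DC=SSUNIT050,DC=local
dnsRoot: SSUNIT050.local

dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: CN=Configuration,DC=SSUNIT050,DC=local

dn: CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: CN=Schema,CN=Configuration,DC=SSUNIT050,DC=local
"""

if __name__ == "__main__":
    for nc in missing_crossrefs(SAMPLE_LDIF, "DC=SSUNIT050,DC=local"):
        print("no crossRef published for", nc)
```

Feed it the real crossRef export from the 2003 DC to see which of the partitions Samba would advertise are absent on that side; a partition in the output is the place to look before retrying the join.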
