[Samba] Problem joining domain [SEC=UNCLASSIFIED]

Thamm, Russell Russell.Thamm at dst.defence.gov.au
Fri May 31 06:21:49 UTC 2019


UNCLASSIFIED

Hi Andrew and Rowland,

I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined the domain. I intended to take over from the 2003 server but because the domain was being heavily used, I delayed seizing the roles. 

Now I really, really want to replace the 2003 server. The network is currently not in use and I want to complete the job while I have an opportunity. If I have no other option, I will create a new domain, but I'd prefer to avoid having to create new user accounts.

When I tried to join the domain with the new samba box, I got the error I reported. I hoped removing the old server from AD might fix the problem but alas no.

I removed the samba 4 server (Gollum) following the instructions at https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

Ntdsutil failed, so I used Active Directory Users and Computers to delete Gollum's Domain Controller entry, specifying that the old controller was permanently offline. I used Active Directory Sites and Services to delete NTDS Settings and the Service under Default-First-Site, again specifying that Gollum was permanently offline. I backed up the AD on the 2003 server first, so in theory, I can undo these changes.

The new server is CentOS 7 (1810) and the version of SAMBA is 4.10.4.

The 2003 domain is at the highest functional level.

Cheers
Russell

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Thursday, 30 May, 2019 5:35 p.m.
To: samba at lists.samba.org
Subject: Re: [Samba] Problem joining domain [SEC=UNCLASSIFIED]

On 30/05/2019 08:22, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Firstly thanks for the help with my previous problem building SAMBA. The UNOFFICIAL in the subject heading is added automatically by our email system.
OFFICIAL
Stupid idea in my opinion
>
> I'm getting the following error when trying to join a 2003 server domain.
Didn't you get the memo, 2003 is EOL ;-)
>
> ...
> Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local
> Adding CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> Adding CN=NTDS Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
> ...
>
> I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.
The cross-reference for the specified naming context could not be found
>
> I have previously joined this domain with an older version of Samba. That SAMBA box is now dead and I have removed it from AD.
> I think that I have done this correctly.

What version worked ?

How did you remove it ?

What version are you using now ?

What OS ?

>
> This domain is standalone (air-gapped). I currently have no way to get info off TITUS, so the above output from samba-tool was hand copied - might have typos.

I think you might have to find a way in, you might have to do a lot of typing otherwise.

Rowland