[Samba] Trouble joining DC Bind9_DLZ

Rowland penny rpenny at samba.org
Tue Sep 3 09:39:50 UTC 2019


On 03/09/2019 10:07, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I'm using Samba 4.10.7 with Bind9_DLZ (9.10.3-P4-Debian), but I'm not
> able to insert a new DC into the domain. My OS is a Debian 9.9 VM.
>
> Following is the command used and the error:
>
> root@samba4-dc3:/var/lib/samba/private# samba-tool domain join
> empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br
> --dns-backend=BIND9_DLZ -d 3
> INFO 2019-09-02 15:50:33,684 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2291: Setting
> up the privileges database
> INFO 2019-09-02 15:50:34,188 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting
> up idmap db
> INFO 2019-09-02 15:50:34,549 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2301: Setting
> up SAM db
> INFO 2019-09-02 15:50:34,644 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #882: Setting up
> sam.ldb partitions and settings
> INFO 2019-09-02 15:50:34,645 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #894: Setting up
> sam.ldb rootDSE
> INFO 2019-09-02 15:50:34,724 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #1302:
> Pre-loading the Samba 4 and AD schema
> partition_metadata: Migrating partition metadata: open of metadata.tdb
> gave: (null)
> Unable to determine the DomainSID, can not enforce uniqueness constraint on
> local domainSIDs
>
> INFO 2019-09-02 15:50:34,892 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2351: A
> Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> INFO 2019-09-02 15:50:34,893 pid:6636
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2352: Merge the
> contents of this file with your system krb5.conf or replace it with this
> one. Do not create a symlink!
> Provision OK for domain DN empresa.com.br
> Starting replication
> Using binding ncacn_ip_tcp:samba4-dc1.empresa.com.br[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4-dc1.empresa.com.br<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4-dc1.empresa.com.br<0x20>
> Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[402/1518]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[804/1518]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1206/1518]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1518/1518]
> linked_values[0/0]
> Analyze and apply schema objects
> Replicated 1518 objects (0 linked attributes) for
> CN=Schema,CN=Configuration,empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[402/2023]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for CN=Configuration,
> empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[804/2023]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for CN=Configuration,
> empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[1206/2023]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for CN=Configuration,
> empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[1608/2023]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for CN=Configuration,
> empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[2010/2023]
> linked_values[0/20]
> Replicated 402 objects (0 linked attributes) for CN=Configuration,
> empresa.com.br
> Partition[CN=Configuration,empresa.com.br] objects[2023/2023]
> linked_values[36/36]
> Replicated 13 objects (36 linked attributes) for CN=Configuration,
> empresa.com.br
> Replicating critical objects from the base DN of the domain
> Partition[empresa.com.br] objects[103/103] linked_values[45/45]
> Replicated 103 objects (45 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[402/2296] linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[804/2296] linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[1206/2296] linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[1608/2296] linked_values[0/764]
> Replicated 402 objects (0 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[2010/2296] linked_values[0/1066]
> Replicated 402 objects (0 linked attributes) for empresa.com.br
> Partition[empresa.com.br] objects[2296/2296] linked_values[1066/1066]
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
> CN=COMP0082,CN=Computers,empresa.com.br for index on servicePrincipalName,
> duplicate of objectGUID 1c0cc09b-a4c2-4e2d-9544-d49f82b436f3 in
> @INDEX:SERVICEPRINCIPALNAME:TERMSRV/COMP0082.EMPRESA.COM.BR
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in
> CN=COMP0013,CN=Computers,empresa.com.br for index on servicePrincipalName,
> duplicate of objectGUID be74c1a9-d80b-4922-90f5-94a8c86632ad in
> @INDEX:SERVICEPRINCIPALNAME:TERMSRV/COMP0013.EMPRESA.COM.BR
> Replicated 286 objects (1066 linked attributes) for empresa.com.br
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,empresa.com.br
> Partition[DC=DomainDnsZones,empresa.com.br] objects[402/692]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for DC=DomainDnsZones,
> empresa.com.br
> Partition[DC=DomainDnsZones,empresa.com.br] objects[692/692]
> linked_values[0/0]
> Replicated 290 objects (0 linked attributes) for DC=DomainDnsZones,
> empresa.com.br
> Replicating DC=ForestDnsZones,empresa.com.br
> Partition[DC=ForestDnsZones,empresa.com.br] objects[40/40]
> linked_values[0/0]
> Replicated 40 objects (0 linked attributes) for DC=ForestDnsZones,
> empresa.com.br
> Exop on[CN=RID Manager$,CN=System,empresa.com.br] objects[3]
> linked_values[0]
> Discarding older DRS attribute update to objectClass on CN=RID
> Manager$,CN=System,empresa.com.br from 032a8fdc-a9b8-425a-88c3-5125986fc59d
>
> #### OMITTED #####
>
> INFO 2019-09-02 15:50:51,647 pid:6636
> /usr/lib/python3/dist-packages/samba/join.py #1169: Adding DNS A record
> SAMBA4-DC3.empresa.com.br for IPv4 IP: 172.30.1.19
> INFO 2019-09-02 15:50:51,699 pid:6636
> /usr/lib/python3/dist-packages/samba/join.py #1197: Adding DNS CNAME record
> 956bafb9-4aa8-4f91-8615-6b5af36b91fa._msdcs.empresa.com.br for
> SAMBA4-DC3.empresa.com.br
> Join failed - cleaning up
This is where the join failed; you can ignore anything after 'Join failed'.
> I have seen that there are duplicate objects in the base, but I believe this
> is not the cause of the problem.
Yes
>
> Also I have verified that I can only find my FQDN domain. The short name
> does not respond. I don't know if that would be a problem.
>
> root@samba4-dc3:~# host -t A EMPRESA.COM.BR
> EMPRESA.COM.BR has address 192.168.1.20
> EMPRESA.COM.BR has address 192.168.1.22
> root@samba4-dc3:~# host -t A EMPRESA
> Host EMPRESA not found: 3(NXDOMAIN)
That is because 'EMPRESA' is a NetBIOS name, not a DNS name.

The join seems to be failing when it tries to add a CNAME record or when
its ownership is changed, so does the forest DNS zone exist?

Try running this on an existing DC:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb \
    -b 'CN=MicrosoftDNS,DC=ForestDnsZones,DC=empresa,DC=com,DC=br' -s sub \
    '(&(objectclass=dnsZone)(dc=_msdcs.empresa.com.br))'

It should produce one AD object record.

Rowland
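
The check suggested above, wrapped as a script (an added example, not part of the original message or of Samba). It builds the search base from the realm and classifies the ldbsearch result as missing, ok or duplicate; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: verify that the _msdcs forest DNS zone exists before a DC join.
# Function names are hypothetical; the sample LDIF below is constructed.

# Convert a DNS realm (empresa.com.br) into a DN suffix (DC=empresa,DC=com,DC=br).
realm_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Count entries in ldbsearch LDIF read from stdin: one "dn:" line per entry.
# grep -c exits non-zero on zero matches, so mask that for callers using set -e.
count_entries() {
    grep -c '^dn: ' || true
}

# The reply expects exactly one dnsZone object for _msdcs.<realm>.
zone_status() {
    n=$(count_entries)
    case "$n" in
        0) echo "missing" ;;
        1) echo "ok" ;;
        *) echo "duplicate" ;;
    esac
}

# Run on an existing DC with read access to sam.ldb (normally root).
# Not called by the demo below, because it needs ldbsearch and a live database.
check_msdcs_zone() {
    realm=$1
    samdb=${2:-/var/lib/samba/private/sam.ldb}
    base="CN=MicrosoftDNS,DC=ForestDnsZones,$(realm_to_dn "$realm")"
    ldbsearch --cross-ncs -H "$samdb" -b "$base" -s sub \
        "(&(objectclass=dnsZone)(dc=_msdcs.$realm))" | zone_status
}

# Constructed sample of what a healthy DC would return.
sample_output() {
    cat <<'EOF'
# record 1
dn: DC=_msdcs.empresa.com.br,CN=MicrosoftDNS,DC=ForestDnsZones,DC=empresa,DC=com,DC=br
objectClass: dnsZone
name: _msdcs.empresa.com.br

# returned 1 records
EOF
}

sample_output | zone_status
```

On a real DC, call `check_msdcs_zone empresa.com.br`; anything other than `ok` means the zone object should be examined before retrying the join.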





