[Samba] samba-tool join failed. ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT

Denis CARDON dcardon at tranquil.it
Mon Apr 6 12:04:46 UTC 2020


Hi Epsilon,

I think the issue here is with localization support in Samba. Your 
"Default-First-Site" in Spanish MS-AD is translated (as it is in French 
AD), and it seems that it looks for the following site name during the join:

CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local

while it should be trying to create the entry in the following site name:

CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local

I have already joined a few French localized MS-AD in the past and don't 
remember that issue though. Default-First-Site-Name should be a 
well-known-object with its own GUID I think, so I think it shouldn't 
matter what the name is...

You may try to specify the site name when doing the join with the --site 
option using your Spanish name, it might just work.

Cheers,

Denis


On 06/04/2020 at 02:33, Epsilon Minus via samba wrote:
> I ran the command in debug mode level 3:
> 
> root at DC02:~# samba-tool domain join conylec.local DC -U
> "conylec\administrador" --dns-backend=SAMBA_INTERNAL
> --server=DC01.conylec.local -d 3
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name DC01.conylec.local<0x20>
> Password for [CONYLEC\administrador]:
> Cannot reach a KDC we require to contact (null) : kinit for
> administrador at CONYLEC failed (Cannot contact any KDC for requested
> realm)
> 
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> ldap/DC01.conylec.local failed (next[ntlmssp]):
> NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> workgroup is CONYLEC
> realm is conylec.local
> Adding CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
> Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password for CONYLEC from both secrets.ldb (Could not
> find entry to match filter:
> '(&(flatname=CONYLEC)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4657) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> <00002030: objectclass: Cannot add
> CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local,
> parent does not exist!> <>
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 661, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
>      ctx.do_join()
>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
>      ctx.join_add_objects()
>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
> join_add_objects
>      ctx.samdb.add(rec)
> 
> On Sun, 5 Apr 2020 at 20:05, Epsilon Minus
> (<theepsilonminus at gmail.com>) wrote:
>>
>> Hello,
>>
>> I inherited an Active directory in Windows in Spanish, after a lot of
>> work I was able to do the first synchronization to a DC in Samba.
>>
>> Now I am at the stage that I want to remove Windows, but previously I
>> want to remove Windows.
>>
>> I am trying to add another DC in Samba to advance and I am presented
>> with the following problem. I feel lost with these errors.
>>
>> root at DC01:~# samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> InfrastructureMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> RidAllocationMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> PdcEmulationMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> DomainNamingMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> DomainDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> ForestDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>>
>>
>> First join without server parameter:
>>
>> root at DC02:~# samba-tool domain join conylec.local DC -U
>> "conylec\administrador" --dns-backend=SAMBA_INTERNAL
>> Finding a writeable DC for domain 'conylec.local'
>> Found DC AD01.conylec.local
>> Password for [CONYLEC\administrador]:
>> workgroup is CONYLEC
>> realm is conylec.local
>> Adding CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
>> Adding CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> Adding CN=NTDS Settings,CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> Join failed - cleaning up
>> Deleted CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
>> Deleted CN=NTDS
>> Settings,CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> Deleted CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
>> <0000202B: RefErr: DSID-030A0B8E, data 0, 1 access points
>> ref 1: '1bb952b0-c0ee-44fc-9a5d-ce440d550993._msdcs.conylec.local'
>>> <ldap://1bb952b0-c0ee-44fc-9a5d-ce440d550993._msdcs.conylec.local>
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
>> 661, in run
>>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
>>      ctx.do_join()
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
>>      ctx.join_add_objects()
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
>> join_add_objects
>>      ctx.samdb.modify(m)
>>
>>
>>
>> Second join with server parameter
>>
>> root at DC02:~# samba-tool domain join conylec.local DC -U
>> "conylec\administrador" --dns-backend=SAMBA_INTERNAL
>> --server=DC01.conylec.local
>> Password for [CONYLEC\administrado]:
>> workgroup is CONYLEC
>> realm is conylec.local
>> Adding CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
>> Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> Join failed - cleaning up
>> Deleted CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
>> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
>> <00002030: objectclass: Cannot add
>> CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local,
>> parent does not exist!> <>
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
>> 661, in run
>>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
>>      ctx.do_join()
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
>>      ctx.join_add_objects()
>>    File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
>> join_add_objects
>>      ctx.samdb.add(rec)
>>
>>
>> You see an important difference: in the first join the DNS (Windows DC not fsmo):
>> Adding CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>> Adding CN=NTDS Settings,CN=DC02,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
>>
>> And in the second the DNS is (Samba DC is fsmo):
>>
>> Adding CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
>> Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local
>>
>> In the first join the DN is correct, but in the second it is wrong. Do you have
>> any idea how to continue?
>>
>> Thanks.
> 
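
The check behind the --site suggestion above, as an added example that is not part of the original thread: it reads the site name out of the DNs reported by `samba-tool fsmo show`, compares it with the site the failed join tried to use, and prints the join command with `--site` set. The sample text is constructed from the DNs quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text is constructed from the DNs
# quoted in the thread; the function names are hypothetical.

# Print each distinct site name found in DNs on stdin: the RDN value directly
# before ",CN=Sites,CN=Configuration". Assumes site names contain no commas.
sites_in_text() {
    sed -n 's/.*,CN=\([^,]*\),CN=Sites,CN=Configuration,.*/\1/p' | sort -u
}

# Constructed sample: two lines of "samba-tool fsmo show" output, unwrapped.
FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Nombre-predeterminado-primer-sitio,CN=Sites,CN=Configuration,DC=conylec,DC=local'

# Constructed sample: the "Adding" lines printed by the failed join.
JOIN_SAMPLE='Adding CN=DC02,OU=Domain Controllers,DC=conylec,DC=local
Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=conylec,DC=local'

# $1 = fsmo show output, $2 = join output.
# Returns 0 if the join used the directory's site, 1 on a mismatch (and prints
# the retry command with --site), 2 if no single site could be determined.
suggest_site() {
    actual=$(printf '%s\n' "$1" | sites_in_text)
    tried=$(printf '%s\n' "$2" | sites_in_text)
    # Empty result, or more than one line, means there is no unambiguous site.
    case "$actual" in
        ''|*'
'*) printf '%s\n' "no single site found; choose one manually" >&2; return 2 ;;
    esac
    if [ "$actual" = "$tried" ]; then
        printf '%s\n' "site matches: $actual"
        return 0
    fi
    printf '%s\n' "join used '$tried', directory has '$actual'; retry with:"
    printf '%s\n' "samba-tool domain join conylec.local DC -U 'conylec\\administrador' --dns-backend=SAMBA_INTERNAL --server=DC01.conylec.local --site=$actual"
    return 1
}

suggest_site "$FSMO_SAMPLE" "$JOIN_SAMPLE" || true
```
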