[Samba] Join new DC to domain - advice to upgrade Samba 4.

Daniel Lopes de Carvalho daniel@cepetro.unicamp.br
Tue Apr 7 13:51:59 UTC 2020


Hi Rowland, thanks for your email.

The working DC was installed around 2 years ago. That is the reason for sticking
with Stretch. But if I can upgrade the working DC to Buster and Samba 4.9.5
without any problems, that is OK with me.

I'm not a Samba expert. How can I verify my database? Can you point me to
a link, tutorial, etc.? I have used samba-tool dbcheck (with and
without --cross-ncs); is this enough?

Find below the output of the samba-tool join command:

 samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'test.example.domain.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
Found DC adc02.test.example.domain.br
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Password for [test\administrator]:
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator@test failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is test
realm is test.example.domain.br
Adding CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Adding CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Adding CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br@test.example.domain.br : kinit for administrator@test failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Setting account password for DCS01$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=test,DC=example,DC=domain,DC=br
Starting replication
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br@test.example.domain.br : kinit for administrator@test failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[402/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[804/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1206/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1608/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1722/1722] linked_values[71/0]
Replicated 114 objects (71 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97]
linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for test from both secrets.ldb (Could not find entry to match filter: '(&(flatname=test)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Deleted CN=NTDS
Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Deleted
CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)

PS: test.example.domain.br is a fake domain, used just to post the output here on
the list.

Thanks and best regards

On Tue, Apr 7, 2020 at 9:14 AM Rowland penny via samba <samba@lists.samba.org> wrote:

> On 07/04/2020 12:20, Daniel Lopes de Carvalho via samba wrote:
> > Hello Guys,
> >
> > I have a working Samba 4 DC running on Debian Stretch 9.9 with Samba 4.5.16
> > and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same
> > Samba version).
>
> Why stick with stretch ?
>
> From my understanding you will only get security updates from now on.
>
> I would use Buster (Debian 10) instead, this will get you Samba 4.9.5,
> which, while it is still EOL as far as Samba is concerned, is a lot less
> dead than 4.5.16
>
> >
> > During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.
> Can you post the output from the join command.
> > I was wondering whether to first upgrade Samba on the new joining DC and, if I
> > succeed and have a second working AD DC, then upgrade Samba on the first
> > working DC.
>
> You may have something wrong with your database and if so, you need to
> fix this first. If you can upgrade in place, then this may be the way to
> go, but not until you are sure that the database is okay.
>
> Rowland


-- 

Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel@cepetro.unicamp.br
19 3521-1221
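The join output above shows two separate problems: every Kerberos attempt fails with "Cannot contact any KDC for requested realm" (so the join silently falls back to NTLMSSP), and the domain partition then fails with WERR_DS_DRA_MISSING_PARENT because the source DC sent an object whose parent GUID the joining DC never received. The script below is an added example, not code from this thread or from the Samba project. It reads the join output, pulls out the realm, the missing parent GUID and the DN of the orphaned object, derives that object's parent DN, and prints the commands a practitioner would run next: the DNS and kinit checks on the joining host, and ldbsearch lookups against sam.ldb on the working DC. Assumptions: SAM_DB defaults to the standard Debian path, "host" is installed for the SRV lookups, and JOIN_LOG is a constructed excerpt shaped like the output posted above, with the same fake domain.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): triage helper
# for a failed "samba-tool domain join ... DC" run. It parses the join
# output and prints the next checks to run. SAM_DB and the "host" tool are
# assumptions; JOIN_LOG is a constructed excerpt of the posted output.
set -eu

SAM_DB=${SAM_DB:-/var/lib/samba/private/sam.ldb}

# Constructed excerpt, with line breaks as the mail client wrapped them.
JOIN_LOG='workgroup is test
realm is test.example.domain.br
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97]
linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID
a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as
CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT'

# Realm exactly as samba-tool printed it (DNS form, lower case).
realm_name() {
    printf '%s\n' "$1" | sed -n 's/^realm is //p'
}

# Kerberos realm for kinit: the DNS realm in upper case.
krb5_realm() {
    realm_name "$1" | tr '[:lower:]' '[:upper:]'
}

# GUID that follows "No parent with GUID". The message is joined into one
# line first because the mail wrap can put the GUID on a line of its own.
missing_parent_guid() {
    printf '%s\n' "$1" | tr '\n' ' ' \
      | sed -n 's/.*No parent with GUID[[:space:]]*\([0-9a-fA-F-]\{36\}\).*/\1/p'
}

# DN of the object the source DC sent ("remotely known as <DN>").
orphan_dn() {
    printf '%s\n' "$1" | tr '\n' ' ' \
      | sed -n 's/.*remotely known as[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Parent DN: drop the first RDN. Assumes no escaped comma inside that RDN,
# which holds for every DN in the thread.
parent_dn() {
    printf '%s\n' "${1#*,}"
}

# Print the checks in the order a practitioner would run them.
triage_commands() {
    log=$1
    guid=$(missing_parent_guid "$log")
    dn=$(orphan_dn "$log")
    pdn=$(parent_dn "$dn")
    realm=$(realm_name "$log")
    krb=$(krb5_realm "$log")
    cat <<EOF
# On the joining host: the join fell back to NTLMSSP because kinit found no
# KDC. Check DNS SRV records and /etc/krb5.conf before blaming the database.
host -t SRV _kerberos._udp.$realm
host -t SRV _ldap._tcp.$realm
kinit administrator@$krb

# On the working DC ($SAM_DB): does the parent GUID exist at all?
ldbsearch -H $SAM_DB -s sub '(objectGUID=$guid)' dn objectGUID
# Does the orphan's parent container exist, and does its GUID match?
ldbsearch -H $SAM_DB -b '$pdn' -s base dn objectGUID
# Is the orphan where the source DC says it is?
ldbsearch -H $SAM_DB -b '$dn' -s base dn objectGUID
# Cross-partition consistency; add --fix only after reading the report.
samba-tool dbcheck --cross-ncs
EOF
}

triage_commands "$JOIN_LOG"
```

Run it with the real join output in JOIN_LOG (or adapt it to read a file) and execute the printed ldbsearch commands on the working DC, not on the joining host: a parent container that is absent there, or present with a different objectGUID, is the inconsistency to repair before retrying the join.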

