[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'

Rick Hollinbeck rickh-samba at westernwares.com
Sat Feb 8 20:25:26 UTC 2020


Thanks for the help with this, Rowland.

> Were these 2008 DCs upgraded from an earlier version ? (2000, 2003)

Yes, the two Windows servers were migrated over the years to Server 2008 (one is 2008 R2).
I've now moved the _msdcs folder and made it a zone in the forest, restarted NETLOGON, 
and set the functionality of the forest to Server 2008, then rebooted both Windows servers.
This seems to be working fine, on the Windows servers and with other Windows client PCs. 

BTW, this same Samba join error was happening before I did all that, though, and it didn't 
seem to help to raise functionality.

But it does seem like some permission on the Windows side might be missing for the new 
Samba DC to join the domain.
I would think that the administrator password provided to samba-tool would be enough, though.

This issue is similar:
https://bugzilla.samba.org/show_bug.cgi?id=13298

Here is how I am attempting the join (my bash script):
-----
#!/bin/bash
# Tear down any previous Samba state on this host, then re-join it as a DC.

echo "Stopping Samba services..."
service samba stop >/dev/null || true
service samba-ad-dc stop >/dev/null || true
service smbd stop >/dev/null || true
service nmbd stop >/dev/null || true

echo "Deleting Samba configuration file..."
rm -f /etc/samba/smb.conf
echo "Deleting Kerberos configuration file..."
rm -f /etc/krb5.conf

echo "Clean up *.tdb and *.ldb files (samba DBs)..."
# Ask smbd for its compiled-in lock/state/cache/private directories.
DIRS=$(smbd -b | grep -E "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | cut -d: -f2)
for dir in $DIRS; do
 echo " Clearing $dir ..."
 find "$dir" \( -name "*.tdb" -o -name "*.ldb" \) -delete || true
done

rm -f Sambajoin.log
# Note: a password given with --password is visible in `ps` output and is kept in
# the shell history; if --password is omitted, samba-tool prompts for it instead.
samba-tool domain join OFFICE.EXAMPLE.COM DC --server=SERVI.OFFICE.EXAMPLE.COM -U"OFFICE\\administrator" --password=TheActualPassword --dns-backend=BIND9_DLZ -d3 >Sambajoin.log 2>&1
samba-tool user setexpiry administrator --noexpiry
samba-tool domain exportkeytab /etc/krb5.keytab
-----

> Also, can we see more of the join output, what you posted is usually the 
> fallout from a failed join and is usually meaningless, I think there 
> will be a line similar to 'join failed', we need to see what is above this.

There were several "Cannot reach a KDC" messages prior to the 
WERR_DNS_ERROR_RCODE_NAME_ERROR in the log.
(Not sure if these are relevant.)

Start of JOIN log...
--------
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
Cannot reach a KDC we require to contact (null) : kinit for administrator at OFFICE failed (Cannot contact any KDC for requested realm)

gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/SERVI.OFFICE.EXAMPLE.COM failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:

...ETC.
-------------

Eventually the fatal WERR_DNS_ERROR_RCODE_NAME_ERROR occurs later when 
adding the A record for the new server is attempted.

Either something very subtle (or very obvious) is going on here!
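A pre-flight DNS check for the failure pattern shown above (no KDC reachable for the realm, then WERR_DNS_ERROR_RCODE_NAME_ERROR when the new DC's A record is added). This is an added example, not part of Rick's post and not Samba's own tooling; it assumes dig(1) from bind-utils/dnsutils is installed, and the realm and DC names from the post are used only as illustration. The live lookups run only when a realm and DC are passed on the command line; the parsing helpers work on captured dig output.

```bash
#!/bin/bash
# Pre-flight check before "samba-tool domain join <realm> DC --server=<dc>":
# verify that the domain's DNS publishes Kerberos and LDAP SRV records, that the
# DC we will join through is among the advertised targets, that it resolves, and
# that it is authoritative for the zone the join will write our A record into.
# Added example, not from the original post. Assumes dig(1) is installed.

# Parse "dig +short SRV" answers ("prio weight port target.") into one
# lower-cased target host per line, trailing dot stripped. Non-SRV lines are ignored.
srv_targets() {
    awk 'NF == 4 { t = tolower($4); sub(/\.$/, "", t); print t }'
}

# Return 0 if host $1 (any case) appears in the newline-separated list $2.
host_in_list() {
    printf '%s\n' "$2" | grep -qxF "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Live checks. Usage: prejoin_check OFFICE.EXAMPLE.COM SERVI.OFFICE.EXAMPLE.COM
prejoin_check() {
    local realm=$1 dc=$2 failed=0 rr targets
    for rr in "_kerberos._tcp.$realm" "_ldap._tcp.dc._msdcs.$realm" "_ldap._tcp.$realm"; do
        targets=$(dig +short SRV "$rr" | srv_targets)
        if [ -z "$targets" ]; then
            # No KDC/LDAP SRV records: the join cannot find a logon server at all.
            echo "FAIL: no SRV records for $rr"
            failed=1
        elif ! host_in_list "$dc" "$targets"; then
            echo "WARN: $dc is not advertised in $rr; targets: $(echo "$targets" | tr '\n' ' ')"
        else
            echo "ok:   $rr -> $dc"
        fi
    done
    if [ -z "$(dig +short A "$dc")" ]; then
        echo "FAIL: $dc has no A record"
        failed=1
    fi
    # The join adds the new DC's own A record to this zone via the server we
    # join through, so that server must answer authoritatively for the zone.
    if [ -z "$(dig +short SOA "$realm" "@$dc")" ]; then
        echo "FAIL: $dc does not answer SOA for zone $realm"
        failed=1
    fi
    return $failed
}

# Run the live checks only when realm and DC are given on the command line.
if [ "$#" -ge 2 ]; then
    prejoin_check "$1" "$2"
fi
```

Run it as root or any user on the prospective DC before the join script; a FAIL on the SRV lines corresponds to the "Cannot contact any KDC" / NT_STATUS_NO_LOGON_SERVERS lines in the join log, and a FAIL on the SOA line means the zone the join wants to add a record to is not served by the DC named in --server.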