[Samba] FW: samba_kcc issue after joining the domain as a DC

Alex samba at abisoft.biz
Mon Feb 10 15:43:34 UTC 2020


Rowland,

>>> samba-tool domain join domain.com DC -k yes --dns-backend NONE
>>> --server=vm-dc1.domain.com
>>> Why did he do that ? why no dns server ?????
>> This is b/c we used to host AD zone on a separate DNS server(s), not in the AD.
>> I thought to keep that setup b/c it's much easier to administer the AD zone
>> in bind9, rather than in MS DNS.
>>
> No, it isn't and using 'NONE' as the dns backend is not supported by Samba.

> Run: samba_upgradedns

> That should fill in your missing dns data.

> An AD DC is authoritative for the AD dns domain.

Here is what I got after switching to the SAMBA_INTERNAL backend:

# samba-tool domain join domain.com DC -k yes --server=vm-dc1.domain.com

INFO 2020-02-10 18:34:09,671 pid:26424 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1116: Adding 1 remote DNS records for VM-DC3.domain.com
Using binding ncacn_ip_tcp:vm-dc1.domain.com[,sign]
Mapped to DCERPC endpoint 135
added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 netmask=255.255.0.0
added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name vm-dc1.domain.com<0x20>
Mapped to DCERPC endpoint 49228
added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 netmask=255.255.0.0
added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name vm-dc1.domain.com<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for administrator at domain.com will expire in 32550 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
INFO 2020-02-10 18:34:10,109 pid:26424 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1179: Adding DNS A record VM-DC3.domain.com for IPv4 IP: 172.26.1.83
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 708, in run
    backend_store_size=backend_store_size)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1561, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1456, in do_join
    ctx.join_add_dns_records()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1197, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 1177, in dns_lookup
    dns_partition=dns_partition)
Adding CN=VM-DC3,OU=Domain Controllers,DC=domain,DC=com
Adding CN=VM-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding CN=NTDS Settings,CN=VM-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding SPNs to CN=VM-DC3,OU=Domain Controllers,DC=domain,DC=com
Setting account password for VM-DC3$
Enabling account
Calling bare provision
Provision OK for domain DN DC=domain,DC=com
Starting replication
Missing target object - retrying with DRS_GET_TGT
Replicating critical objects from the base DN of the domain
Missing target object - retrying with DRS_GET_TGT
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=domain,DC=com
Replicating DC=ForestDnsZones,DC=domain,DC=com
Committing SAM database
--- join_add_dns_records
Join failed - cleaning up

DNS is now updated as Louis suggested.

-- 
Best regards,
Alex Alex



