[Samba] Problems joining DC (tried 4.11.4 and 4.10.13)

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 27 19:38:28 UTC 2020


Hi,

Last week, I finally managed to find some time to rebuild one of my
DCs that had suffered hardware failure some time back (and accordingly
had long since been removed from the domain). Excuse the slightly long
post but I'm trying to give hopefully all the relevant background info
:)

I first of all downloaded and installed 4.11.4, using my own
installation notes (that I have been keeping somewhat up to date for
my DCs since I started with samba 4.0.0) - so I am mostly confident
that the steps I followed for this DC are the same steps I used for
all my other DCs. In summary:
- set IP of machine
- install pre-requisite .deb packages
- set up NTP
- add local LAN IP to /etc/hosts
- compile & install samba
- join domain

My other DCs are all running 4.10.11 and are working fine (apart from
I believe I am suffering from bug 12497 on some of them as I have
custom ACLs on one part of my tree - but that's another story).

Using 4.11.4 on this new DC, the initial domain join was successful,
all records were replicated during the join - but none of my other DCs
could replicate to it afterwards. I was constantly getting errors in
the logs of my other DCs along the lines of '
Failed to bind to uuid 00000000-1111-2222-3333-4444444444 for
ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,target_hostname=aaaaaaaa-bbbb-cccc-dddddddddd._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=00000000-1111-2222-3333-4444444444/0x00000004,localaddress=192.168.1.5]
NT_STATUS_INVALID_PARAMETER'

I did some digging around, searching on this mailing list and
elsewhere, and tried to figure out why this would be happening. The
most promising idea I had was that I had restored the TLS key & certs
for this DC from a very old backup, and these were using MD5 (now
deprecated) rather than SHA256 - so I thought this might be why. I run
my own internal CA, so I duly revoked the old cert (it was only in use
on this one machine) and generated a new cert, now having "Signature
Algorithm: sha256WithRSAEncryption" - but this made no difference,
other DCs were still not replicating to it.

So I thought I would revert back to using 4.10.x on the new DC, since
that is what I am still running on my other DCs - and come back to
look at this 4.11.4 issue later.

I tried removing the DC using the online removal method specified in
the wiki, which did not work (I think due to the replication issues):
newdc$ sudo samba-tool domain demote -Uadminuser
Using existingdc.mydomain.org.uk as partner server for the demotion
Password for [MYDOMAIN\adminuser]:
Deactivating inbound replication
Asking partner server existingdc.mydomain.org.uk to synchronize from us
Error while replicating out last local changes from
'CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=uk' for demotion,
re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a
DsReplicaSync for partition
'CN=Schema,CN=Configuration,mydomain,DC=org,DC=uk' - (87,
'WERR_INVALID_PARAMETER')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain.py",
line 832, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

So instead I just shut down samba on the new DC and removed it from
the domain using the method specified for an offline server, from
another DC. As far as I can tell, this did work fine - I can't find
any trace of the new DC in DNS; in site replication links; etc.

So I then duly downloaded 4.10.13, compiled it, removed the contents
of /usr/local/samba/private (apart from my new TLS cert) and tried to
join the domain using exactly the same command that had worked for me
when I tried 4.11.4.

newdc$ sudo /usr/local/samba/bin/samba-tool domain join
mydomain.org.uk DC -U myadminuser --site=mysite
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to 'ldap://existingdc' with backend 'ldap': LDAP
error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain.py",
line 700, in run
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
line 1525, in join_DC
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
line 109, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
line 67, in __init__
    options=options)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/__init__.py",
line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
line 82, in connect
    options=options)

The eagle-eyed amongst you will spot that there's a missing line of
output below the command I ran. For some reason, 'samba-tool domain
join' is not asking me for a password for my admin user this time. I
can't for the life of me figure out why - I've even used strace to see
if there are any files it's accessing that might contain a cache of
the password I previously typed in last week when installing 4.11.4 -
but I found nothing at all, only a bunch of .so files in
/usr/local/samba/lib, and various python files from .

I don't know why it would not be prompting for a password when joining
the domain. I've tried clearing out /usr/local/samba/lib and
reinstalling; I have renamed my new smb.conf file that I had edited
after installing 4.11.4; etc. so I am now posting here in the hope
that someone will point out the obvious simple thing I have missed :)

Many thanks!

Jonathan

(Happy to share smb.conf but at this point I've removed/renamed it!
Only 3 lines I add are 'dns forwarder', 'idmap_ldb:use rfc2307' and
'ntlm auth' (needed for freeradius); plus a 'dfs' share which I never
actually got working)

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
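The two failures quoted in the post, the DRS bind error from the other DCs' logs and the LDAP error 49 from the second join attempt, both carry structured diagnostics that are easier to triage once split into fields. The following is an added example, not code from Jonathan's post or from Samba itself: a small Python helper that decodes the AD AcceptSecurityContext "data" subcode (52e on the page; the other values in the table are the standard Active Directory subcodes) and breaks the RPC binding string of the DRS message into transport, host, port and options. The two sample log lines are reconstructed from the post with the original line wraps removed.

```python
import re

# Standard "data" subcodes that Active Directory (and a Samba AD DC) append to
# LDAP result 49 / AcceptSecurityContext failures. The post shows 52e.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong or empty password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# <HRESULT: LdapErr: DSID-xxxx, comment: ..., data NNN, vNNNN>
_LDAP_DIAG_RE = re.compile(
    r"<(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+),"
    r"\s*v(?P<version>[0-9A-Fa-f]+)>"
)

# "Failed to bind to uuid <uuid> for <binding string> NT_STATUS_..."
_DRS_BIND_RE = re.compile(
    r"Failed to bind to uuid (?P<uuid>\S+) for (?P<binding>\S+)\s+(?P<status>NT_STATUS_\w+)"
)

# Sample input, constructed from the post (each is a single log line in reality).
SAMPLE_LDAP = (
    "Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: "
    "LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>"
)
SAMPLE_DRS = (
    "Failed to bind to uuid 00000000-1111-2222-3333-4444444444 for "
    "ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,"
    "target_hostname=aaaaaaaa-bbbb-cccc-dddddddddd._msdcs.mydomain.org.uk,"
    "target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,"
    "abstract_syntax=00000000-1111-2222-3333-4444444444/0x00000004,"
    "localaddress=192.168.1.5] NT_STATUS_INVALID_PARAMETER"
)


def parse_ldap_bind_error(line):
    """Decode the AD diagnostic block of an 'LDAP error 49' line; None if absent."""
    m = _LDAP_DIAG_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unrecognised subcode"),
    }


def parse_drs_bind_failure(line):
    """Split a DRS 'Failed to bind to uuid ...' log line into fields; None if absent."""
    m = _DRS_BIND_RE.search(line)
    if not m:
        return None
    # Binding string layout: transport:host[port,flag,...,key=value,...]
    endpoint, _, rest = m.group("binding").partition("[")
    transport, _, host = endpoint.partition(":")
    port, flags, options = None, [], {}
    for item in rest.rstrip("]").split(","):
        key, sep, value = item.partition("=")
        if sep:
            options[key] = value          # e.g. target_principal=GC/...
        elif item.isdigit() and port is None:
            port = int(item)              # the first bare number is the port
        elif item:
            flags.append(item)            # e.g. seal, krb5
    return {
        "uuid": m.group("uuid"),
        "transport": transport,
        "host": host,
        "port": port,
        "flags": flags,
        "options": options,
        "status": m.group("status"),
    }


if __name__ == "__main__":
    # Run the two sample lines from the post through both parsers.
    for name, result in (("ldap", parse_ldap_bind_error(SAMPLE_LDAP)),
                         ("drs", parse_drs_bind_failure(SAMPLE_DRS))):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Read defensively: a 52e with no password prompt means the bind was attempted with whatever credentials samba-tool already held (an empty password or a cached Kerberos ticket are the usual candidates), so the subcode tells you the DC rejected the credential rather than failing to reach the account. For the DRS message, the decoded `target_principal` and `target_hostname` show exactly which service principal and which `_msdcs` GUID record the peer DC tried to use, which is what to compare against DNS and the new DC's keytab.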