[Samba] Problems joining DC (tried 4.11.4 and 4.10.13)

Rowland penny rpenny at samba.org
Mon Jan 27 20:05:15 UTC 2020

On 27/01/2020 19:38, Jonathan Hunter via samba wrote:
> Hi,
> Last week, I finally managed to find some time to rebuild one of my
> DCs that had suffered hardware failure some time back (and accordingly
> had long since been removed from the domain). Excuse the slightly long
> post but I'm trying to give hopefully all the relevant background info
> :)
> I first of all downloaded and installed 4.11.4, using my own
> installation notes (that I have been keeping somewhat up to date for
> my DCs since I started with samba 4.0.0) - so I am mostly confident
> that the steps I followed for this DC are the same steps I used for
> all my other DCs. In summary:
> - set IP of machine
> - install pre-requisite .deb packages
> - set up NTP
> - add local LAN IP to /etc/hosts
> - compile & install samba
> - join domain
> My other DCs are all running 4.10.11 and are working fine (apart from
> I believe I am suffering from bug 12497 on some of them as I have
> custom ACLs on one part of my tree - but that's another story).
> Using 4.11.4 on this new DC, the initial domain join was successful,
> all records were replicated during the join - but none of my other DCs
> could replicate to it afterwards. I was constantly getting errors in
> the logs of my other DCs along the lines of '
> Failed to bind to uuid 00000000-1111-2222-3333-4444444444 for
> ncacn_ip_tcp:[49153,seal,krb5,target_hostname=aaaaaaaa-bbbb-cccc-dddddddddd._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=00000000-1111-2222-3333-4444444444/0x00000004,localaddress=]
> I did some digging around, searching on this mailing list and
> elsewhere, and tried to figure out why this would be happening. The
> most promising idea I had was that I had restored the TLS key & certs
> for this DC from a very old backup, and these were using MD5 (now
> deprecated) rather than SHA256 - so I thought this might be why. I run
> my own internal CA, so I duly revoked the old cert (it was only in use
> on this one machine) and generated a new cert, now having "Signature
> Algorithm: sha256WithRSAEncryption" - but this made no difference,
> other DCs were still not replicating to it.
> So I thought I would revert back to using 4.10.x on the new DC, since
> that is what I am still running on my other DCs - and come back to
> look at this 4.11.4 issue later.
> I tried removing the DC using the online removal method specified in
> the wiki, which did not work (I think due to the replication issues)
> newdc$ sudo samba-tool domain demote -Uadminuser
> Using existingdc.mydomain.org.uk as partner server for the demotion
> Password for [MYDOMAIN\adminuser]:
> Deactivating inbound replication
> Asking partner server existingdc.mydomain.org.uk to synchronize from us
> Error while replicating out last local changes from
> 'CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=uk' for demotion,
> re-enabling inbound replication
> ERROR(<class 'samba.WERRORError'>): Error while sending a
> DsReplicaSync for partition
> 'CN=Schema,CN=Configuration,mydomain,DC=org,DC=uk' - (87,
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain.py",
> line 832, in run
>      drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
> So instead I just shut down samba on the new DC and removed it from
> the domain using the method specified for an offline server, from
> another DC. As far as I can tell, this did work fine - I can't find
> any trace of the new DC in DNS; in site replication links; etc.
> So I then duly downloaded 4.10.13, compiled it, removed the contents
> of /usr/local/samba/private (apart from my new TLS cert) and tried to
> join the domain using exactly the same command that had worked for me
> when I tried 4.11.4.
> newdc$ sudo /usr/local/samba/bin/samba-tool domain join
> mydomain.org.uk DC -U myadminuser --site=mysite
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
> LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> Failed to connect to 'ldap://existingdc' with backend 'ldap': LDAP
> error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> ERROR(ldb): uncaught exception - LDAP error 49
> LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC,
> comment: AcceptSecurityContext error, data 52e, v1db1> <>
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
> line 185, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain.py",
> line 700, in run
>      backend_store=backend_store)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
> line 1525, in join_DC
>      backend_store=backend_store)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
> line 109, in __init__
>      credentials=ctx.creds, lp=ctx.lp)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
> line 67, in __init__
>      options=options)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/__init__.py",
> line 115, in __init__
>      self.connect(url, flags, options)
>    File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
> line 82, in connect
>      options=options)
> The eagle-eyed amongst you will spot that there's a missing line of
> output below the command I ran. For some reason, 'samba-tool domain
> join' is not asking me for a password for my admin user this time. I
> can't for the life of me figure out why - I've even used strace to see
> if there are any files it's accessing that might contain a cache of
> the password I previously typed in last week when installing 4.11.4 -
> but I found nothing at all, only a bunch of .so files in
> /usr/local/samba/lib, and various python files from .
> I don't know why it would be not prompting for a password when joining
> the domain. I've tried clearing out /usr/local/samba/lib and
> reinstalling; I have renamed my new smb.conf file that I had edited
> after installing 4.11.4; etc. so I am now posting here in the hope
> that someone will point out the obvious simple thing I have missed :)
> Many thanks!
> Jonathan
> (Happy to share smb.conf but at this point I've removed/renamed it!
> Only 3 lines I add are 'dns forwarder', 'idmap_ldb:use rfc2307' and
> 'ntlm auth' (needed for freeradius); plus a 'dfs' share which I never
> actually got working)
You should have removed all of /usr/local/samba and ensured that the new 
dead DC was removed from AD by running 'samba-tool domain demote 
--remove-other-dead-server=<Your DC that didn't join>' on one of your 
other DCs. This would have made sure that there is nothing from the new 
DC in AD (if there was anything).

Can I also suggest you use Louis's repo: http://apt.van-belle.nl/

This will save you building Samba.
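As an added example (not code from Samba or from either poster), the following script carries out the check behind that advice: run on one of the surviving DCs before rejoining, it looks for the objects and DNS records AD may still hold for the removed DC, and only then runs the cleanup command from the reply. The DC name NEWDC, site mysite, realm mydomain.org.uk and the /usr/local/samba prefix are assumed placeholders; the `realm_to_basedn`, `server_dn`, `ntds_dn`, `computer_dn` and `check_leftovers` helpers are mine and not part of samba-tool.

```shell
#!/bin/sh
# Added example for this thread; not code from Samba or from the posters.
# Run as root on a *surviving* DC (Samba under /usr/local/samba) before
# rejoining a DC that was pulled out of the domain. It reports whatever AD
# still holds about the old DC, then optionally runs the suggested cleanup.
# Hypothetical values: DC name NEWDC, site mysite, realm mydomain.org.uk.
# On the DC being rebuilt the matching step is simply: rm -rf /usr/local/samba
set -u

SAMBA=${SAMBA:-/usr/local/samba}
SAM=$SAMBA/private/sam.ldb

# "mydomain.org.uk" -> "DC=mydomain,DC=org,DC=uk"
realm_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# Objects that must be gone before the name can be reused: the server
# object, its NTDS Settings (what replication partners bind to) and the
# computer account.
server_dn()   { printf 'CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s' "$1" "$2" "$(realm_to_basedn "$3")"; }
ntds_dn()     { printf 'CN=NTDS Settings,%s' "$(server_dn "$1" "$2" "$3")"; }
computer_dn() { printf 'CN=%s,OU=Domain Controllers,%s' "$1" "$(realm_to_basedn "$2")"; }

# Base-scope search: prints a "dn:" line only if the object exists.
ldb_exists() {
    "$SAMBA/bin/ldbsearch" -H "$SAM" -s base -b "$1" dn 2>/dev/null | grep -q '^dn:'
}

# Report every leftover for DC $1 in site $2, realm $3. Returns 0 if clean.
check_leftovers() {
    dc=$1 site=$2 realm=$3 leftover=0
    for dn in "$(server_dn "$dc" "$site" "$realm")" \
              "$(ntds_dn "$dc" "$site" "$realm")" \
              "$(computer_dn "$dc" "$realm")"; do
        if ldb_exists "$dn"; then
            echo "still in AD: $dn"; leftover=1
        fi
    done
    # DNS: the host's A record and the <NTDS objectGUID>._msdcs CNAME that
    # partners resolve via the target_hostname= in the quoted bind error.
    host=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
    if [ -n "$(dig +short "$host.$realm" @127.0.0.1)" ]; then
        echo "A record still present: $host.$realm"; leftover=1
    fi
    guid=$("$SAMBA/bin/ldbsearch" -H "$SAM" -s base \
              -b "$(ntds_dn "$dc" "$site" "$realm")" objectGUID 2>/dev/null \
           | sed -n 's/^objectGUID: //p')
    if [ -n "$guid" ] && [ -n "$(dig +short "$guid._msdcs.$realm" @127.0.0.1)" ]; then
        echo "replication CNAME still present: $guid._msdcs.$realm"; leftover=1
    fi
    return $leftover
}

# The cleanup from the reply: removes the server/NTDS objects, the computer
# account and the DNS references for the named DC from the local sam.ldb.
remove_dead_dc() {
    "$SAMBA/bin/samba-tool" domain demote --remove-other-dead-server="$1"
}

# Usage: sh check-dead-dc.sh NEWDC mysite mydomain.org.uk [--remove]
if [ $# -ge 3 ]; then
    if check_leftovers "$1" "$2" "$3"; then
        echo "no trace of $1 left in AD; safe to rejoin"
    elif [ "${4:-}" = "--remove" ]; then
        remove_dead_dc "$1" && check_leftovers "$1" "$2" "$3"
    fi
fi
```

Run it once without `--remove` to see what is left, and rerun after the cleanup; a clean result on the surviving DC plus an empty /usr/local/samba on the rebuilt host is the state the reply asks for before the join is retried.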

