[Samba] Problems joining DC (tried 4.11.4 and 4.10.13)

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 27 22:41:31 UTC 2020


Thank you Rowland - appreciated.

On Mon, 27 Jan 2020 at 20:06, Rowland penny via samba
<samba at lists.samba.org> wrote:
> You should have removed all of /usr/local/samba and ensured that the new
> dead DC was removed from AD by running 'samba-tool  domain demote
> --remove-other-dead-server=<Your DC that didn't join>' on one of your
> other DCs. This would have made sure that there is nothing from the new
> DC in AD (if there was anything).

I did use --remove-other-dead-server at the time, sorry for not making
that clear in my original post. (I tried demoting from the new DC at
first. When that didn't work, I then used --remove-other-dead-server
from another DC.)

I've now removed all of /usr/local/samba as you suggest - thanks.
(Apart from sysvol which I'm replicating via rsync - I took care to
avoid deleting that so as not to cascade any deletes there to other
DCs :) )

The only remaining items in /usr/local/samba were then two directories
that I replicate between DCs, and that I'm sure won't be impacting on
this issue:
    /usr/local/samba/dfsroot (an empty folder anyway)
    /usr/local/samba/var/locks (contains sysvol which is replicated)

Unfortunately even with all of /usr/local/samba gone, this hasn't made
a difference for me :(

newdc:~/samba-4.10.13 $ sudo make install
[...]
newdc:~/samba-4.10.13 $ sudo /usr/local/samba/bin/samba-tool domain
join mydomain.org.uk DC -U adminuser --site=mysite
INFO 2020-01-27 22:18:54,654 pid:10351
/usr/local/samba/lib/python3.7/site-packages/samba/join.py #104:
Finding a writeable DC for domain 'mydomain.org.uk'
INFO 2020-01-27 22:18:54,765 pid:10351
/usr/local/samba/lib/python3.7/site-packages/samba/join.py #106: Found
DC existingdc.mydomain.org.uk
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to 'ldap://existingdc.mydomain.org.uk' with backend
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain.py",
line 700, in run
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
line 1525, in join_DC
    backend_store=backend_store)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/join.py",
line 109, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
line 67, in __init__
    options=options)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/__init__.py",
line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/samdb.py",
line 82, in connect
    options=options)

I'm not sure why samba-tool isn't prompting for the password when I
join the domain; I've never had that before.

I also checked that it was picking up the correct version (since I had
of course installed 4.11.4 at first, and then switched to 4.10.13)
$ /usr/local/samba/bin/samba-tool --version
4.10.13

> Can I also suggest you use Louis's repo: http://apt.van-belle.nl/
>
> This will save you building Samba.

I would try it, but I am running on ARM architecture and Louis's repo
is x86/x64 only, from what I can see. Plus, I don't mind building
samba in any case, I've been doing it this way for a rather large
number of years as I've always kept my DCs, and PDCs before that, up
to date via this method since distribution packages have never been
updated promptly enough for me. I want to keep up to date with samba
versions independently of the underlying distribution's release
cycle. Building from source is my preferred method :)

Thanks!

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
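
Added example, not part of the original post and not Samba's own code: a small Python decoder for the "data" sub-code in the bind failure quoted above, which also copes with the hard line wrapping seen in the mail. The names decode_bind_errors, SUBCODES and BIND_ERR are assumptions made for this sketch; the table holds the standard Win32 logon error numbers that AD-style servers print in hex.

```python
import re

# Win32 error numbers that AD-style servers print in hex after "data".
SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE (user name or password is incorrect)",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

BIND_ERR = re.compile(
    r"LDAP error (?P<ldap>\d+) (?P<name>\w+) - <(?P<sspi>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+),"
)

# Constructed sample: two of the error lines from the post, hard-wrapped the
# way the mail client wrapped them (note "data" and "52e" on separate lines).
SAMPLE = """\
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
"""

def decode_bind_errors(text):
    """Return one dict per distinct bind failure found in wrapped log text."""
    flat = " ".join(text.split())  # undo hard wrapping and double spaces
    found = {}
    for m in BIND_ERR.finditer(flat):
        sub = int(m["data"], 16)
        key = (m["ldap"], m["dsid"], sub)  # repeated tracebacks collapse to one
        found.setdefault(key, {
            "ldap_code": int(m["ldap"]),
            "ldap_name": m["name"],
            "sspi_status": m["sspi"].upper(),
            "dsid": m["dsid"],
            "subcode": sub,
            "meaning": SUBCODES.get(sub, "unknown sub-code"),
        })
    return list(found.values())
```

For the output in this mail it reports sub-code 0x52e, i.e. the server rejected the user name/password pair rather than flagging a locked, disabled or expired account.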


