[Samba] Unable to join DC to domain.

Klaus Ade Johnstad klaus at linuxavdelingen.no
Wed Jun 30 20:10:58 UTC 2021

On 30.06.2021 21:32, Rowland Penny via samba wrote:
> On Wed, 2021-06-30 at 20:42 +0200, Klaus Ade Johnstad via samba wrote:
>> I'm looking at a new hosting provider for a new project, and one of the
>> things we need setup, is a Samba ReadOnly DC at the hosting places,
>> talking to our DC at the office over vpn. I've tried 4 different
>> hosting providers, and joining a Samba DC from 3 of these providers works
>> flawlessly. I have a script that sets up everything, so the setup is
>> identical everywhere. I use Debian 10 with the newest samba packages
>> from Louis.
>> At one place this just does not work. The weird thing is that klist
>> works, ldapsearch works, I can even join as a normal member, just not as
>> a RODC, or normal DC for that matter. There is no firewall stopping
>> anything. I just wonder if anyone has seen something like this? Or if
>> they have an idea what might be stopping this?
>> This is what I get every time, but only at 1 of the 4 different hosting
>> places I've tried:
>> samba-tool domain join s.d-s.no RODC -U"AD\\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --server=dc01.s.d-s.no --option="interfaces=lo tun9" --option="bind interfaces only=yes"
> Try it like this:
> samba-tool domain join s.d-s.no RODC -U Administrator --password=ADMINISTRATOR_PASSWORD --option='idmap_ldb:use rfc2307 = yes' --option="interfaces = lo tun9" --option="bind interfaces only = yes"
> I take it that everything else is identical, /etc/resolv.conf for
> instance.
> Rowland

Thanks for the answer. I should have mentioned in my first mail that I
have tried that, but I did it again like you suggest. Everything is
identical across these 4 providers, the same /etc/hosts and
/etc/resolv.conf (with small local necessary changes).

samba-tool domain join s.d-s.no RODC -U Administrator --password=secret --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo tun9" --option="bind interfaces only=yes"
WARNING: Using password on command line is insecure. Please install the setproctitle python module.
INFO 2021-06-30 22:06:15,586 pid:764 /usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC for domain 's.d-s.no'
INFO 2021-06-30 22:06:16,188 pid:764 /usr/lib/python3/dist-packages/samba/join.py #108: Found DC dc01.s.d-s.no
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 681, in run
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1483, in
  File "/usr/lib/python3/dist-packages/samba/join.py", line 120, in
    raise DCJoinException(estr)

Klaus Ade Johnstad
