[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Thu Aug 3 04:35:16 UTC 2023


Here's another idea to hack my way out of this quagmire ...

When I first installed the Samba AD/DC to replace the SBS 2008 server 10 years
ago, I provisioned the Samba DC without connection to the Windows hprs.local
domain.  Then I un-joined the domain on all Windows domain members, turned off
the SBS server, and joined all the Windows workstations to the new domain. 

Sure, I'd have to create new domain users, and I'd probably have to re-add the
GPOs, but that might actually be easier.  This thread has been a lot of work
with no solution in sight.  The current Samba 4.8.2 DC may just be too old to
work with. I could try it with one or two guinea pig workstations.

And ... I could change the .local domain name bit while I'm at it.

--Mark

-----Original Message-----
Date: Wed, 02 Aug 2023 17:38:59 -0400
To: samba at lists.samba.org
Subject: Re: [Samba] Joining a new Samba AD DC
From: Mark Foley via samba <samba at lists.samba.org>

On Wed Aug  2 10:25:00 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 02/08/2023 15:04, Mark Foley via samba wrote:
>
> > Yeah, those commands on my system simply return the 'help' syntax info for the host command.

Actually, I must correct this a bit. Running those commands on my current dc
gives the "prohibited character found" error.

> >> I suggest you start Samba, wait a short while and then try again.
> > 
> > Do you mean to start Samba on the new DC (which I haven't done yet) or [re]start
> > Samba on the current DC?
>
> When you 'join' a new DC to the domain, only minimal critical DNS 
> records are created and the GUID records are not amongst them. When 
> Samba on the new DC is started, a script <samba_dnsupdate> is run (it 
> then runs every 10 minutes after that). This script uses a file 
> <dns_update_list> to check if various DNS records for the DC exist, if 
> they do not exist, they are created, amongst these DNS records is:
>
> ${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}  ${HOSTNAME}
>
> So the GUID record possibly doesn't exist on your new DC because you 
> haven't started it.
>
> Rowland

Per the wiki, I ran 'samba' on the new DC, then tried the 'samba-tool drs showrepl'
on the new DC. No go:

# samba-tool drs showrepl
Failed to connect host 127.0.0.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.0.1 (dc1.hprs.local) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.hprs.local failed - drsException: DRS connection to dc1.hprs.local failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.9/site-packages/samba/drs_utils.py", line 71, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

I then tried 'samba-tool drs showrepl' on the current DC and got:

# samba-tool drs showrepl
:
: (bunch of gensec stuff)
:
Default-First-Site-Name\MAIL
DSA Options: 0x00000001
DSA object GUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
DSA invocationId: efd15371-9645-4a1a-b9eb-f4db28add590

==== INBOUND NEIGHBORS ====

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 2816 bytes, with 76 bytes header/signature.
CN=Schema,CN=Configuration,DC=hprs,DC=local
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
                Last attempt @ Wed Aug  2 16:31:57 2023 EDT failed, result 2 (WERR_FILE_NOT_FOUND)
                2678 consecutive failure(s).
                Last success @ NTTIME(0)

The above starting with "Default-First-Site-Name\DC1 via RPC" was repeated
4 more times, but note the failure which occurred in each repeat. After that:

==== OUTBOUND NEIGHBORS ====

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 32 bytes, with 76 bytes header/signature.
==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 34b6cbf3-f021-4922-9b55-6dc26cb833be
        Enabled        : TRUE
        Server DNS name : dc1.hprs.local
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Kerberos commands still not working:

# kinit administrator
Password for administrator at hprs.local: 
kinit: KDC reply did not match expectations while getting initial credentials

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

/etc/resolv.conf still not working with the new DC's IP.

All these failures are likely because samba failed, /var/log/syslog:

Aug  2 16:53:14 DC1 samba[16433]: [2023/08/02 16:53:14.573450,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler) 
Aug  2 16:53:14 DC1 samba[16433]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
:
: (another 26 errors like this)
:
Aug  2 16:53:15 DC1 samba[16433]: [2023/08/02 16:53:15.236106,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done) 
Aug  2 16:53:15 DC1 samba[16433]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 27

As it stands, samba doesn't run, kerberos doesn't run, DNS not working.

Note that the 1st place I'm failing per the wiki procedure is with:

# host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

I'm about ready to give up and start from scratch, maybe going back and attempting to
upgrade the existing Samba 4.8.2 if you think the current course is irredeemable
and out of control.

I started down the "upgrade" line of thinking in thread "Upgrading from Samba 4.8.2 to 4.15.5"
from January 28th, but advice from you and others was to try adding a DC and
"promoting" it. Is that still viable?

I could also give this 2nd DC another clean retry by removing it from the
domain, wiping the drive and starting over. Perhaps joining with a
specified backend so DNS works right away -- or getting that to work before
moving on. At the same time I could put the latest BIND package on the current
4.8.2 DC and get away from the "prohibited character found" error.

--Mark :(
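Rowland's description above of samba_dnsupdate walking dns_update_list, worked through as an added example (not code from the thread or from Samba): it expands dns_update_list-style lines for a DC and reports which of the resulting records are missing from a zone snapshot and which exist under the expected name but point at another host. Apart from the CNAME line quoted in the thread, the template lines, the IP address and the zone contents are constructed assumptions.

```python
import re
from string import Template

# dns_update_list-style lines as read by samba_dnsupdate. Only the CNAME line
# is quoted from the thread; the rest are constructed for this example.
DNS_UPDATE_LIST = """\
${IF_DC}A      ${HOSTNAME}                      $IP
${IF_DC}SRV    _ldap._tcp.${DNSDOMAIN}          ${HOSTNAME} 389
${IF_DC}SRV    _kerberos._tcp.${DNSDOMAIN}      ${HOSTNAME} 88
${IF_DC}CNAME  ${NTDSGUID}._msdcs.${DNSFOREST}  ${HOSTNAME}
${IF_GC}SRV    _gc._tcp.${DNSFOREST}            ${HOSTNAME} 3268
"""
# Names and GUID from the thread; the IP is a constructed documentation address.
VARS = {"HOSTNAME": "dc1.hprs.local", "DNSDOMAIN": "hprs.local",
        "DNSFOREST": "hprs.local", "IP": "192.0.2.10",
        "NTDSGUID": "0d2a3ba9-4ade-45de-85c7-321ba69caee0"}
# Constructed zone snapshot {(type, name): target}: the Kerberos SRV is absent
# and the GUID CNAME points at a different host than the new DC.
ZONE = {("A", "dc1.hprs.local"): "192.0.2.10",
        ("SRV", "_ldap._tcp.hprs.local"): "dc1.hprs.local",
        ("CNAME", "0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local"):
            "mail.hprs.local"}

def expected_records(template, vars, flags):
    """Expand template lines into (type, name, target) tuples. A line guarded
    by ${IF_X} is kept only when X is in flags, e.g. {"DC", "GC"}.
    SRV priority, weight and port are ignored in this simplified check."""
    recs = []
    for line in template.splitlines():
        m = re.match(r"\$\{IF_(\w+)\}(.*)", line)
        if m and m.group(1) not in flags:
            continue  # record type this DC does not need (e.g. GC-only)
        fields = Template(m.group(2) if m else line).substitute(vars).split()
        if len(fields) >= 3:
            recs.append((fields[0], fields[1].lower(), fields[2].lower()))
    return recs

def check_zone(expected, zone):
    """Split expected records into those missing from the zone and those
    present under the expected name but pointing at a different target."""
    missing, conflict = [], []
    for rtype, name, target in expected:
        have = zone.get((rtype, name))
        if have is None:
            missing.append((rtype, name))
        elif have != target:
            conflict.append((rtype, name, have, target))
    return {"missing": missing, "conflict": conflict}

def audit_new_dc():
    return check_zone(expected_records(DNS_UPDATE_LIST, VARS, {"DC"}), ZONE)
```

A record that is present but points elsewhere needs a different fix from one that is simply missing, so the two are reported separately.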
