[Samba] WERR_INTERNAL_ERROR on samba-tool domain join

Stephen Vose stephen.vose at comcast.net
Thu Feb 23 18:40:13 UTC 2023


I have a running AD-DC I just built, version 4.16.8 on a fresh Rocky 
Linux 8.7 install, that seems to be working fine; I even got smartcard 
login working using the walkthrough on the wiki. When I try to add a 
second DC installed the same way, it fails in the following way:

[root@shp-dc2 ~]# kinit administrator
Password for administrator@PRIVATEDOMAIN.COM:
Warning: Your password will expire in 32 days on Mon 27 Mar 2023 05:22:33 PM EDT
[root@shp-dc2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PRIVATEDOMAIN.COM

Valid starting       Expires              Service principal
02/23/2023 11:27:40  02/23/2023 21:27:40  krbtgt/PRIVATEDOMAIN.COM@PRIVATEDOMAIN.COM
renew until 02/24/2023 11:27:37

[root@shp-dc2 ~]# samba-tool domain join privatedomain.com DC --use-krb5-ccache=/tmp/krb5cc_0 --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp2s0" --option="bind interfaces only=yes"
INFO 2023-02-23 11:33:33,211 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #105: Finding a writeable DC for domain 'privatedomain.com'
INFO 2023-02-23 11:33:33,219 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #107: Found DC shp-dc1.privatedomain.com
INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563: workgroup is privatedomain
INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566: realm is privatedomain.com
Adding CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Adding CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Adding CN=NTDS Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Adding SPNs to CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Setting account password for SHP-DC2$
Enabling account
Calling bare provision
INFO 2023-02-23 11:33:34,031 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
INFO 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2023-02-23 11:33:34,320 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2023-02-23 11:33:34,351 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2023-02-23 11:33:34,368 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2023-02-23 11:33:34,431 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2023-02-23 11:33:34,462 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2023-02-23 11:33:34,483 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2023-02-23 11:33:34,489 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2023-02-23 11:33:34,490 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2023-02-23 11:33:34,494 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=privatedomain,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[402/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[804/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1206/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1608/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1739/1739] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[402/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[804/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1206/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1608/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1635/1635] linked_values[40/40]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2037/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2439/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2841/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3243/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3270/1635] linked_values[80/40]
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
Deleted CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Deleted CN=NTDS Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Deleted CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
ERROR(runtime): uncaught exception - (1359, 'WERR_INTERNAL_ERROR')
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 709, in run
     backend_store_size=backend_store_size)
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1579, in join_DC
     ctx.do_join()
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1469, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 981, in join_replicate
     replica_flags=ctx.domain_replica_flags | drsuapi.DRSUAPI_DRS_CRITICAL_ONLY)
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 361, in replicate
     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Not really sure where I should go from here... the working DC doesn't 
have any live data besides a single user I created to test the smartcard 
login, so I won't be too upset if I have to take it down.

