[Samba] WERR_INTERNAL_ERROR on samba-tool domain join

Rowland Penny rpenny at samba.org
Thu Feb 23 19:42:07 UTC 2023



On 23/02/2023 18:40, Stephen Vose via samba wrote:
> I have a running AD-DC I just built, version 4.16.8 on a fresh Rocky 
> Linux 8.7 install, that seems to be working fine, I even got smartcard 
> login working using the walkthrough on the wiki. When I try to add a 
> second DC installed the same way, it fails in the following way:
> 
> [root@shp-dc2 ~]# kinit administrator
> Password for administrator@PRIVATEDOMAIN.COM:
> Warning: Your password will expire in 32 days on Mon 27 Mar 2023 
> 05:22:33 PM EDT
> [root@shp-dc2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@PRIVATEDOMAIN.COM
> 
> Valid starting       Expires              Service principal
> 02/23/2023 11:27:40  02/23/2023 21:27:40  krbtgt/PRIVATEDOMAIN.COM@PRIVATEDOMAIN.COM
> renew until 02/24/2023 11:27:37
> 
> [root@shp-dc2 ~]# samba-tool domain join privatedomain.com DC 
> --use-krb5-ccache=/tmp/krb5cc_0 --option='idmap_ldb:use rfc2307 = yes' 
> --option="interfaces=lo enp2s0" --option="bind interfaces only=yes"
> INFO 2023-02-23 11:33:33,211 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #105: 
> Finding a writeable DC for domain 'privatedomain.com'
> INFO 2023-02-23 11:33:33,219 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #107: Found 
> DC shp-dc1.privatedomain.com
> INFO 2023-02-23 11:33:33,342 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563: 
> workgroup is privatedomain
> INFO 2023-02-23 11:33:33,342 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566: 
> realm is privatedomain.com
> Adding CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
> Adding 
> CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
> Adding CN=NTDS 
> Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
> Adding SPNs to CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
> Setting account password for SHP-DC2$
> Enabling account
> Calling bare provision
> INFO 2023-02-23 11:33:34,031 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
> INFO 2023-02-23 11:33:34,032 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
> WARNING 2023-02-23 11:33:34,032 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
> INFO 2023-02-23 11:33:34,320 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
> INFO 2023-02-23 11:33:34,351 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
> INFO 2023-02-23 11:33:34,368 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
> INFO 2023-02-23 11:33:34,431 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
> INFO 2023-02-23 11:33:34,462 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
> INFO 2023-02-23 11:33:34,483 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
> INFO 2023-02-23 11:33:34,489 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
> INFO 2023-02-23 11:33:34,490 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
> INFO 2023-02-23 11:33:34,494 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint 
> on local domainSIDs
> 
> INFO 2023-02-23 11:33:34,523 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> INFO 2023-02-23 11:33:34,523 pid:1759 
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=privatedomain,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] 
> objects[402/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] 
> objects[804/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] 
> objects[1206/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] 
> objects[1608/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] 
> objects[1739/1739] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[402/1635] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[804/1635] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1206/1635] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1608/1635] 
> linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1635/1635] 
> linked_values[40/40]
> Failed to commit objects: DOS code 0x000021bf
> Missing target object - retrying with DRS_GET_TGT
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2037/1635] 
> linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2439/1635] 
> linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2841/1635] 
> linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3243/1635] 
> linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3270/1635] 
> linked_values[80/40]
> Replicating critical objects from the base DN of the domain
> Join failed - cleaning up
>

You can ignore anything after 'Join failed'; the join error has already 
happened and it looks like a replication problem. Does the first 
nameserver in /etc/resolv.conf point to the first DC?
How is /etc/hosts set up?

Rowland
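
The two files asked about above can be checked before retrying the join. The following is an added example, not part of the original message or of Samba's code: it parses resolv.conf and hosts text and reports when the first nameserver is not the first DC, or when the joining host's name is mapped to a loopback address (which the Samba wiki says a DC's name must not be). The IP addresses and sample file contents are constructed; the function names are hypothetical.

```python
import ipaddress

# Constructed sample inputs; 192.0.2.10 stands in for the first DC (assumption).
RESOLV_BAD = "search privatedomain.com\nnameserver 192.0.2.1\nnameserver 192.0.2.10\n"
RESOLV_OK = "search privatedomain.com\nnameserver 192.0.2.10\n"
HOSTS_BAD = "127.0.0.1 localhost\n127.0.1.1 shp-dc2.privatedomain.com shp-dc2\n"
HOSTS_OK = "127.0.0.1 localhost\n192.0.2.11 shp-dc2.privatedomain.com shp-dc2\n"


def _fields(line):
    """Split one config line into fields, dropping '#' and ';' comments."""
    for marker in ("#", ";"):
        line = line.split(marker, 1)[0]
    return line.split()


def first_nameserver(resolv_conf):
    """Return the first 'nameserver' address in resolv.conf text, or None."""
    for line in resolv_conf.splitlines():
        fields = _fields(line)
        if len(fields) >= 2 and fields[0] == "nameserver":
            return fields[1]
    return None


def prejoin_findings(resolv_conf, hosts, dc1_ip, fqdn):
    """Return a list of problems found in the two files (empty if none)."""
    findings = []
    ns = first_nameserver(resolv_conf)
    if ns is None:
        findings.append("resolv.conf: no nameserver entry")
    elif ns != dc1_ip:
        findings.append(f"resolv.conf: first nameserver {ns} is not {dc1_ip}")
    wanted = {fqdn.lower(), fqdn.split(".", 1)[0].lower()}
    for line in hosts.splitlines():
        fields = _fields(line)
        if len(fields) < 2 or not wanted & {f.lower() for f in fields[1:]}:
            continue
        try:
            loopback = ipaddress.ip_address(fields[0]).is_loopback
        except ValueError:
            findings.append(f"hosts: unparsable address {fields[0]}")
            continue
        if loopback:
            findings.append(f"hosts: {fqdn} maps to loopback {fields[0]}")
    return findings
```

On the joining host, pass the contents of /etc/resolv.conf and /etc/hosts together with the first DC's real address.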



