[Samba] Linux/Windows Domain Controller

matti.kaupenjohann matti.kaupenjohann at fh-dortmund.de
Wed Oct 25 11:58:12 UTC 2023

So. I've built 4.19.2 from source. Building worked fine and I've 
configured it as follows:

./configure \
     --sbindir=/usr/local/sbin \
     --bindir=/usr/local/bin \
     --sysconfdir=/etc/samba \
     --mandir=/usr/share/man \
     --systemd-install-services \
     --with-systemddir=/lib/systemd/system \
     --enable-selftest \

I ran make quicktest with no resulting issues.

I generated a ticket with kinit administrator which worked as expected.

Afterwards I tried to join the domain with:

samba-tool domain join mydomain.special.de DC -U"mydomain\administrator"

Which resulted in the following already known error:

INFO 2023-10-25 11:56:33,488 pid:403032 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #106: Finding a writeable DC for domain 'mydomain.special.de'
INFO 2023-10-25 11:56:33,505 pid:403032 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #108: Found DC dc02.mydomain.special.de
Password for [MYDOMAIN\administrator]:
INFO 2023-10-25 11:56:41,616 pid:403032 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1614: workgroup is MYDOMAIN
INFO 2023-10-25 11:56:41,617 pid:403032 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1617: realm is mydomain.special.de
Adding CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
Adding CN=NTDS 
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 
Join failed - cleaning up
Deleted CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
ERROR(runtime): uncaught exception - DsAddEntry failed
line 279, in _run
         return self.run(*args, **kwargs)
line 128, in run
         join_DC(logger=logger, server=server, creds=creds, lp=lp, 
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 1630, in join_DC
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 1518, in do_join
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 673, in join_add_objects
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 598, in join_add_ntdsdsa
     File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 534, in DsAddEntry
         raise RuntimeError("DsAddEntry failed")

From my position this still seems to be an issue with functional level 2016. Do 
I need to configure differently?
Further, I am curious about the systemd service flag. The created and 
installed service doesn't use samba -D as exec; instead it uses samba 

On 10/19/23 at 10:39, Stefan Kania via samba wrote:

> On 18.10.23 at 23:27, Matti Kaupenjohann via samba wrote:
>> Yes, I've read this section and the docu is saying no FL above 2008. 
>> Might be caused by incomplete docu? So far I understand if we don't 
>> use >4.19 we will not be able to use FL 2016, which is necessary since 
>> our DC WIN22 is configured as FL2016?
> Yes you MUST use 4.19 ;-)
>> On 18.10.23 19:10, Stefan Kania via samba wrote:
>>> If you take a look at:
>>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>> You will find your error message. I think your domain is running 
>>> with FL 2012 and you are using a samba version < 4.19. So you can 
>>> only go up to FL 2008_R2. The new 4.19 is the first version 
>>> supporting FL >2008_R2. There you can go up to FL 2016.
>>> On 18.10.23 at 18:05, matti.kaupenjohann via samba wrote:
>>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,

Kind regards

Matti Kaupenjohann

Fachhochschule Dortmund
University of Applied Sciences and Arts

*Kaupenjohann, Matti*
FB Informationstechnik,

Sonnenstraße 96 - 44139 Dortmund
Raum SON-A A701.4
Tel     0231 9112 9190
matti.kaupenjohann at fh-dortmund.de
