[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
Mitja Tavčar
mitja at mttv.it
Fri Aug 9 11:38:35 UTC 2024
Hi,
I'm trying to join a Debian bookworm machine running Samba (Version 4.17.12-Debian) as an additional DC to an Active Directory domain.
The domain is already running on 2 Windows 2019 DCs (hostnames vmw2srvdc1 and vmw2srvdc2) and the functional level of the AD domain is 2008 R2.
I followed the samba wiki instructions at:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
I also made another Site in AD which I want the new Samba domain controller to join. So in the command I also used the --site option.
This is the command I used for my last attempt:
samba-tool domain join intra.comune.trento.it DC --site PSN --server vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
The join always fails after adding the DNS records for LVSRVDC.intra.comune.trento.it (my new domain controller).
I tried varying some options (authentication via username/password instead of Kerberos and also switching between the BIND9_DLZ and SAMBA_INTERNAL DNS backends) but
the join process always fails, apparently at the same point. From the logs the error would appear to be in adding the DNS record for the new domain controller, but I
also noticed the "Could not find machine account in secrets database: Failed to fetch machine account password for INTRA from both secrets.ldb" error which
could be the problem.
The Samba server is a new Debian bookworm setup that was not used for any other purpose, and between the various attempts I also deleted all .ldb and .tdb databases
from /var/lib/samba/, /var/cache/samba and /run/samba and subfolders, and the /etc/samba/smb.conf, as suggested in the wiki above for a cleaner start.
I'm stuck. Any suggestions for a solution?
Thank you in advance.
Mitja Tavčar
Here are the final parts of the log with the -d 3 option after the error:
(..)
INFO 2024-08-08 12:24:34,906 pid:1386 /usr/lib/python3/dist-packages/samba/join.py #1080: Committed SAM database
INFO 2024-08-08 12:24:34,927 pid:1386 /usr/lib/python3/dist-packages/samba/join.py #1156: Adding 1 remote DNS records for LVSRVDC.intra.comune.trento.it
Using binding ncacn_ip_tcp:vmw2srvdc2.intra.comune.trento.it[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name vmw2srvdc2.intra.comune.trento.it<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name vmw2srvdc2.intra.comune.trento.it<0x20>
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for INTRA from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=INTRA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:5176) and
from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(<class 'UnboundLocalError'>): uncaught exception - cannot access local variable 'res' where it is not associated with a value
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 711, in run
join_RODC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
File "/usr/lib/python3/dist-packages/samba/join.py", line 1563, in join_RODC
ctx.do_join()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1495, in do_join
ctx.join_add_dns_records()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1191, in join_add_dns_records
for rec in res.rec:
^^^
Adding CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=krbtgt_LVSRVDC,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Got krbtgt_name=krbtgt_7869
Renaming CN=krbtgt_LVSRVDC,CN=Users,DC=intra,DC=comune,DC=trento,DC=it to CN=krbtgt_7869,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding SPNs to CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Setting account password for LVSRVDC$
Enabling account
Calling bare provision
Provision OK for domain DN DC=intra,DC=comune,DC=trento,DC=it
Missing target object - retrying with DRS_GET_TGT
Replicating critical objects from the base DN of the domain
Missing target object - retrying with DRS_GET_TGT
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=intra,DC=comune,DC=trento,DC=it
Replicating DC=ForestDnsZones,DC=intra,DC=comune,DC=trento,DC=it
Join failed - cleaning up
Deleted CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=krbtgt_7869,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=RODC Connection (FRS),CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
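
A triage helper for logs like the one quoted above, added here as an example and not part of the original post or of Samba: it pulls out the exception, the last INFO step before it, the failing frame and the join.py entry point, and flags when that entry point does not match the role typed on the command line. The summarize() function, its result keys and the join_<ROLE> naming rule are assumptions of this example; the sample log is an excerpt of the lines in the post.

```python
import re

# Excerpt of the -d 3 output quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
INFO 2024-08-08 12:24:34,927 pid:1386 /usr/lib/python3/dist-packages/samba/join.py #1156: Adding 1 remote DNS records for LVSRVDC.intra.comune.trento.it
ERROR(<class 'UnboundLocalError'>): uncaught exception - cannot access local variable 'res' where it is not associated with a value
File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 711, in run
join_RODC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
File "/usr/lib/python3/dist-packages/samba/join.py", line 1563, in join_RODC
ctx.do_join()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1495, in do_join
ctx.join_add_dns_records()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1191, in join_add_dns_records
for rec in res.rec:
Join failed - cleaning up
"""

ERROR = re.compile(r"^ERROR\(<class '([\w.]+)'>\): (.*)$", re.M)
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
INFO = re.compile(r"^INFO \S+ \S+ pid:\d+ \S+ #\d+: (.*)$", re.M)


def summarize(log, requested_role):
    """Triage a failed `samba-tool domain join` log.

    requested_role is the role argument typed on the command line ("DC", "RODC").
    Returns None when the log contains no uncaught-exception line.
    """
    err = ERROR.search(log)
    if err is None:
        return None
    # Last INFO step logged before the exception: where the join actually stopped.
    steps = INFO.findall(log[:err.start()])
    frames = [(func, path, int(line)) for path, line, func in FRAME.findall(log[err.end():])]
    # The first frame inside samba/join.py is the role-specific entry point.
    entry = next((f for f, p, _ in frames if p.endswith("samba/join.py")), None)
    return {
        "exception": err.group(1),
        "message": err.group(2),
        "last_step": steps[-1] if steps else None,
        "failing_frame": frames[-1] if frames else None,
        "entry_point": entry,
        # Assumption: the entry point is named join_<ROLE>, as join_RODC is here.
        "role_mismatch": entry is not None and entry != "join_" + requested_role,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "DC").items():
        print(f"{key}: {value}")
```

The command in the post passes DC as the role, so the call above uses "DC"; the result only reports what the log and the command line show.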