[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC

Rowland Penny rpenny at samba.org
Fri Aug 9 14:09:00 UTC 2024


On Fri, 9 Aug 2024 13:38:35 +0200
Mitja Tavčar via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I'm trying to join a Debian bookworm running Samba (Version
> 4.17.12-Debian) as an additional DC to an Active Directory Domain. The
> domain is already running on 2 Windows 2019 DCs (hostnames
> vmw2srvdc1 and vmw2srvdc2) and the functional level of the AD domain
> is 2008 R2.
> 
> I followed the samba wiki instructions at:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> 
> I also made another Site in AD which I want the new Samba domain
> controller to join. So in the command I also used the --site
> option.
> 
> This is the command I used for my last attempt:
> samba-tool domain join intra.comune.trento.it DC --site PSN --server
> vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
> 
> Join always fails after adding the DNS records for
> LVSRVDC.intra.comune.trento.it (my new domain controller)
> 
> I tried varying some options (authentication via username/password
> instead of Kerberos and also switching from the BIND9_DLZ to the
> SAMBA_INTERNAL DNS backend) but the join process always fails,
> apparently at the same point. From the logs the error would appear in
> adding the DNS record for the new domain controller, but I also
> noticed the "Could not find machine account in secrets database:
> Failed to fetch machine account password for INTRA from both
> secrets.ldb" error which could be the problem.
> 
> The Samba server is a new Debian bookworm setup that was not used for
> other purposes, and between the various attempts I also deleted all
> .ldb and .tdb databases from /var/lib/samba/, /var/cache/samba and
> /run/samba and subfolders and the /etc/samba/smb.conf, as suggested
> in the wiki above for a cleaner start.
> 
> 

Can you please try again with Samba from Bookworm backports, that will
get you 4.20.2, there has been better support for Windows domains
added.

As you are using Kerberos for the join, I take it you are running
samba-tool as root, so have you also run 'kinit Administrator' as root?

Rowland


