[Samba] Can't join new samba dc to existing dc

fransnicho fransnicho at gmail.com
Wed Aug 14 09:58:12 UTC 2024


Hello All,


Please help..

I cannot join an additional new Samba DC (version 4.19.5) to an existing Samba
AD (version 4.19.5, functional level 2008 R2).

Last week I successfully demoted an offline dc3 and moved the FSMO roles to
dc4. The command I used to join:

it@dc6:~$ sudo samba-tool domain join NICHO.COM DC -UAdministrator@NICHO.COM \
    --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose -d6
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
  auth_audit: 6
  auth_json_audit: 6
  kerberos: 6
  drs_repl: 6
  smb2: 6
  smb2_credits: 6
  dsdb_audit: 6
  dsdb_json_audit: 6
  dsdb_password_audit: 6
  dsdb_password_json_audit: 6
  dsdb_transaction_audit: 6
  dsdb_transaction_json_audit: 6
  dsdb_group_audit: 6
  dsdb_group_json_audit: 6
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
INFO 2024-08-14 16:34:45,882 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC
for domain 'NICHO.COM'
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
finddcs: searching for a DC by DNS domain NICHO.COM
finddcs: looking for SRV records for _ldap._tcp.NICHO.COM
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.NICHO.COM
<0x0>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
getlmhostsent: lmhost entry: 10.11.10.15 DC4.NICHO.COM
finddcs: DNS SRV response 0 at '10.11.10.15'
finddcs: performing CLDAP query on 10.11.10.15
finddcs: Found matching DC 10.11.10.15 with server_type=0x000013fd
INFO 2024-08-14 16:34:45,900 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #108: Found DC dc4.nicho.com
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [Administrator@NICHO.COM]:
Received smb_krb5 packet of length 272
Received smb_krb5 packet of length 180
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
INFO 2024-08-14 16:34:50,457 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is NICHO
INFO 2024-08-14 16:34:50,457 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #1617: realm is nicho.com
Adding CN=DC6,OU=Domain Controllers,DC=nicho,DC=com
Adding
CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Adding CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Using binding ncacn_ip_tcp:dc4.nicho.com[,seal]
Mapped to DCERPC endpoint 135
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Mapped to DCERPC endpoint 49153
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for Administrator@NICHO.COM will expire in 36000 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
Join failed - cleaning up
ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not
open file /var/lib/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file
or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend
'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
Could not find machine account in secrets database: Failed to fetch machine
account password for NICHO from both secrets.ldb (Could not open
secrets.ldb) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC6,OU=Domain Controllers,DC=nicho,DC=com
Deleted
CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279,
in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line
128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1630, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1518, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 673, in
join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 598, in
join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 517, in
DsAddEntry
    (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

/var/log/samba/log.samba

[2024/08/14 16:34:50.359133,  2]
../../auth/auth_log.c:858(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator@NICHO.COM]
at [Wed, 14 Aug 2024 16:34:50.359113 WIB] with [arcfour-hmac-md5]
status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)]
remote host [ipv4:10.11.10.28:46329] mapped to [NICHO]\[Administrator].
local host [NULL]
  {"timestamp": "2024-08-14T16:34:50.359187+0700", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 3},
"eventId": 4625, "logonId": "8d84c193773a6b6b", "logonType": 3, "status":
"NT_STATUS_PROTOCOL_UNREACHABLE", "localAddress": null, "remoteAddress":
"ipv4:10.11.10.28:46329", "serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "Administrator@NICHO.COM", "workstation": null,
"becameAccount": "Administrator", "becameDomain": "NICHO", "becameSid":
"S-1-5-21-2170936618-152811847-3992523897-500", "mappedAccount":
"Administrator", "mappedDomain": "NICHO", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "arcfour-hmac-md5", "clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null, "duration": 13880}}
[2024/08/14 16:34:51.368927,  0]
../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
  ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
- objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com'
does not exist in the specified objectclasses!
[2024/08/14 16:34:51.369239,  0]
../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
  ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed -
WERR_DS_INTERNAL_FAILURE


/etc/samba/smb.conf

[global]
log level = 2
netbios name = DC4
realm = NICHO.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NICHO
idmap_ldb:use rfc2307 = yes
tls enabled  = yes
tls keyfile  = /etc/samba/tls/lckey.pem
tls certfile = /etc/samba/tls/lccert.pem
tls cafile   =
tls verify peer = no_check
ldap server require strong auth = no
ntlm auth = mschapv2-and-ntlmv2-only
client min protocol = SMB2
wins support = yes
restrict anonymous = 2
template shell = /bin/bash
template homedir = /home/%U
[sysvol]
path = /var/lib/samba/sysvol
read only = No
nt acl support = yes


Is there anything that I need to check to get more information?

Thank you very much for your help.



Best Regards,

Nicho.
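The decisive line in the post is on dc4, not dc6: `objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS Settings,CN=DC6,...' does not exist in the specified objectclasses!`, raised inside `DsAddEntry` on the DC that serves the join. Everything after `Join failed - cleaning up` on dc6 (the missing `secrets.ldb`, `NT_STATUS_CANT_ACCESS_DOMAIN_INFO`) is cleanup of a DC that never finished provisioning, not the cause. The check that fired is Samba's schema enforcement: every attribute on a new object must be in the must/may (or systemMust/systemMay) lists of one of the object's objectClasses or their superclasses. The script below is an added example, not Samba's code, that models that check with a hand-built, abbreviated schema (the class and attribute names are real AD names, but the membership lists are assumptions for illustration) and shows that removing `hasMasterNCs` from the `nTDSDSA` class reproduces the exact message in the log. It also extracts the offending attribute and DN from a `log.samba` excerpt.

```python
"""Added example (not Samba's code): simplified model of the dsdb
objectclass_attrs check that produced the DsAddEntry failure in the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ClassSchema:
    name: str
    sub_class_of: Optional[str]               # None for 'top'
    must: Set[str] = field(default_factory=set)   # mustContain + systemMustContain
    may: Set[str] = field(default_factory=set)    # mayContain + systemMayContain


def build_schema(with_hasmasterncs: bool = True) -> Dict[str, ClassSchema]:
    """Constructed, abbreviated subset of the AD schema (an assumption, not a
    dump of a real schema partition). with_hasmasterncs=False models a schema
    in which the hasMasterNCs attribute is no longer allowed on nTDSDSA."""
    ntdsdsa_may = {"options", "invocationId", "dMDLocation",
                   "msDS-Behavior-Version", "msDS-HasDomainNCs",
                   "msDS-HasMasterNCs", "hasPartialReplicaNCs"}
    if with_hasmasterncs:
        ntdsdsa_may.add("hasMasterNCs")
    return {
        "top": ClassSchema("top", None, must={"objectClass"},
                           may={"cn", "objectCategory", "systemFlags",
                                "objectGUID", "description"}),
        "applicationSettings": ClassSchema("applicationSettings", "top",
                                           may={"applicationName",
                                                "notificationList"}),
        "nTDSDSA": ClassSchema("nTDSDSA", "applicationSettings", may=ntdsdsa_may),
    }


def allowed_attributes(schema: Dict[str, ClassSchema],
                       object_classes: List[str]) -> Set[str]:
    """Union of must/may over each objectClass and its superclass chain,
    lower-cased because LDAP attribute names are case-insensitive."""
    allowed: Set[str] = set()
    for oc in object_classes:
        cls: Optional[str] = oc
        while cls is not None:
            entry = schema.get(cls)
            if entry is None:
                raise KeyError(f"objectClass {cls!r} not in schema")
            allowed |= {a.lower() for a in entry.must | entry.may}
            cls = entry.sub_class_of
    return allowed


def check_entry(schema: Dict[str, ClassSchema], dn: str, entry: dict) -> List[str]:
    """Return objectclass_attrs-style error strings for an entry
    (attribute -> value(s)); an empty list means the add would pass."""
    allowed = allowed_attributes(schema, entry["objectClass"])
    errors = []
    for attr in entry:
        if attr.lower() in ("dn", "objectclass"):
            continue
        if attr.lower() not in allowed:
            errors.append(f"objectclass_attrs: attribute '{attr}' on entry '{dn}' "
                          "does not exist in the specified objectclasses!")
    return errors


LOG_RE = re.compile(r"attribute '([^']+)' on entry '([^']+)' "
                    r"does not exist in the specified objectclasses")


def parse_objectclass_error(log_text: str) -> Optional[Tuple[str, str]]:
    """Pull (attribute, dn) out of a log.samba excerpt; None if absent.
    Whitespace is normalised first so a DN wrapped by a mail client still parses."""
    m = LOG_RE.search(" ".join(log_text.split()))
    return (m.group(1), m.group(2)) if m else None


NTDS_DN = ("CN=NTDS Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=nicho,DC=com")

# Constructed stand-in for the nTDSDSA record the join sends via DsAddEntry;
# values are illustrative, not captured from the poster's domain.
NTDS_RECORD = {
    "objectClass": ["nTDSDSA"],
    "objectCategory": "CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=nicho,DC=com",
    "systemFlags": "33554432",
    "dMDLocation": "CN=Schema,CN=Configuration,DC=nicho,DC=com",
    "options": "1",
    "msDS-Behavior-Version": "4",          # 2008 R2 functional level
    "hasMasterNCs": ["DC=nicho,DC=com",
                     "CN=Configuration,DC=nicho,DC=com",
                     "CN=Schema,CN=Configuration,DC=nicho,DC=com"],
    "msDS-HasMasterNCs": ["DC=nicho,DC=com",
                          "CN=Configuration,DC=nicho,DC=com",
                          "CN=Schema,CN=Configuration,DC=nicho,DC=com"],
}

if __name__ == "__main__":
    print("intact schema:", check_entry(build_schema(True), NTDS_DN, NTDS_RECORD))
    for err in check_entry(build_schema(False), NTDS_DN, NTDS_RECORD):
        print("broken schema:", err)
        print("parsed:", parse_objectclass_error(err))
```

The practical consequence is that dc4's schema partition is what to inspect, since dc4 is the DC evaluating the add. On dc4, `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,DC=nicho,DC=com' '(lDAPDisplayName=hasMasterNCs)'` should return an attributeSchema object, and `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,DC=nicho,DC=com' '(lDAPDisplayName=nTDSDSA)' subClassOf mayContain systemMayContain mustContain systemMustContain` should show the class that the NTDS Settings object is being created with; `samba-tool dbcheck --cross-ncs` on dc4 is the general consistency check to run after the dc3 demotion and FSMO move.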

