[Samba] Can't join new samba dc to existing dc
fransnicho
fransnicho at gmail.com
Wed Aug 14 09:58:12 UTC 2024
Hello All,
Please help..
I can not join an additional new samba dc ver. 4.19.5 to an existing samba
Ad version 4.19.5 functional level 2008 R2.
Last week I successfully demote an offline dc3 and move the fsmo role to
dc4. The command i used to join:
it at dc6:~$ sudo samba-tool domain join NICHO.COM DC -UAdministrator at NICHO.COM
--option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose -d6
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
tevent: 6
auth_audit: 6
auth_json_audit: 6
kerberos: 6
drs_repl: 6
smb2: 6
smb2_credits: 6
dsdb_audit: 6
dsdb_json_audit: 6
dsdb_password_audit: 6
dsdb_password_json_audit: 6
dsdb_transaction_audit: 6
dsdb_transaction_json_audit: 6
dsdb_group_audit: 6
dsdb_group_json_audit: 6
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
INFO 2024-08-14 16:34:45,882 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC
for domain 'NICHO.COM'
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
finddcs: searching for a DC by DNS domain NICHO.COM
finddcs: looking for SRV records for _ldap._tcp.NICHO.COM
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.NICHO.COM
<0x0>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
getlmhostsent: lmhost entry: 10.11.10.15 DC4.NICHO.COM
finddcs: DNS SRV response 0 at '10.11.10.15'
finddcs: performing CLDAP query on 10.11.10.15
finddcs: Found matching DC 10.11.10.15 with server_type=0x000013fd
INFO 2024-08-14 16:34:45,900 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #108: Found DC dc4.nicho.com
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [Administrator at NICHO.COM]:
Received smb_krb5 packet of length 272
Received smb_krb5 packet of length 180
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
INFO 2024-08-14 16:34:50,457 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #1614: workgroup is NICHO
INFO 2024-08-14 16:34:50,457 pid:6783
/usr/lib/python3/dist-packages/samba/join.py #1617: realm is nicho.com
Adding CN=DC6,OU=Domain Controllers,DC=nicho,DC=com
Adding
CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Adding CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Using binding ncacn_ip_tcp:dc4.nicho.com[,seal]
Mapped to DCERPC endpoint 135
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Mapped to DCERPC endpoint 49153
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
added interface ens18 ip=10.11.10.28 bcast=10.11.11.255
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name dc4.nicho.com<0x20>
getlmhostsent: lmhost entry: 10.11.10.15 DC4
getlmhostsent: lmhost entry: 10.11.10.15 DC4.nicho.com
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for Administrator at NICHO.COM will expire in 36000 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
Join failed - cleaning up
ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not
open file /var/lib/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file
or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend
'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
Could not find machine account in secrets database: Failed to fetch machine
account password for NICHO from both secrets.ldb (Could not open
secrets.ldb) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC6,OU=Domain Controllers,DC=nicho,DC=com
Deleted
CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279,
in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line
128, in run
join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
File "/usr/lib/python3/dist-packages/samba/join.py", line 1630, in join_DC
ctx.do_join()
File "/usr/lib/python3/dist-packages/samba/join.py", line 1518, in do_join
ctx.join_add_objects()
File "/usr/lib/python3/dist-packages/samba/join.py", line 673, in
join_add_objects
ctx.join_add_ntdsdsa()
File "/usr/lib/python3/dist-packages/samba/join.py", line 598, in
join_add_ntdsdsa
ctx.DsAddEntry([rec])
File "/usr/lib/python3/dist-packages/samba/join.py", line 517, in
DsAddEntry
(level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/var/log/samba/log.samba
[2024/08/14 16:34:50.359133, 2]
../../auth/auth_log.c:858(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[
Administrator at NICHO.COM] at [Wed, 14 Aug 2024 16:34:50.359113 WIB] with
[arcfour-hmac-md5] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation
[(null)] remote host [ipv4:10.11.10.28:46329] mapped to
[NICHO]\[Administrator]. local host [NULL]
{"timestamp": "2024-08-14T16:34:50.359187+0700", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 3},
"eventId": 4625, "logonId": "8d84c193773a6b6b", "logonType": 3, "status":
"NT_STATUS_PROTOCOL_UNREACHABLE", "localAddress": null, "remoteAddress":
"ipv4:10.11.10.28:46329", "serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "Administrator at NICHO.COM", "workstation": null,
"becameAccount": "Administrator", "becameDomain": "NICHO", "becameSid":
"S-1-5-21-2170936618-152811847-3992523897-500", "mappedAccount":
"Administrator", "mappedDomain": "NICHO", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "arcfour-hmac-md5", "clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null, "duration": 13880}}
[2024/08/14 16:34:51.368927, 0]
../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
- objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS
Settings,CN=DC6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com'
does not exist in the specified objectclasses!
[2024/08/14 16:34:51.369239, 0]
../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed -
WERR_DS_INTERNAL_FAILURE
/etc/samba/smb.conf
[global]
log level = 2
netbios name = DC4
realm = NICHO.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = NICHO
idmap_ldb:use rfc2307 = yes
tls enabled = yes
tls keyfile = /etc/samba/tls/lckey.pem
tls certfile = /etc/samba/tls/lccert.pem
tls cafile =
tls verify peer = no_check
ldap server require strong auth = no
ntlm auth = mschapv2-and-ntlmv2-only
client min protocol = SMB2
wins support = yes
restrict anonymous = 2
template shell = /bin/bash
template homedir = /home/%U
[sysvol]
path = /var/lib/samba/sysvol
read only = No
nt acl support = yes
Is there anything that I need to cek to get more information ?
Thank you very much for your help.
Best Regards,
Nicho.
More information about the samba
mailing list