[Samba] Can't join new samba dc to existing dc

fransnicho fransnicho at gmail.com
Sun Aug 18 15:21:02 UTC 2024


On Sun, 18 Aug 2024 at 16:38, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 17 Aug 2024 16:21:14 +0700
> fransnicho via samba <samba at lists.samba.org> wrote:
> > Hi Rowland,
> > Thanks for your response
> >
> > Is it ok to have 2 records on the
> > CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> > ?
>
> Yes
>
> >
> > 20.04 comes with Samba 4.15.13, so where did you get the 4.19.5
> > packages from ?
> > deb http://ppa.launchpad.net/linux-schools/samba-latest/ubuntu focal main
>
> Not sure I would rely on those.
>
> >
> > Please provide a list of the installed Samba packages.
> > it at dc4:~$ sudo apt list samba --installed
> > Listing... Done
> > samba/focal,now 2:4.19.5+karoshi-1~linuxschools1+focal1 amd64 [installed]
>
> Try it like this:
> dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
>
> >
> > Probably not, but what does this command show:
> > it at dc4:~$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b 'cn=Schema,cn=Configuration,DC=nicho,DC=com' -s base objectVersion
> > # record 1
> > dn: CN=Schema,CN=Configuration,DC=nicho,DC=com
> > objectVersion: 69
> >
>
> That's Windows Server 2012R2, so nothing wrong there.
>
> This is what I suggest you do, install Debian Bookworm with Samba
> from bookworm-backports (it is what I use, so I know it works), this
> will get you Samba 4.20.4 .
>
> Attempt to join this as a DC, if it works, it shows that there is
> something wrong with the setup on the Ubuntu computer you are trying to
> join now. If it fails in exactly the same way, then it would point to
> either a fault in your existing DC, or a fault in the way you are
> setting up the computer before the DC join. If the latter, then I can
> talk you through the correct setup.
>
> Rowland

Hi Rowland,
Thanks for your response 🙏

it at dc4:~$ sudo dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
ii  acl                       2.2.53-6                                 amd64  access control list - utilities
ii  attr                      1:2.4.48-5                               amd64  utilities for manipulating filesystem extended attributes
ii  bind9                     1:9.18.28-0ubuntu0.20.04.1               amd64  Internet Domain Name Server
ii  bind9-dnsutils            1:9.18.28-0ubuntu0.20.04.1               amd64  Clients provided with BIND 9
ii  bind9-host                1:9.18.28-0ubuntu0.20.04.1               amd64  DNS Lookup Utility
ii  bind9-libs:amd64          1:9.18.28-0ubuntu0.20.04.1               amd64  Shared Libraries used by BIND 9
ii  bind9-utils               1:9.18.28-0ubuntu0.20.04.1               amd64  Utilities for BIND 9
ii  bind9utils                1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-utils
ii  dnsutils                  1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-dnsutils
ii  krb5-config               2.6ubuntu1                               all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-6ubuntu4.6                          all    internationalization support for MIT Kerberos
ii  krb5-user                 1.17-6ubuntu4.6                          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-6                                 amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-5                               amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4                    amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64         4.8-2ubuntu1                             amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba winbind client library
ii  python3-attr              19.3.0-2                                 all    Attributes without boilerplate (Python 3)
ii  python3-nacl              1.3.0-5                                  amd64  Python bindings to libsodium (Python 3)
ii  samba                     2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
rc  samba-common              2:4.17.5+karoshi-1~linuxschools1+focal1  all    common files used by both the Samba server and client
ii  samba-dsdb-modules        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Directory Services Database
ii  samba-vfs-modules         2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Virtual FileSystem plugins
ii  winbind                   2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information from Windows NT servers

> This is what I suggest you do, install Debian Bookworm with Samba from
> bookworm-backports (it is what I use, so I know it works), this will
> get you Samba 4.20.4.

Actually, I already tried this when I also installed DC7. DC7 is my new
Samba DC that also can't join my existing AD DC (DC4).
root at dc7:~# sudo lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
root at dc7:~# samba -V
Version 4.20.2-tranquilit-7
/etc/apt/sources.list.d/tissamba.list
deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20.2/ bookworm main

> Attempt to join this as a DC, if it works, it shows that there is
> something wrong with the setup on the Ubuntu computer you are trying
> to join now. If it fails in exactly the same way, then it would point
> to either a fault in your existing DC, or a fault in the way you are
> setting up the computer before the DC join. If the latter, then I can
> talk you through the correct setup.

root at dc7:~# samba-tool domain join nicho.com DC -UAdministrator at NICHO.COM --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
INFO 2024-08-18 21:57:32,458 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'nicho.com'
INFO 2024-08-18 21:57:32,474 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC dc4.nicho.com
Password for [Administrator at NICHO.COM]:
INFO 2024-08-18 21:57:36,788 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is NICHO
INFO 2024-08-18 21:57:36,789 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1608: realm is nicho.com
Adding CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
Adding CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Adding CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Join failed - cleaning up
Deleted CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
Deleted CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1509, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 665, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 590, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 509, in DsAddEntry
    (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/var/log/samba/log.samba on DC4
[2024/08/18 21:57:37.670918,  0] ../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
  ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com - objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com' does not exist in the specified objectclasses!
[2024/08/18 21:57:37.671302,  0] ../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
  ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed - WERR_DS_INTERNAL_FAILURE

I think it fails in exactly the same way; the log also points to the
same error as with the DC6 domain join command.
From the information above, can you help me find the fault in my
existing DC, or a fault in the way I am setting up the computer before
the DC join?

Best Regards,
Nicho.

