[Samba] Can't join new samba dc to existing dc
fransnicho
fransnicho at gmail.com
Sun Aug 18 15:21:02 UTC 2024
On Sun, 18 Aug 2024 at 16:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 17 Aug 2024 16:21:14 +0700
> fransnicho via samba <samba at lists.samba.org> wrote:
> > Hi Rowland,
> > Thanks for your response
> >
> > Is it ok to have 2 records on the
> > CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> > ?
>
> Yes
>
> >
> > 20.04 comes with Samba 4.15.13, so where did you get the 4.19.5
> > packages from ?
> > deb http://ppa.launchpad.net/linux-schools/samba-latest/ubuntu focal
> > main
>
> Not sure I would rely on those.
>
> >
> > Please provide a list of the installed Samba packages.
> > it at dc4:~$ sudo apt list samba --installed
> > Listing... Done
> > samba/focal,now 2:4.19.5+karoshi-1~linuxschools1+focal1 amd64
> > [installed]
>
> Try it like this:
> dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
>
> >
> > Probably not, but what does this command show:
> > it at dc4:~$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b
> > 'cn=Schema,cn=Configuration,DC=nicho,DC=com' -s base objectVersion
> > # record 1
> > dn: CN=Schema,CN=Configuration,DC=nicho,DC=com
> > objectVersion: 69
> >
>
> That's Windows Server 2012R2, so nothing wrong there.
>
> This is what I suggest you do, install Debian Bookworm with Samba
> from bookworm-backports (it is what I use, so I know it works), this
> will get you Samba 4.20.4 .
>
> Attempt to join this as a DC, if it works, it shows that there is
> something wrong with the setup on the Ubuntu computer you are trying to
> join now. If it fails in exactly the same way, then it would point to
> either a fault in your existing DC, or a fault in the way you are
> setting up the computer before the DC join. If the latter, then I can
> talk you through the correct setup.
>
> Rowland
>
Hi Rowland,
Thanks for your response 🙏
it at dc4:~$ sudo dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
ii  acl                       2.2.53-6                                 amd64  access control list - utilities
ii  attr                      1:2.4.48-5                               amd64  utilities for manipulating filesystem extended attributes
ii  bind9                     1:9.18.28-0ubuntu0.20.04.1               amd64  Internet Domain Name Server
ii  bind9-dnsutils            1:9.18.28-0ubuntu0.20.04.1               amd64  Clients provided with BIND 9
ii  bind9-host                1:9.18.28-0ubuntu0.20.04.1               amd64  DNS Lookup Utility
ii  bind9-libs:amd64          1:9.18.28-0ubuntu0.20.04.1               amd64  Shared Libraries used by BIND 9
ii  bind9-utils               1:9.18.28-0ubuntu0.20.04.1               amd64  Utilities for BIND 9
ii  bind9utils                1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-utils
ii  dnsutils                  1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-dnsutils
ii  krb5-config               2.6ubuntu1                               all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-6ubuntu4.6                          all    internationalization support for MIT Kerberos
ii  krb5-user                 1.17-6ubuntu4.6                          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-6                                 amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-5                               amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4                    amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64         4.8-2ubuntu1                             amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba winbind client library
ii  python3-attr              19.3.0-2                                 all    Attributes without boilerplate (Python 3)
ii  python3-nacl              1.3.0-5                                  amd64  Python bindings to libsodium (Python 3)
ii  samba                     2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
rc  samba-common              2:4.17.5+karoshi-1~linuxschools1+focal1  all    common files used by both the Samba server and client
ii  samba-dsdb-modules        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Directory Services Database
ii  samba-vfs-modules         2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Virtual FileSystem plugins
ii  winbind                   2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information from Windows NT servers
This is what I suggest you do, install Debian Bookworm with Samba from
bookworm-backports (it is what I use, so I know it works), this will
get you Samba 4.20.4.
Actually, I already tried this when I installed DC7. DC7 is my new
Samba DC that also can't join my existing AD DC (DC4).
root at dc7:~# sudo lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
root at dc7:~# samba -V
Version 4.20.2-tranquilit-7
/etc/apt/sources.list.d/tissamba.list
deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20.2/ bookworm main
Attempt to join this as a DC, if it works, it shows that there is
something wrong with the setup on the Ubuntu computer you are trying
to join now. If it fails in exactly the same way, then it would point
to either a fault in your existing DC, or a fault in the way you are
setting up the computer before the DC join. If the latter, then I can
talk you through the correct setup.
root at dc7:~# samba-tool domain join nicho.com DC -UAdministrator at NICHO.COM --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
INFO 2024-08-18 21:57:32,458 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'nicho.com'
INFO 2024-08-18 21:57:32,474 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC dc4.nicho.com
Password for [Administrator at NICHO.COM]:
INFO 2024-08-18 21:57:36,788 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is NICHO
INFO 2024-08-18 21:57:36,789 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1608: realm is nicho.com
Adding CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
Adding CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Adding CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
Join failed - cleaning up
Deleted CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
Deleted CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1509, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 665, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 590, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 509, in DsAddEntry
    (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/var/log/samba/log.samba on DC4
[2024/08/18 21:57:37.670918, 0] ../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
  ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com - objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com' does not exist in the specified objectclasses!
[2024/08/18 21:57:37.671302, 0] ../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
  ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed - WERR_DS_INTERNAL_FAILURE
I think it fails in exactly the same way; the log also points to the
same error as with the DC6 domain join command.
From the information above, can you help me find the fault in my
existing DC, or a fault in the way I am setting up the computer before
the DC join?
Best Regards,
Nicho.