[Samba] Can't join new samba dc to existing dc

Rowland Penny rpenny at samba.org
Sun Aug 18 16:21:57 UTC 2024


On Sun, 18 Aug 2024 22:21:02 +0700
fransnicho via samba <samba at lists.samba.org> wrote:



> 
> it at dc4:~$ sudo dpkg -l | grep -E
> 'samba|winbind|krb5|smbclient|acl|attr|bind9'
> ii  acl                                   2.2.53-6
> 
>                                         amd64        access control
> list - utilities
> ii  attr                                  1:2.4.48-5
> 
>                                         amd64        utilities for
> manipulating filesystem extended attributes
> ii  bind9                                 1:9.18.28-0ubuntu0.20.04.1
> 
>                                         amd64        Internet Domain
> Name Server
> ii  bind9-dnsutils                        1:9.18.28-0ubuntu0.20.04.1
> 
>                                         amd64        Clients provided
> with BIND 9
> ii  bind9-host                            1:9.18.28-0ubuntu0.20.04.1
> 
>                                         amd64        DNS Lookup
> Utility ii  bind9-libs:amd64
> 1:9.18.28-0ubuntu0.20.04.1
> 
>                                         amd64        Shared Libraries
> used by BIND 9
> ii  bind9-utils                           1:9.18.28-0ubuntu0.20.04.1
> 
>                                         amd64        Utilities for
> BIND 9 ii  bind9utils
> 1:9.18.28-0ubuntu0.20.04.1
> 
>                                         all          Transitional
> package for bind9-utils
> ii  dnsutils                              1:9.18.28-0ubuntu0.20.04.1
> 
>                                         all          Transitional
> package for bind9-dnsutils
> ii  krb5-config                           2.6ubuntu1
> 
>                                         all          Configuration
> files for Kerberos Version 5
> ii  krb5-locales                          1.17-6ubuntu4.6
> 
>                                        all
> internationalization support for MIT Kerberos
> ii  krb5-user                             1.17-6ubuntu4.6
> 
>                                        amd64        basic programs to
> authenticate using MIT Kerberos
> ii  libacl1:amd64                         2.2.53-6
> 
>                                         amd64        access control
> list - shared library
> ii  libattr1:amd64                        1:2.4.48-5
> 
>                                         amd64        extended
> attribute handling - shared library
> ii  libgssapi-krb5-2:amd64                1.17-6ubuntu4.6
> 
>                                        amd64        MIT Kerberos
> runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64              7.7.0+dfsg-1ubuntu1.4
> 
>                                        amd64        Heimdal Kerberos -
> libraries
> ii  libkrb5-3:amd64                       1.17-6ubuntu4.6
> 
>                                        amd64        MIT Kerberos
> runtime libraries
> ii  libkrb5support0:amd64                 1.17-6ubuntu4.6
> 
>                                        amd64        MIT Kerberos
> runtime libraries - Support library
> ii  libnss-winbind:amd64
>  2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64                     4.8-2ubuntu1
> 
>                                         amd64        PAM module for
> MIT Kerberos
> ii  libpam-winbind:amd64
>  2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        Windows domain authentication integration plugin
> ii  libwbclient0:amd64
>  2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        Samba winbind client library
> ii  python3-attr                          19.3.0-2
> 
>                                         all          Attributes
> without boilerplate (Python 3)
> ii  python3-nacl                          1.3.0-5
> 
>                                        amd64        Python bindings to
> libsodium (Python 3)
> ii  samba
> 2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        SMB/CIFS file, print and login server for Unix
> rc  samba-common
>  2:4.17.5+karoshi-1~linuxschools1+focal
>                                                                         1
> all          common files used by both the Samba server and client
> ii  samba-dsdb-modules
>  2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        Samba Directory Services Database
> ii  samba-vfs-modules
> 2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        Samba Virtual FileSystem plugins
> ii  winbind
> 2:4.19.5+karoshi-1~linuxschools1+focal
>                                                                         1
> amd64        service to resolve user and group information from
> Windows NT servers

OK, you have a few files that I don't have, but I don't think they
matter, but I do have these:

ldb-tools libldb2 python3-ldb python3-samba samba-ad-dc
samba-ad-provision samba-common-bin samba-libs

Now, I know some of them probably only exist with the Samba 4.20.x on
Debian, but I feel that you need some of them, unless Karoshi have
somehow got them built into their Samba packages (if so, why?).

The big one is this:

rc  samba-common 

The 'rc' means that it has been removed, but its configuration files
have been left behind.

As I said all of this could be down to the Karoshi Samba packages,
which I do not recommend, they do some very strange things on that
distro, in my opinion.

> 
> This is what I suggest you do, install Debian Bookworm with Samba from
> bookworm-backports (it is what I use, so I know it works), this will
> get you Samba 4.20.4.
> Actually, I already tried this when I installed DC7. DC7 is my new
> Samba DC that also can't join my existing AD DC (DC4).
> root at dc7:~# sudo lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux 12 (bookworm)
> Release:        12
> Codename:       bookworm
> root at dc7:~# samba -V
> Version 4.20.2-tranquilit-7

They are not the Samba packages from bookworm-backports, they are
very probably okay, but I don't use them, so I don't know just how to
use them.

> /etc/apt/sources.list.d/tissamba.list
> deb [signed-by=/usr/share/keyrings/tissamba.gpg]
> https://samba.tranquil.it/debian/samba-4.20.2/ bookworm main
> 
> Attempt to join this as a DC, if it works, it shows that there is
> something wrong with the setup on the Ubuntu computer you are trying
> to join now. If it fails in exactly the same way, then it would point
> to either a fault in your existing DC, or a fault in the way you are
> setting up the computer before the DC join. If the latter, then I can
> talk you through the correct setup.
> root at dc7:~# samba-tool domain join nicho.com DC
> -UAdministrator at NICHO.COM --option='idmap_ldb:use rfc2307 = yes'
> --dns-backend=BIND9_DLZ --verbose
> WARNING: Using passwords on command line is insecure. Installing the
> setproctitle python module will hide these from shortly after program
> start.
> INFO 2024-08-18 21:57:32,458 pid:5083
> /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable
> DC for domain 'nicho.com'
> INFO 2024-08-18 21:57:32,474 pid:5083
> /usr/lib/python3/dist-packages/samba/join.py #106: Found DC
> dc4.nicho.com
> Password for [Administrator at NICHO.COM]:
> INFO 2024-08-18 21:57:36,788 pid:5083
> /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is NICHO
> INFO 2024-08-18 21:57:36,789 pid:5083
> /usr/lib/python3/dist-packages/samba/join.py #1608: realm is nicho.com
> Adding CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> Adding
> CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> Adding CN=NTDS
> Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> Join failed - cleaning up
> Deleted CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> Deleted CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1509, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 665, in join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 590, in join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 509, in DsAddEntry
>     (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
>                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> /var/log/samba/log.samba on DC4
> [2024/08/18 21:57:37.670918,  0]
> ../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
>   ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of
> CN=NTDS
> Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> - objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS
> Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com'
> does not exist in the specified objectclasses!
> [2024/08/18 21:57:37.671302,  0]
> ../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
>   ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed -
> WERR_DS_INTERNAL_FAILURE
> 
> I think it fails in exactly the same way; the log also points to the
> same error as with the DC6 domain join command.
> From the information above, can you help me find the fault in my
> existing DC, or a fault in the way I am setting up the computer before
> the DC join?

I think you need to ensure your existing DC is working correctly, try
and install samba-common first:
sudo apt install -s samba-common

That will do a dummy install and hopefully show if it can be installed,
if it can, install it and the rest of my list above.

Rowland
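
The package check discussed in this message, as an added example that is not part of the original post: it reads `dpkg -l` output and reports packages left in the `rc` state (removed, configuration files left behind) and any package from the reply's list that is not installed. The function names, the `RC`/`MISSING` output format and the sample rows with their version strings are constructed for illustration; as the reply notes, some of the listed packages may only exist with Samba 4.20.x on Debian, so a `MISSING` line is something to check rather than proof of a fault.

```shell
#!/bin/sh
# Added example: audit `dpkg -l` output for the two things this thread looks at:
#   - packages in state "rc" (removed, configuration files left behind)
#   - packages from the reply's list that are not in state "ii" (installed)

# Package names taken from the reply above, plus samba-common itself.
WANTED="ldb-tools libldb2 python3-ldb python3-samba samba-ad-dc \
samba-ad-provision samba-common samba-common-bin samba-libs"

# audit_dpkg: reads `dpkg -l` output on stdin and prints one finding per line,
# either "RC <package> <version>" or "MISSING <package>".
audit_dpkg() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " ") }
        # Data rows start with a 2 or 3 letter state field (ii, rc, hi, ...);
        # the dpkg header lines do not match this pattern.
        $1 ~ /^[a-zA-Z][a-zA-Z][a-zA-Z]?$/ {
            name = $2
            sub(/:.*/, "", name)            # drop an ":amd64" style suffix
            state = substr($1, 1, 2)
            if (state == "ii") installed[name] = 1
            if (state == "rc") print "RC", name, $3
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in installed)) print "MISSING", w[i]
        }'
}

# Constructed sample rows in `dpkg -l` layout (versions are placeholders).
sample_dpkg() {
    cat <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version           Architecture Description
+++-==============-=================-============-=====================
ii  samba          2:4.19.5+example  amd64        SMB/CIFS file, print and login server
rc  samba-common   2:4.17.5+example  all          common files used by server and client
ii  winbind        2:4.19.5+example  amd64        service to resolve user and group info
ii  libldb2:amd64  2:2.8.0+example   amd64        LDAP-like embedded database
EOF
}

# Try it on the sample:   sample_dpkg | audit_dpkg
# Run it on a real host:  dpkg -l | audit_dpkg
```
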



