[Samba] Can't join new samba dc to existing dc
Rowland Penny
rpenny at samba.org
Sun Aug 18 16:21:57 UTC 2024
On Sun, 18 Aug 2024 22:21:02 +0700
fransnicho via samba <samba at lists.samba.org> wrote:
>
> it at dc4:~$ sudo dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
> ii  acl  2.2.53-6  amd64  access control list - utilities
> ii  attr  1:2.4.48-5  amd64  utilities for manipulating filesystem extended attributes
> ii  bind9  1:9.18.28-0ubuntu0.20.04.1  amd64  Internet Domain Name Server
> ii  bind9-dnsutils  1:9.18.28-0ubuntu0.20.04.1  amd64  Clients provided with BIND 9
> ii  bind9-host  1:9.18.28-0ubuntu0.20.04.1  amd64  DNS Lookup Utility
> ii  bind9-libs:amd64  1:9.18.28-0ubuntu0.20.04.1  amd64  Shared Libraries used by BIND 9
> ii  bind9-utils  1:9.18.28-0ubuntu0.20.04.1  amd64  Utilities for BIND 9
> ii  bind9utils  1:9.18.28-0ubuntu0.20.04.1  all  Transitional package for bind9-utils
> ii  dnsutils  1:9.18.28-0ubuntu0.20.04.1  all  Transitional package for bind9-dnsutils
> ii  krb5-config  2.6ubuntu1  all  Configuration files for Kerberos Version 5
> ii  krb5-locales  1.17-6ubuntu4.6  all  internationalization support for MIT Kerberos
> ii  krb5-user  1.17-6ubuntu4.6  amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64  2.2.53-6  amd64  access control list - shared library
> ii  libattr1:amd64  1:2.4.48-5  amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64  1.17-6ubuntu4.6  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4  amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64  1.17-6ubuntu4.6  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64  1.17-6ubuntu4.6  amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba nameservice integration plugins
> ii  libpam-krb5:amd64  4.8-2ubuntu1  amd64  PAM module for MIT Kerberos
> ii  libpam-winbind:amd64  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Windows domain authentication integration plugin
> ii  libwbclient0:amd64  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba winbind client library
> ii  python3-attr  19.3.0-2  all  Attributes without boilerplate (Python 3)
> ii  python3-nacl  1.3.0-5  amd64  Python bindings to libsodium (Python 3)
> ii  samba  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
> rc  samba-common  2:4.17.5+karoshi-1~linuxschools1+focal1  all  common files used by both the Samba server and client
> ii  samba-dsdb-modules  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Directory Services Database
> ii  samba-vfs-modules  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Virtual FileSystem plugins
> ii  winbind  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information from Windows NT servers

OK, you have a few files that I don't have, but I don't think they
matter, but I do have these:

    ldb-tools libldb2 python3-ldb python3-samba samba-ad-dc
    samba-ad-provision samba-common-bin samba-libs

Now, I know some of them probably only exist with the Samba 4.20.x on
Debian, but I feel that you need some of them, unless Karoshi have
somehow got them built into their Samba packages (if so, why?).

The big one is this:

    rc samba-common

The 'rc' means that it has been removed, but its configuration files
have been left behind.

As I said, all of this could be down to the Karoshi Samba packages,
which I do not recommend, they do some very strange things on that
distro, in my opinion.

>
> This is what I suggest you do, install Debian Bookworm with Samba from
> bookworm-backports (it is what I use, so I know it works), this will
> get you Samba 4.20.4.
> Actually I already tried this when I also installed DC7. DC7 is my new
> samba DC that also can't join my existing AD DC (DC4).
> root at dc7:~# sudo lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description: Debian GNU/Linux 12 (bookworm)
> Release: 12
> Codename: bookworm
> root at dc7:~# samba -V
> Version 4.20.2-tranquilit-7
They are not the Samba packages from bookworm-backports, they are
very probably okay, but I don't use them, so I don't know just how to
use them.
> /etc/apt/sources.list.d/tissamba.list
> deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20.2/ bookworm main
>
> Attempt to join this as a DC, if it works, it shows that there is
> something wrong with the setup on the Ubuntu computer you are trying
> to join now. If it fails in exactly the same way, then it would point
> to either a fault in your existing DC, or a fault in the way you are
> setting up the computer before the DC join. If the latter, then I can
> talk you through the correct setup.
> root at dc7:~# samba-tool domain join nicho.com DC -UAdministrator at NICHO.COM --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose
> WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
> INFO 2024-08-18 21:57:32,458 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'nicho.com'
> INFO 2024-08-18 21:57:32,474 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC dc4.nicho.com
> Password for [Administrator at NICHO.COM]:
> INFO 2024-08-18 21:57:36,788 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is NICHO
> INFO 2024-08-18 21:57:36,789 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1608: realm is nicho.com
> Adding CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> Adding CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> Adding CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> Join failed - cleaning up
> Deleted CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> Deleted CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1509, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 665, in join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 590, in join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 509, in DsAddEntry
>     (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
>                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> /var/log/samba/log.samba on DC4
> [2024/08/18 21:57:37.670918, 0] ../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
> ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com - objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com' does not exist in the specified objectclasses!
> [2024/08/18 21:57:37.671302, 0] ../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
> ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed - WERR_DS_INTERNAL_FAILURE
>
> I think it fails in exactly the same way, the log also points to the
> same error as with the DC6 domain join command.
> From the information above, can you help me to find the fault in my
> existing DC, or a fault in the way I am setting up the computer before
> the DC join?

I think you need to ensure your existing DC is working correctly, try
and install samba-common first:

    sudo apt install -s samba-common

That will do a dummy install and hopefully show if it can be installed,
if it can, install it and the rest of my list above.

Rowland
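
The package check described in the reply above, as an added example that is not part of the original message: it reads `dpkg -l` style lines, reports packages left in state `rc`, and reports which packages from the reply's list are not fully installed. The function names, output labels and the last sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit "dpkg -l" output for the two conditions raised in the
# reply: packages in state "rc" (removed, config files left behind) and
# packages from the reply's list that are not in state "ii".

# Package names taken from the reply, plus samba-common itself
# (the reply notes some may exist only with Samba 4.20.x on Debian).
REQUIRED="ldb-tools libldb2 python3-ldb python3-samba samba-ad-dc \
samba-ad-provision samba-common samba-common-bin samba-libs"

# Reads "dpkg -l" lines on stdin: status, package[:arch], version, ...
audit_dc_packages() {
    awk -v required="$REQUIRED" '
        {
            name = $2
            sub(/:.*/, "", name)      # drop the ":amd64" arch qualifier
            state[name] = $1          # remember the dpkg status abbreviation
        }
        $1 == "rc" { print "REMOVED-CONFIG-LEFT " name " " $3 }
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++)
                if (state[want[i]] != "ii")
                    print "NOT-INSTALLED " want[i]
        }'
}

# Sample input: the first three lines follow the listing quoted in the thread;
# the samba-libs line is constructed to show an installed package passing.
sample_listing() {
    cat <<'EOF'
ii  samba             2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
rc  samba-common      2:4.17.5+karoshi-1~linuxschools1+focal1  all    common files used by both the Samba server and client
ii  winbind           2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information
ii  samba-libs:amd64  0-constructed                            amd64  constructed line, not from the thread
EOF
}

# Demo on the sample; on a real host run:  dpkg -l | audit_dc_packages
sample_listing | audit_dc_packages
```
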