[Samba] Can't join new samba dc to existing dc
fransnicho
fransnicho at gmail.com
Mon Aug 19 07:10:09 UTC 2024
On Sun, 18 Aug 2024 at 23:23, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 18 Aug 2024 22:21:02 +0700
> fransnicho via samba <samba at lists.samba.org> wrote:
>
>
>
> >
> > it at dc4:~$ sudo dpkg -l | grep -E 'samba|winbind|krb5|smbclient|acl|attr|bind9'
> > ii  acl                       2.2.53-6                                 amd64  access control list - utilities
> > ii  attr                      1:2.4.48-5                               amd64  utilities for manipulating filesystem extended attributes
> > ii  bind9                     1:9.18.28-0ubuntu0.20.04.1               amd64  Internet Domain Name Server
> > ii  bind9-dnsutils            1:9.18.28-0ubuntu0.20.04.1               amd64  Clients provided with BIND 9
> > ii  bind9-host                1:9.18.28-0ubuntu0.20.04.1               amd64  DNS Lookup Utility
> > ii  bind9-libs:amd64          1:9.18.28-0ubuntu0.20.04.1               amd64  Shared Libraries used by BIND 9
> > ii  bind9-utils               1:9.18.28-0ubuntu0.20.04.1               amd64  Utilities for BIND 9
> > ii  bind9utils                1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-utils
> > ii  dnsutils                  1:9.18.28-0ubuntu0.20.04.1               all    Transitional package for bind9-dnsutils
> > ii  krb5-config               2.6ubuntu1                               all    Configuration files for Kerberos Version 5
> > ii  krb5-locales              1.17-6ubuntu4.6                          all    internationalization support for MIT Kerberos
> > ii  krb5-user                 1.17-6ubuntu4.6                          amd64  basic programs to authenticate using MIT Kerberos
> > ii  libacl1:amd64             2.2.53-6                                 amd64  access control list - shared library
> > ii  libattr1:amd64            1:2.4.48-5                               amd64  extended attribute handling - shared library
> > ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4                    amd64  Heimdal Kerberos - libraries
> > ii  libkrb5-3:amd64           1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries
> > ii  libkrb5support0:amd64     1.17-6ubuntu4.6                          amd64  MIT Kerberos runtime libraries - Support library
> > ii  libnss-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba nameservice integration plugins
> > ii  libpam-krb5:amd64         4.8-2ubuntu1                             amd64  PAM module for MIT Kerberos
> > ii  libpam-winbind:amd64      2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Windows domain authentication integration plugin
> > ii  libwbclient0:amd64        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba winbind client library
> > ii  python3-attr              19.3.0-2                                 all    Attributes without boilerplate (Python 3)
> > ii  python3-nacl              1.3.0-5                                  amd64  Python bindings to libsodium (Python 3)
> > ii  samba                     2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
> > rc  samba-common              2:4.17.5+karoshi-1~linuxschools1+focal1  all    common files used by both the Samba server and client
> > ii  samba-dsdb-modules        2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Directory Services Database
> > ii  samba-vfs-modules         2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba Virtual FileSystem plugins
> > ii  winbind                   2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information from Windows NT servers
>
> OK, you have a few files that I don't have, but I don't think they
> matter, but I do have these:
>
> ldb-tools libldb2 python3-ldb python3-samba samba-ad-dc
> samba-ad-provision samba-common-bin samba-libs
>
> Now, I know some of them probably only exist with the Samba 4.20.x on
> Debian, but I feel that you need some of them, unless Karoshi have
> somehow got them built into their Samba packages (if so, why?).
>
> The big one is this:
>
> rc samba-common
>
> The 'rc' means that it has been removed, but its configuration files
> have been left behind.
>
> As I said all of this could be down to the Karoshi Samba packages,
> which I do not recommend, they do some very strange things on that
> distro, in my opinion.
>
> >
> > This is what I suggest you do, install Debian Bookworm with Samba from
> > bookworm-backports (it is what I use, so I know it works), this will
> > get you Samba 4.20.4.
> > Actually I already tried this when I also installed DC7. DC7 is my new
> > samba DC that also can't join my existing AD DC (DC4).
> > root at dc7:~# sudo lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Debian
> > Description: Debian GNU/Linux 12 (bookworm)
> > Release: 12
> > Codename: bookworm
> > root at dc7:~# samba -V
> > Version 4.20.2-tranquilit-7
>
> They are not the Samba packages from bookworm-backports, they are
> very probably okay, but I don't use them, so I don't know just how to
> use them.
>
> > /etc/apt/sources.list.d/tissamba.list
> > deb [signed-by=/usr/share/keyrings/tissamba.gpg] https://samba.tranquil.it/debian/samba-4.20.2/ bookworm main
> >
> > Attempt to join this as a DC, if it works, it shows that there is
> > something wrong with the setup on the Ubuntu computer you are trying
> > to join now. If it fails in exactly the same way, then it would point
> > to either a fault in your existing DC, or a fault in the way you are
> > setting up the computer before the DC join. If the latter, then I can
> > talk you through the correct setup.
> > root at dc7:~# samba-tool domain join nicho.com DC -UAdministrator at NICHO.COM --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ --verbose
> > WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
> > INFO 2024-08-18 21:57:32,458 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'nicho.com'
> > INFO 2024-08-18 21:57:32,474 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC dc4.nicho.com
> > Password for [Administrator at NICHO.COM]:
> > INFO 2024-08-18 21:57:36,788 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is NICHO
> > INFO 2024-08-18 21:57:36,789 pid:5083 /usr/lib/python3/dist-packages/samba/join.py #1608: realm is nicho.com
> > Adding CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> > Adding CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> > Adding CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> > Join failed - cleaning up
> > Deleted CN=DC7,OU=Domain Controllers,DC=nicho,DC=com
> > Deleted CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com
> > ERROR(runtime): uncaught exception - (8430, 'WERR_DS_INTERNAL_FAILURE')
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
> >     return self.run(*args, **kwargs)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
> >     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line 1509, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line 665, in join_add_objects
> >     ctx.join_add_ntdsdsa()
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line 590, in join_add_ntdsdsa
> >     ctx.DsAddEntry([rec])
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line 509, in DsAddEntry
> >     (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
> >                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > /var/log/samba/log.samba on DC4
> > [2024/08/18 21:57:37.670918, 0] ../../source4/dsdb/repl/replicated_objects.c:1244(dsdb_origin_objects_commit)
> >   ../../source4/dsdb/repl/replicated_objects.c:1244: Failed add of CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com - objectclass_attrs: attribute 'hasMasterNCs' on entry 'CN=NTDS Settings,CN=DC7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nicho,DC=com' does not exist in the specified objectclasses!
> > [2024/08/18 21:57:37.671302, 0] ../../source4/rpc_server/drsuapi/addentry.c:209(dcesrv_drsuapi_DsAddEntry)
> >   ../../source4/rpc_server/drsuapi/addentry.c:209: DsAddEntry failed - WERR_DS_INTERNAL_FAILURE
> >
> > I think it fails in exactly the same way, the log also points to the
> > same error as with the DC6 domain join command.
> > From the information above, can you help me to find the fault in my
> > existing DC, or a fault in the way I am setting up the computer before
> > the DC join?
>
> I think you need to ensure your existing DC is working correctly, try
> and install samba-common first:
> sudo apt install -s samba-common
>
> That will do a dummy install and hopefully show if it can be installed,
> if it can, install it and the rest of my list above.
>
> Rowland
Hi Rowland,
Thanks for your response 🙏
ldb-tools --> error upgrading to version 2.4.4-0ubuntu0.20.04.2; still using version 2.2.3-0ubuntu0.20.04.3
libldb2 --> already the newest version (2:2.4.4-0ubuntu0.20.04.2)
python3-ldb --> error: 1 new install, 9 to remove. The following packages will be REMOVED:
  freeradius libnss-winbind libpam-winbind libparse-pidl-perl libwbclient0 samba samba-dsdb-modules samba-vfs-modules winbind
python3-samba --> success
samba-ad-dc --> no installation candidate. However the following packages replace it: samba
samba-ad-provision --> Unable to locate package samba-ad-provision
samba-common --> success
samba-common-bin --> success
samba-libs --> success

Should I force the install of python3-ldb?
Or is there any better way to change/replace the Samba packages?
Best Regards,
Nicho.
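
The package-state checks discussed in this thread (the `rc` state, the Samba version mix, and which listed packages are absent), as an added shell example that is not part of the original message. The function names are this example's own, and the sample listing is constructed from the `dpkg -l` output quoted above.

```sh
#!/bin/sh
# Added example: audit `dpkg -l` output on a DC before attempting a join.

# Constructed sample, trimmed from the listing quoted in the thread.
sample_listing() {
cat <<'EOF'
ii  libwbclient0:amd64  2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  Samba winbind client library
ii  samba               2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  SMB/CIFS file, print and login server for Unix
rc  samba-common        2:4.17.5+karoshi-1~linuxschools1+focal1  all    common files used by both the Samba server and client
ii  winbind             2:4.19.5+karoshi-1~linuxschools1+focal1  amd64  service to resolve user and group information
ii  krb5-user           1.17-6ubuntu4.6                          amd64  basic programs to authenticate using MIT Kerberos
EOF
}

# Print "name version" for every package in state "rc"
# (removed, but configuration files left behind).
residual_config() {
    awk '$1 == "rc" { n = $2; sub(/:.*/, "", n); print n, $3 }'
}

# Print each distinct version among installed ("ii") Samba-family packages.
# More than one line of output means a mixed-version install.
samba_versions() {
    awk '$1 == "ii" && $2 ~ /^(samba|winbind|libwbclient|libnss-winbind|libpam-winbind|python3-samba)/ { print $3 }' | sort -u
}

# Print every package named in $1 (space-separated) that is not in state "ii".
# Feed it unfiltered `dpkg -l` output: a grep-filtered listing hides packages.
missing_from() {
    awk -v want="$1" '
        $1 == "ii" { n = $2; sub(/:.*/, "", n); have[n] = 1 }
        END {
            k = split(want, w, " ")
            for (i = 1; i <= k; i++) if (!(w[i] in have)) print w[i]
        }'
}

# Demonstration on the sample; on a real host pipe `dpkg -l` in instead.
echo "Residual config (rc):";        sample_listing | residual_config
echo "Installed Samba versions:";    sample_listing | samba_versions
echo "Not installed from the list:"; sample_listing | missing_from "samba-common samba-common-bin samba-libs python3-samba"
```

On the sample, `samba-common` shows up both as residual configuration from 4.17.5 and as not installed alongside the 4.19.5 packages, which is the inconsistency Rowland points at.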