[Samba] Error when joining new DC
Rowland Penny
rpenny at samba.org
Thu Dec 12 13:53:04 UTC 2024
On Thu, 12 Dec 2024 13:11:55 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:
> So, without doing a fresh install on the system the join succeeded
> with 4.14.9. What does it mean?
> In the end I want to end up with a much later version which is still
> getting security fixes.
>
> I went through the readme of CVE-2020-25717 as mentioned but did not
> really understand how this impacts the join procedure. Up to now I
> was using DOMAIN\administrator or its Kerberos ticket for the join.
> But I also tried with another user from the Domain Admins group.
>
> Additionally, I set up a new domain with 4.11.17 (the version I'm on
> right now). I added a domain member, created a user account, added a
> few DNS records. Then I tried to add a new DC to this domain. No
> issues.
>
> This leads to the conclusion that there is something in my current
> domain databases which does not meet the new security constraints
> introduced with 4.14.10 (or 4.13.14, or 4.15.2).
>
> Questions: how do I find the culprit, and how do I fix it?
>
Good question, and I think you will have to wait for Douglas on that one;
he is in New Zealand, so it will be the very early hours of the morning
there.
So, just to try and get a handle on this, you can get 4.14.9 to join as
a DC, but 4.14.10 will not, nor will anything later.
Have you run:
samba-tool dbcheck
samba-tool domain tombstones expunge --tombstone-lifetime=0
The first will show if you have any errors; the second will remove all
tombstone records.
As always, you should take a backup before you do anything.
Rowland
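An added example (not part of this thread and not Samba's own tooling) that wraps the steps Rowland lists in the order he gives them: take an offline backup, run dbcheck, and only expunge tombstones if the database came back clean. It assumes samba-tool is on PATH (overridable via SAMBA_TOOL for testing) and that dbcheck ends with a summary line of the form "Checked N objects (M errors)"; both are assumptions, not something the thread states.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread. Assumes samba-tool is
# on PATH (override with SAMBA_TOOL) and that dbcheck prints a final
# summary line "Checked N objects (M errors)" (assumed format).
set -u
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Pull the error count out of dbcheck's summary line. Prints "unknown"
# when no summary line is present so silence is never read as success.
dbcheck_error_count() {
    local out="$1" n
    n=$(printf '%s\n' "$out" \
        | sed -n 's/^Checked [0-9]* objects (\([0-9]*\) errors).*/\1/p' \
        | tail -n 1)
    if [ -n "$n" ]; then printf '%s\n' "$n"; else printf 'unknown\n'; fi
}

# Run dbcheck; succeed only if it exits 0 AND reports exactly 0 errors.
run_dbcheck() {
    local out rc
    if out=$("$SAMBA_TOOL" dbcheck 2>&1); then rc=0; else rc=$?; fi
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] && [ "$(dbcheck_error_count "$out")" = "0" ]
}

# Backup first (as Rowland advises), then check, then expunge tombstones
# only on a clean database. Must run as root on the existing DC.
precheck_before_join() {
    local backup_dir="${1:-/var/backups/samba-$(date +%Y%m%d-%H%M%S)}"
    "$SAMBA_TOOL" domain backup offline --targetdir="$backup_dir" || return 1
    if ! run_dbcheck; then
        echo "dbcheck reported errors; resolve them before expunging" >&2
        return 2
    fi
    "$SAMBA_TOOL" domain tombstones expunge --tombstone-lifetime=0
}
```

Run `precheck_before_join /path/to/backupdir` on the existing DC before retrying the join; a non-zero return means the backup failed or dbcheck found errors and nothing was expunged.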