[Samba] Error when joining new DC

Peter Mittermayer samba.lists at outlook.com
Thu Dec 12 14:33:32 UTC 2024


BTW I did both dbcheck and remove tombstones ... Only things showing up are from trying to add the additional DC I think. And after fixing them the DB is clean.

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Thursday, December 12, 2024 3:53 PM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Error when joining new DC

On Thu, 12 Dec 2024 13:11:55 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:

> So, without doing a fresh install on the system the join succeeded
> with 4.14.9. What does it mean?
> In the end I want to end up with a much later version which is still
> getting security fixes.
>
> I went through the readme of CVE-2020-25717 as mentioned but did not
> really understand how this impacts the join procedure. Up to now I
> was using DOMAIN\administrator or its Kerberos ticket for the join.
> But I also tried with another user from the Domain Admins group.
>
> Additionally, I set up a new domain with 4.11.17 (the version I'm on
> right now). I added a domain member, created a user account, added a
> few DNS records. Then I tried to add a new DC to this domain. No
> issues.
>
> This leads to the conclusion that there is something in my current
> domain databases which does not meet the new security constraints
> introduced with 4.14.10 (or 4.13.14, or 4.15.2).
>
> Questions: how do I find the culprit, and how do I fix it?
>

Good question and I think you will have to wait for Douglas on that one
and he is in New Zealand, so it will be the very early hours of the
morning there.

So, just to try and get a handle on this, you can get 4.14.9 to join as
a DC, but 4.14.10 will not, nor will anything later.

Have you run:

samba-tool dbcheck

samba-tool domain tombstones expunge --tombstone-lifetime=0

The first will show if you have any errors, the second will remove all
tombstone records.

As always, you should take a backup before you do anything.

Rowland
