[Samba] Users appears as SID instead of their own name.

Josep Maria Gorro jmgorro at gmail.com
Sat Jun 15 10:52:10 UTC 2024


Hello Rowland.

I think I won't be able to thank you enough for everything you are doing 
for me.

I've tried it and it seems to run fine. But finally it throws an error and 
performs a rollback of all changes on AD.
This is the transcript of the messages.

    root@montsec:/usr/local/samba/etc# samba-tool domain join DOMAINNAME DC -U"administrator"
    INFO 2024-06-15 10:28:20,881 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/join.py #104:
    Finding a writeable DC for domain 'DOMAINNAME'
    INFO 2024-06-15 10:28:20,966 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/join.py #106:
    Found DC tibidabo.domainname.lan
    Password for [DOMAINNAME\administrator]:
    INFO 2024-06-15 10:28:33,460 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1605:
    workgroup is DOMAINNAME
    INFO 2024-06-15 10:28:33,460 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1608:
    realm is domainname.lan
    Adding CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
    Adding
    CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
    Adding CN=NTDS
    Settings,CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
    Adding SPNs to CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
    Setting account password for MONTSEC$
    Enabling account
    Calling bare provision
    INFO 2024-06-15 10:28:34,333 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2110: Looking up IPv4 addresses
    INFO 2024-06-15 10:28:34,333 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2127: Looking up IPv6 addresses
    WARNING 2024-06-15 10:28:34,334 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2134: No IPv6 address will be assigned
    INFO 2024-06-15 10:28:34,641 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2300: Setting up share.ldb
    INFO 2024-06-15 10:28:34,668 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2304: Setting up secrets.ldb
    INFO 2024-06-15 10:28:34,680 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2309: Setting up the registry
    INFO 2024-06-15 10:28:34,702 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2312: Setting up the privileges database
    INFO 2024-06-15 10:28:34,715 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2315: Setting up idmap db
    INFO 2024-06-15 10:28:34,725 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2322: Setting up SAM db
    INFO 2024-06-15 10:28:34,729 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #882: Setting up sam.ldb partitions and settings
    INFO 2024-06-15 10:28:34,730 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #894: Setting up sam.ldb rootDSE
    INFO 2024-06-15 10:28:34,732 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #1310: Pre-loading the Samba 4 and AD schema
    Unable to determine the DomainSID, can not enforce uniqueness
    constraint on local domainSIDs

    INFO 2024-06-15 10:28:34,767 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2412: A Kerberos configuration suitable for Samba AD has been
    generated at /usr/local/samba/private/krb5.conf
    INFO 2024-06-15 10:28:34,767 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
    #2414: Merge the contents of this file with your system krb5.conf or
    replace it with this one. Do not create a symlink!
    Provision OK for domain DN DC=domainname,DC=lan
    INFO 2024-06-15 10:28:34,769 pid:27560
    /usr/local/samba/lib/python3.10/site-packages/samba/join.py #964:
    Starting replication
    Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
    objects[402/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
    objects[804/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
    objects[1206/1550] linked_values[0/0]
    Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
    objects[1550/1550] linked_values[0/0]
    Analyze and apply schema objects
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[402/1648]
    linked_values[0/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[804/1648]
    linked_values[0/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[1206/1648]
    linked_values[0/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[1608/1648]
    linked_values[0/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[1648/1648]
    linked_values[64/64]
    Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
    Missing target object - retrying with DRS_GET_TGT
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[2050/1648]
    linked_values[64/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[2452/1648]
    linked_values[64/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[2854/1648]
    linked_values[64/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[3256/1648]
    linked_values[64/1]
    Partition[CN=Configuration,DC=domainname,DC=lan] objects[3296/1648]
    linked_values[128/64]
    Replicating critical objects from the base DN of the domain
    Partition[DC=domainname,DC=lan] objects[97/97] linked_values[29/29]
    Partition[DC=domainname,DC=lan] objects[402/484] linked_values[0/290]
    Partition[DC=domainname,DC=lan] objects[484/484] linked_values[338/338]
    Done with always replicated NC (base, config, schema)
    Replicating DC=DomainDnsZones,DC=domainname,DC=lan
    Join failed - cleaning up
    Deleted CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
    Deleted CN=NTDS
    Settings,CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
    Deleted
    CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
    ERROR(runtime): uncaught exception - (8442,
    'WERR_DS_DRA_INTERNAL_ERROR')
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/__init__.py",
    line 285, in _run
         return self.run(*args, **kwargs)
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/domain/join.py",
    line 128, in run
         join_DC(logger=logger, server=server, creds=creds, lp=lp,
    domain=domain,
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line
    1621, in join_DC
         ctx.do_join()
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line
    1511, in do_join
         ctx.join_replicate()
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line
    1055, in join_replicate
         repl.replicate(nc, source_dsa_invocation_id,
       File
    "/usr/local/samba/lib/python3.10/site-packages/samba/drs_utils.py",
    line 358, in replicate
         (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
    req_level, req)

The contents of the /usr/local/samba/etc/smb.conf file are as follows:

    # Global parameters
    [global]
             netbios name = MONTSEC
             realm = DOMAINNAME.LAN
             workgroup = DOMAINNAME
             dns forwarder = 80.58.61.250 80.58.61.250
             server role = active directory domain controller
             idmap_ldb:use rfc2307 = yes
    #       ldap server require strong auth = no

    [netlogon]
             path = /usr/local/samba/var/locks/sysvol/domainname.lan/scripts
             read only = No

    [sysvol]
             path = /usr/local/samba/var/locks/sysvol
             read only = No

I can see only one possible issue. The new server is running on UTC, while 
the current AD server runs on CEST. Because of this I changed the TZ properly 
and launched the samba-tool join again. Same result.

Also I can see some krb5 messages. For your info, the current AD server 
is using this krb5.conf file:

    [libdefaults]
             default_realm = DOMAINNAME.LAN
             dns_lookup_realm = false
             dns_lookup_kdc = true


And the new one, that has been created automatically, is this one:

    [libdefaults]
             default_realm = DOMAINNAME.LAN
             dns_lookup_realm = false
             dns_lookup_kdc = true

    [realms]
    DOMAINNAME.LAN = {
             default_domain = domainname.lan
    }

    [domain_realm]
             MONTSEC = DOMAINNAME.LAN



Regarding European support you're right. I'm waiting for a Sernet 
response. I sent them a mail requesting support.

Thanks a lot.



On 15/06/2024 at 11:53, Rowland Penny via samba wrote:
> On Sat, 15 Jun 2024 11:11:09 +0200
> Josep Maria Gorro via samba<samba at lists.samba.org>  wrote:
>
>> Hello Rowland
>>
>> Thanks for your response.
>>
>> I'm using Centos7 as AD server.
>> At this time I'm trying to compile another server with Ubuntu 22.04
>> and Samba 4.20.1.
> Can I suggest Debian bookworm with Samba from backports instead, this
> will get you a very recent version of Samba.
>
>> I'm thinking to merge it as an AD on current
>> domain. If this runs I'll try to move FSMO from old to new.
>> Finally I'll demote old one.
>> Hope this will run and solve the issue.
> Worth trying, but if it does fail, then we need any and all error
> messages to try and help you.
>
>> Regarding support, I checked samba.org page for companies in Spain.
>> As anyone gives me reply, I started to locate other companies
>> worldwide. At this time I sent a request to another one (waiting for
>> reply). It will be useful if you can give me some choices. Better to
>> be on a similar time zone to be available at same time.
>>
> All I can suggest is that you try some of the local countries, perhaps
> Sernet in Germany.
>
> Rowland
>

-- 
------------------------------------------------------------------------
Josep M. Gorro <mailto:jmgorro at gmail.com>
*Systems engineer*
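
Added example (not part of the original post, and not Samba's own code): a small triage script for a `samba-tool domain join` transcript like the one above. It reports the partition being replicated when the join aborted, the WERR codes seen, and any partition whose object counter passed its advertised total. The sample input is a constructed, shortened excerpt in the same shape as the transcript; the function and key names are hypothetical.

```python
import re

# Constructed sample: shortened, e-mail-wrapped excerpt shaped like the transcript above.
SAMPLE = """\
INFO 2024-06-15 10:28:34,769 pid:27560
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #964:
Starting replication
Partition[CN=Configuration,DC=domainname,DC=lan] objects[1648/1648]
linked_values[64/64]
Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=domainname,DC=lan] objects[2050/1648]
linked_values[64/1]
Replicating DC=DomainDnsZones,DC=domainname,DC=lan
Join failed - cleaning up
ERROR(runtime): uncaught exception - (8442,
'WERR_DS_DRA_INTERNAL_ERROR')
"""

# A distinguished name without spaces, e.g. DC=DomainDnsZones,DC=domainname,DC=lan
DN = r"\w+=[\w-]+(?:,\w+=[\w-]+)*"
PARTITION = r"Partition\[([^\]]+)\] objects\[(\d+)/(\d+)\]"


def triage(transcript):
    """Summarise a join transcript: failing partition, WERR codes, counter overruns."""
    # E-mail wrapping splits log records across lines, so match on flattened text.
    flat = " ".join(transcript.split())
    head, failed, _ = flat.partition("Join failed")
    # Naming contexts announced with "Replicating <DN>" before the join aborted.
    announced = re.findall(r"Replicating (%s)" % DN, head)
    # Distinct WERR_* codes in order of first appearance.
    werr = list(dict.fromkeys(re.findall(r"WERR_[A-Z_]+", flat)))
    # Partitions whose received-object counter passed the advertised total.
    overrun = {}
    for nc, got, total in re.findall(PARTITION, flat):
        if int(got) > int(total):
            overrun[nc] = max(overrun.get(nc, 0), int(got))
    return {
        "join_failed": bool(failed),
        "failed_while_replicating": announced[-1] if failed and announced else None,
        "werr_codes": werr,
        "counter_overrun": overrun,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
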
