[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED
Rowland Penny
rpenny at samba.org
Mon Jun 23 18:04:42 UTC 2025
On Mon, 23 Jun 2025 14:23:47 -0300
Nicolás Hermida <nhermida at init.ar> wrote:
> Thank you Rowland for always being there to help us.
>
> I have updated Samba from bookworm-backports:
> # apt-cache policy samba
> samba:
> Installed: 2:4.22.2+dfsg-1~bpo12+1
> Candidate: 2:4.22.2+dfsg-1~bpo12+1
> Version table:
> *** 2:4.22.2+dfsg-1~bpo12+1 100
> 100 http://deb.debian.org/debian bookworm-backports/main
> amd64 Packages 100 /var/lib/dpkg/status
> 2:4.17.12+dfsg-0+deb12u1 500
> 500 http://deb.debian.org/debian bookworm/main amd64 Packages
> 500 http://security.debian.org/debian-security
> bookworm-security/main amd64 Packages
>
>
> I do not understand how I can use this, because I have domain
> functional level 2008 R2, and not 2012 R2. Perhaps I am not
> understanding the documentation:
> https://wiki.samba.org/index.php/Samba_4.20_Features_added/changed#AD_DC_support_for_Authentication_Silos_and_Authentication_Policies
>
> You are trying to tell me to first raise the domain functional level
> and then retry the process with Samba taking into account the
> configurations shown in the link?
>
>
> After updating the Samba version, I have tried again to make the join,
> but it fails again:
> root@dc05:/etc/apt/sources.list.d# samba-tool domain join viamonte.lan
> DC -U"viamonte\sysadminUser" --dns-backend=SAMBA_INTERNAL
> INFO 2025-06-23 14:02:09,375 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable
> DC for domain 'viamonte.lan'
> INFO 2025-06-23 14:02:09,385 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #106: Found DC
> SERVER1.viamonte.lan
> Password for [VIAMONTE\sysadminUser]:
> INFO 2025-06-23 14:02:12,885 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is
> VIAMONTE
> INFO 2025-06-23 14:02:12,885 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #1608: realm is
> viamonte.lan
> Adding CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
> Adding
> CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
> Adding CN=NTDS
> Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
> Adding SPNs to CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
> Setting account password for DC05$ Enabling account Calling bare
> provision INFO 2025-06-23 14:02:14,114 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2112:
> Looking up IPv4 addresses
> INFO 2025-06-23 14:02:14,115 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2129:
> Looking up IPv6 addresses
> WARNING 2025-06-23 14:02:14,115 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2136: No
> IPv6 address will be assigned
> INFO 2025-06-23 14:02:14,478 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2306:
> Setting up secrets.ldb
> INFO 2025-06-23 14:02:14,694 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2311:
> Setting up the registry
> INFO 2025-06-23 14:02:14,844 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2314:
> Setting up the privileges database
> INFO 2025-06-23 14:02:15,245 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2317:
> Setting up idmap db
> INFO 2025-06-23 14:02:16,214 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2324:
> Setting up SAM db
> INFO 2025-06-23 14:02:16,290 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #887:
> Setting up sam.ldb partitions and settings
> INFO 2025-06-23 14:02:16,291 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #899:
> Setting up sam.ldb rootDSE
> INFO 2025-06-23 14:02:16,341 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #1312:
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> INFO 2025-06-23 14:02:16,495 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2425: A
> Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> INFO 2025-06-23 14:02:16,495 pid:74534
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2427:
> Merge the contents of this file with your system krb5.conf or replace
> it with this one. Do not create a symlink!
> Provision OK for domain DN DC=viamonte,DC=lan
> INFO 2025-06-23 14:02:16,543 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #964: Starting
> replication
> Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan]
> objects[402/1322] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan]
> objects[804/1322] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan]
> objects[1206/1322] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan]
> objects[1608/1322] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan]
> objects[1773/1322] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[402/2045]
> linked_values[0/67]
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[804/2045]
> linked_values[0/67]
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1206/2045]
> linked_values[0/67]
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1608/2045]
> linked_values[10/67]
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1904/2045]
> linked_values[67/67]
> dsdb_replicated_objects_convert: Ignoring object outside partition
> cf1247a6-cab9-4041-8541-76d924301fa5
> CN=Schema,CN=Configuration,DC=viamonte,DC=lan:
> WERR_DS_ADD_REPLICA_INHIBITED
> Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1904/2045]
> linked_values[67/67]
> Replicating critical objects from the base DN of the domain
> Partition[DC=viamonte,DC=lan] objects[119/198] linked_values[10/344]
> Partition[DC=viamonte,DC=lan] objects[243/3139] linked_values[0/344]
> Partition[DC=viamonte,DC=lan] objects[412/3139] linked_values[0/344]
> Partition[DC=viamonte,DC=lan] objects[617/3139] linked_values[192/344]
> Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
> Missing target object - retrying with DRS_GET_TGT
> Partition[DC=viamonte,DC=lan] objects[802/3139] linked_values[295/344]
> Partition[DC=viamonte,DC=lan] objects[985/3139] linked_values[493/344]
> Partition[DC=viamonte,DC=lan] objects[1142/3139]
> linked_values[544/344] dsdb_replicated_objects_convert: Ignoring
> object outside partition f8e9f320-a7a8-466e-9813-9291b4a0887a
> CN=Configuration,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 83dff523-3add-4db8-8418-d98304629e8a
> DC=DomainDnsZones,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 1325c57e-9ef3-45c8-b81b-1b8c8c8cd574
> DC=ForestDnsZones,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=viamonte,DC=lan
> Partition[DC=DomainDnsZones,DC=viamonte,DC=lan] objects[64/64]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=viamonte,DC=lan
> Partition[DC=ForestDnsZones,DC=viamonte,DC=lan] objects[25/25]
> linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=viamonte,DC=lan] objects[3]
> linked_values[0]
> INFO 2025-06-23 14:02:23,444 pid:74534
> /usr/lib/python3/dist-packages/samba/join.py #1084: Committing SAM
> database - this may take some time
> Repacking database from v1 to v2 format (first record
> CN=Person,CN=Schema,CN=Configuration,DC=viamonte,DC=lan)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=msCOM-Partition-Display,CN=413,CN=DisplaySpecifiers,CN=Configuration,DC=viamonte,DC=lan)
> Repacking database from v1 to v2 format (first record
> DC=NB-lan-169,DC=viamonte.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=viamonte,DC=lan)
> Repacking database from v1 to v2 format (first record
> DC=dc04.viamonte.lan.,DC=_msdcs.viamonte.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=viamonte,DC=lan)
> Repacking database from v1 to v2 format (first record
> CN=WS40,CN=Computers,DC=viamonte,DC=lan)
> An operation failed during a batch mode transaction, the transaction
> was rolled back
> Join failed - cleaning up
> Deleted CN=RID Set,CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
> Deleted CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
> Deleted CN=NTDS
> Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
> Deleted
> CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
> ERROR(ldb): uncaught exception - end_trans error on
> DC=viamonte,DC=lan: An operation failed during a batch mode
> transaction, the transaction was rolled back File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 356,
> in _run return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
> line 128, in run
> join_DC(logger=logger, server=server, creds=creds, lp=lp,
> domain=domain, File "/usr/lib/python3/dist-packages/samba/join.py",
> line 1621, in join_DC ctx.do_join()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1511, in
> do_join ctx.join_replicate()
> File "/usr/lib/python3/dist-packages/samba/join.py", line 1101, in
> join_replicate
> ctx.local_samdb.transaction_commit()
You have a 2008R2 DC, which is normally schema version 47, but there is also a 2016 DC, which is schema 87, so that has possibly updated the schema on the 2008R2. You then tried to join a Samba 4.17.12 machine; this normally uses schema 69, so this may be why you got the error. Samba 4.19.0 and up now allows schema 88, so this may join. If it doesn't, then this will need to be looked at.
The link I provided was just to show that Samba can now do functional level 2016, not that you must use that functional level.
I suggest that you check your Windows AD database. It appears that there is something in there that Samba does not like. Are there any site-created attributes or similar?
Rowland
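
Added example, not part of the original message and not Samba project code: a pre-join check that compares the domain's schema version (the objectVersion attribute on the schema partition head) with the ceiling the reply gives for the installed Samba release. The function names, the sample LDIF and the treatment of every release below 4.19.0 as schema 69 are assumptions of this example.

```python
import re

# Schema ceilings taken from the reply above: 4.17.12 "normally uses
# schema 69", and 4.19.0 and up "allows schema 88". Applying 69 to every
# release below 4.19.0 is an assumption of this example.
MAX_SCHEMA_BEFORE_4_19 = 69
MAX_SCHEMA_FROM_4_19 = 88


def upstream_version(deb_version):
    """'2:4.22.2+dfsg-1~bpo12+1' -> (4, 22, 2): drop epoch and Debian suffix."""
    no_epoch = deb_version.split(":", 1)[-1]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", no_epoch)
    if not m:
        raise ValueError(f"unrecognised Samba version: {deb_version!r}")
    return tuple(int(p) for p in m.groups())


def schema_version(ldif_text):
    """Return objectVersion from an LDIF dump of the schema partition head."""
    # LDIF folds long lines; a continuation line starts with a single space.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    m = re.search(r"^objectVersion:\s*(\d+)\s*$", unfolded, re.M | re.I)
    if not m:
        raise ValueError("no objectVersion attribute in LDIF")
    return int(m.group(1))


def check_join(deb_version, ldif_text):
    """Return (ok, message) for joining this Samba build to that schema."""
    samba = upstream_version(deb_version)
    ceiling = MAX_SCHEMA_FROM_4_19 if samba >= (4, 19, 0) else MAX_SCHEMA_BEFORE_4_19
    found = schema_version(ldif_text)
    ver = ".".join(map(str, samba))
    msg = f"Samba {ver} handles schema <= {ceiling}, domain is at {found}"
    return found <= ceiling, msg


# Constructed sample (not output from the poster's domain): a base-scope
# result for the schema partition, with the DN folded as LDIF wraps it.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=viamo
 nte,DC=lan
objectVersion: 87
"""

if __name__ == "__main__":
    for pkg in ("2:4.17.12+dfsg-0+deb12u1", "2:4.22.2+dfsg-1~bpo12+1"):
        print(pkg, *check_join(pkg, SAMPLE_LDIF))
```

The LDIF can come from a base-scope ldbsearch for objectVersion against an existing DC, with CN=Schema,CN=Configuration,DC=viamonte,DC=lan as the base DN.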