join as DC fails: LDAP error 10 LDAP_REFERRAL, or how to properly create application directory partition
Alexey Sheplyakov
asheplyakov at basealt.ru
Mon Jun 25 12:36:52 UTC 2018
Hi!
I've got a domain with 2 controllers: Windows 2008 R2 (hostname: DCW)
and samba 4.6.16 (hostname: dc0).
An attempt to join yet another samba server as a controller fails with
the following error:
Finding a writable DC for domain 'domain.alt'
Found DC DCW.domain.alt
workgroup is DOMAIN
realm is domain.alt
Adding CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Join failed - cleaning up
Deleted CN=DC1,OU=Domain Controllers,DC=domain,DC=alt
Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
Deleted CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
<0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
ref 1: 'a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt'
> <ldap://a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt>
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1175, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 643, in join_add_objects
    ctx.samdb.modify(m)
(a similar log with debug level 10 is attached)
The problem here is that the join script tries to create an application
directory partition [1].
However, the controller it talks with (DCW) has no `Domain naming master`
FSMO role:
$ samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
so the DCW (Windows 2008 R2) controller returns an error (a referral
pointing to the controller DC0).
Any ideas how to handle an error properly (so join `just works' without
specifying the server explicitly)?
Is it OK to 1) find out which DC is the domain naming master, 2) connect to
that DC and ask it to create a directory partition, 3) continue as
if nothing bad has happened?
[1] https://git.samba.org/?p=samba.git;a=blob;f=python/samba/join.py;h=30ecce77c55852ed5ff542ea05c3e5f0c535835c;hb=a261a2a4294a588b07297f3b75ef98cd14984b99#l668
Best regards,
Alexey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: join.log.gz
Type: application/gzip
Size: 8676 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180625/9f893a47/join.log.gz>
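
Added example (not part of the original message and not Samba code): a small diagnostic that reads `samba-tool fsmo show` output and a join log, and reports whether the DC the join picked is the owner of the domain naming master role. The function names and the sample strings are assumptions; the samples are constructed from the output quoted in the message.

```python
import re

# Constructed sample input shaped like the output quoted in the message; the
# long DNs are wrapped onto a second line the way the mail client wrapped them.
FSMO_SHOW = """\
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=alt
"""
JOIN_LOG = """\
Found DC DCW.domain.alt
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
<0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
ref 1: 'a93e4f02-8581-46bf-b3e8-8237c1172499._msdcs.domain.alt'
"""

def fsmo_owners(text):
    """Map role name -> owning server CN, tolerating wrapped DN lines."""
    records = []
    for line in text.splitlines():
        if re.match(r"\w+Role owner:", line) or not records:
            records.append(line.strip())
        else:  # continuation of a wrapped DN
            records[-1] += " " + line.strip()
    owners = {}
    for rec in records:
        m = re.match(r"(\w+Role) owner:\s*CN=NTDS\s+Settings,CN=([^,]+),", rec)
        if m:
            owners[m.group(1)] = m.group(2)
    return owners

def join_preflight(join_log, fsmo_text):
    """Compare the DC the join picked with the domain naming master."""
    found = re.search(r"^Found DC (\S+)", join_log, re.M)
    chosen = found.group(1).split(".")[0] if found else None
    master = fsmo_owners(fsmo_text).get("DomainNamingMasterRole")
    ref = re.search(r"LDAP_REFERRAL.*?ref \d+: '([^']+)'", join_log, re.S)
    return {
        "chosen_dc": chosen,
        "naming_master": master,
        "referral": ref.group(1) if ref else None,
        # True when partition creation would be sent to a non-owner DC
        "mismatch": bool(chosen and master and chosen.upper() != master.upper()),
    }

if __name__ == "__main__":
    print(join_preflight(JOIN_LOG, FSMO_SHOW))
```

A `mismatch` of True is the situation described in the message: the join talks to a DC that does not hold the domain naming master role, and the partition creation is answered with a referral.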