Hi,
My coworkers and I are trying to migrate a Samba 3 domain to a Samba 4 one.
So far we did a classicupgrade and imported all the LDAP entries to a
DC without problems, following the doc
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)
Now we are trying to join another DC following this guide
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#Preconditions
but when we try to join we fail with the attached error.
With --debug=4 I see that it stops there before failing the join.
> DRS replication uptodate modify message:
> dn: DC=mydomain,DC=net
> changetype: modify
> replace: replUpToDateVector
> replUpToDateVector:: [Data here too]
> -
> replace: repsFrom
> repsFrom:: [data here]
> -
>
>
> Replicated 402 objects (0 linked attributes) for DC=mydomain,DC=net
>
If I do the join while DC01 is empty of any LDAP records it has no problem.
I spent a couple of days with this problem searching and trying and I
really have no idea how to solve this problem.
Any kind of advice would be useful.
PS: if it can be useful, I'm using samba 4.3.3, but I tried with the
latest version from git and the problem is exactly the same.
Thank you in advance
--
Francesco Berni
Laboratori Guglielmo Marconi S.p.a.
web: http://www.labs.it - email: francesco.berni at labs.it
-------------- next part --------------
$ samba-tool domain join mydomain.net DC -Umorigi --realm=MYDOMAIN.NET
--dns-backend=BIND9_DLZ -d3 --server=dc01.mydomain.net
lpcfg_load: refreshing parameters from /usr/local/samba-4.3.3/etc/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
dc01.mydomain.net<0x20>
Password for [MY_DOMAIN\morigi]:
Server ldap/dc01.mydomain.net at MYDOMAIN.NET is not registered with our KDC:
Miscellaneous failure (see text): Server (ldap/dc01.mydomain.net at
MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
workgroup is MY_DOMAIN
realm is mydomain.net
checking sAMAccountName
Adding CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Adding
CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Adding CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Using binding ncacn_ip_tcp:dc01.mydomain.net[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
dc01.mydomain.net<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
dc01.mydomain.net<0x20>
Server ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET is not registered with our KDC:
Miscellaneous failure (see text): Server (ldap/DC01.MYDOMAIN.NET at
MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Adding SPNs to CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Setting account password for DC02$
Enabling account
Adding DNS account CN=dns-DC02,CN=Users,DC=mydomain,DC=net with dns/ SPN
Setting account password for dns-DC02
Calling bare provision
lpcfg_load: refreshing parameters from /usr/local/samba-4.3.3/etc/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave:
(null)
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba-4.3.3/private/krb5.conf
Provision OK for domain DN DC=mydomain,DC=net
Starting replication
Using binding ncacn_ip_tcp:dc01.mydomain.net[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
dc01.mydomain.net<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
dc01.mydomain.net<0x20>
Server ldap/DC01.MYDOMAIN.NET at MYDOMAIN.NET is not registered with our KDC:
Miscellaneous failure (see text): Server (ldap/DC01.MYDOMAIN.NET at
MYDOMAIN.NET) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[402/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[804/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1206/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=net] objects[1550/1550]
linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1691]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[804/1691]
linked_values[0/0]
1Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1691]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1608/1691]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=mydomain,DC=net
Partition[CN=Configuration,DC=mydomain,DC=net] objects[1691/1691]
linked_values[28/0]
Replicated 83 objects (28 linked attributes) for
CN=Configuration,DC=mydomain,DC=net
Replicating critical objects from the base DN of the domain
Partition[DC=mydomain,DC=net] objects[98/98] linked_values[1069/0]
Replicated 98 objects (1069 linked attributes) for DC=mydomain,DC=net
Partition[DC=mydomain,DC=net] objects[500/16885] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for DC=mydomain,DC=net
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC02,OU=Domain Controllers,DC=mydomain,DC=net
Deleted CN=dns-DC02,CN=Users,DC=mydomain,DC=net
Deleted CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Deleted
CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 651, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py",
line 1205, in join_DC
ctx.do_join()
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py",
line 1109, in do_join
ctx.join_replicate()
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/join.py",
line 838, in join_replicate
replica_flags=ctx.domain_replica_flags)
File
"/usr/local/samba-4.3.3/lib/python2.7/site-packages/samba/drs_utils.py",
line 253, in replicate
(level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)