Hi Denis,
Thanks for your advices.
I have in mind about your kerberos problem in a large environment but i was
thinking about problem occuring at 20 and more DCC's
So last night, i modified all my krb5.conf (DC and file server) as you suggest
but problem persist.
root at dc111:~# samba-tool domain join pr.educationetformation.fr DC -U
administrator --realm=PR.EDUCATIONETFORMATION.FR -W PR --dns-backend=BIND9_DLZ
--site=PetitQuevilly --server=smb4dc.pr.educationetformation.fr
Password for [PR\administrator]:
workgroup is PR
realm is pr.educationetformation.fr
checking sAMAccountName
Adding CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
Adding
CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
Adding CN=NTDS
Settings,CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
Adding SPNs to CN=DC111,OU=Domain
Controllers,DC=pr,DC=educationetformation,DC=fr
Setting account password for DC111$
Join failed - cleaning up
checking sAMAccountName
ERROR(runtime): uncaught exception - samr_LookupNames for [DC111$] failed:
NT_STATUS_NONE_MAPPED
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
621, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1170, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1073, in
do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 602, in
join_add_objects
newpassword=ctx.acct_pass)
Today, I will try to join domain as member server instead of DC.
The new Douglas KCC is not working as expected in my environment.
I follow all instruction (smb.conf modification, restart samba) etc...
Step by step i deleted ntds connection and created by hand a star topology:
Smb4dc is my bridge head, there is a manual ntds connection replicating to all
other DC
Each of my DC has a unique manual ntds connection replicating to smb4dc
The new Douglas KCC seems pretty good because there is no more automatic self
generated connection in active directory "sites and services" but
samba-tool drs showrepl is always showing a full mesh replication.
RepsFrom and RepsTo in each of ldap partition have not being updated/deleted
even if i manually launch samba_kcc by hand.
Cheers
Jordi
-----Message d'origine-----
De : Denis Cardon [mailto:denis.cardon at tranquil-it-systems.fr]
Envoyé : jeudi 10 mars 2016 09:39
À : MORILLO Jordi <J.Morillo at educationetformation.fr>; samba at
lists.samba.org
Objet : Re: [Samba] Can't add new DC
Hi Jordi,
> I'm trying to add new DC to my existent domain (18 Samba4 DC) but this
time, domain join stuck after setting account password.
> I have tried so many things but at this point, i really don't know what
to do.
>
> I can see the new dc111 computer object on smb4dc serveur but the object is
disable.
> If someone have an idea...
Could you try to see if it gets better if you don't use auto-discovery in
/etc/krb5.conf. That is to say, you point krb5.conf kdc to itself and the kdc on
the main site.
this is one issue I had once on a project in Africa with about 24 sites, and
after setting up 12-13 DCs, I started to have timeout on join.
Indeed during the join, it looks like the process tries to contact all the kdc
referenced in the /etc/krb5.conf file (which is all DCs if you use
auto-discovery), even if you have already configured "sites and
services" properly.
In that case, the VPN had a star topology, with no icmp-unreachable reply (ie.
DROP rules) when a branch tries to contact another branch, added 500ms latency
through sat link.
Changing the /etc/krb5.conf file did the trick. Something like this should to
it:
[libdefaults]
default_realm = TRANQUILIT.LAN
dns_lookup_realm=false
[realms]
TRANQUILIT.LAN = {
kdc = 10.100.0.11 # itself
kdc = 10.0.0.11 # hub site kdc
}
[domain_realms]
.tranquilit.lan = TRANQUILIT.LAN
tranquilit.lan = TRANQUILIT.LAN
Once the DC is up and running, it should take into account the "site and
services" topology definition and only try to contact the hub site DCs (if
that is what is configured).
By the way, are you using the Douglas new KCC? It is a must when you have a
larger topology!
Cheers,
Denis
>
> Best regards
>
>
> root at dc111:~# samba-tool domain join pr.educationetformation.fr DC -U
> administrator --realm=PR.EDUCATIONETFORMATION.FR -W PR
> --dns-backend=BIND9_DLZ --site=PetitQuevilly
> --server=smb4dc.pr.educationetformation.fr
> Password for [PR\administrator]:
> workgroup is PR
> realm is pr.educationetformation.fr
> checking sAMAccountName
> Adding CN=DC111,OU=Domain
> Controllers,DC=pr,DC=educationetformation,DC=fr
> Adding
> CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,D
> C=educationetformation,DC=fr Adding CN=NTDS
> Settings,CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuratio
> n,DC=pr,DC=educationetformation,DC=fr
> Adding SPNs to CN=DC111,OU=Domain
> Controllers,DC=pr,DC=educationetformation,DC=fr
> Setting account password for DC111$
>
>
> ________________________________
> This email was scanned by Bitdefender
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
________________________
This email was scanned by Bitdefender