On 12/30/2017 05:22 PM, Paul R. Ganci via samba wrote:
> 1.) net ads leave -U administrator
> 2.) Remove the machine entry on the 1st DC (used ldbedit)
> 3.) mv /var/lib/samba /var/lib/samba-client
> 4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
> 5.) samba-tool domain join 2nd DC
I tried this procedure and it just doesn't want to work. I have this error:
>samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator" --dns-backend=SAMBA_INTERNAL
Password for [MYDC\administrator]:
workgroup is MYDC
realm is mydc.mydom.com
Deleted CN=DC2,CN=Computers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
ERROR(ldb): uncaught exception - Failed to setup krb5_context: Invalid argument
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1376, in do_join
    ctx.join_provision()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 840, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2199, in provision
    secrets_ldb.transaction_commit()
The Kerberos setup is per the wiki and seems to be correct:
> kinit administrator
Password for administrator at MYDC.MYDOM.COM:
> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDC.MYDOM.COM
Valid starting       Expires              Service principal
12/30/2017 19:43:53  12/31/2017 05:43:53  krbtgt/MYDC>MYDOM.COM at MYDC.MYDOM.COM
I don't have a clue as to why this join would have failed. I put back
the member server setup and have no problems joining the domain. Any
clues as to what else I have to remove in order to turn this member
server into a DC? Should I just delete everything including the Sernet
samba distro and re-install from scratch?
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208