thr3ads.net - samba - [Samba] SAMBA failed join domain DC [Feb 2018]

If this information is useful, please help other people find it:
Share via:

denis.shigapov

2018-Feb-20 03:47 UTC

[Samba] SAMBA failed join domain DC

samba-tool domain join example.ru DC --server=srv-dc01.example.ru
--username=vas.lah --password=password --realm=EXAMPLE.RU --site=SITE2
-d 1 > /tmp/log.txt 2>&1

--------- config ---------
workgroup is EXAMPLE
realm is example.ru
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
The Kerberos KDC configuration for Samba AD is located at
/var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace
it with this one. Do not create a symlink!
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[402/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[804/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[1206/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[1608/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[2010/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[2412/2684] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
objects[2654/2684] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=ru] objects[402/7264]
linked_values[0/1969]
Partition[CN=Configuration,DC=example,DC=ru] objects[804/7264]
linked_values[0/1969]
......
Partition[CN=Configuration,DC=example,DC=ru] objects[5903/7264]
linked_values[98/1969]
Partition[CN=Configuration,DC=example,DC=ru] objects[6223/7264]
linked_values[326/1969]
Partition[CN=Configuration,DC=example,DC=ru] objects[6387/7264]
linked_values[427/1969]
Partition[DC=example,DC=ru] objects[165/1306] linked_values[89/25513]
Partition[DC=example,DC=ru] objects[235/1306] linked_values[0/25513]
Partition[DC=example,DC=ru] objects[494/42568] linked_values[28/25513]
Partition[DC=example,DC=ru] objects[744/42568] linked_values[0/25513]
Partition[DC=example,DC=ru] objects[986/42568] linked_values[498/25513]
Partition[DC=example,DC=ru] objects[1182/42568]
linked_values[303/25513]
......
Partition[DC=example,DC=ru] objects[42791/42568] linked_values[1/25513]
Partition[DC=example,DC=ru] objects[42887/42568] linked_values[3/25513]
Partition[DC=example,DC=ru] objects[42984/42568] linked_values[0/25513]
Partition[DC=example,DC=ru] objects[43020/42568] linked_values[0/25513]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[402/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[775/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[1144/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[1519/16777]
linked_values[0/0]
......
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21170/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21564/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21873/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[22275/16777]
linked_values[0/0]
Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[22297/16777]
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[402/2041]
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[775/2041]
linked_values[0/0]
.......
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[2522/2041]
linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=example,DC=ru] objects[3]
linked_values[0]
Adding 1 remote DNS records for SRV-SITE2-DC1.example.ru
Adding DNS A record SRV-SITE2-DC1.example.ru for IPv4 IP: 10.2.1.15
Could not find machine account in secrets database: Failed to fetch
machine account password for EXAMPLE from both secrets.ldb (Could not
find entry to match filter:
'(&(flatname=EXAMPLE)(objectclass=primaryDomain))' base:
'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4636) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (9003,
'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs,
dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474,
in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1384,
in do_join
    ctx.join_add_dns_records()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1116,
in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 939,
in dns_lookup
    dns_partition=dns_partition)
Adding CN=SRV-SITE2-DC1,OU=Domain Controllers,DC=example,DC=ru
Adding CN=SRV-SITE2-
DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
Adding CN=NTDS Settings,CN=SRV-SITE2-
DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
Adding SPNs to CN=SRV-SITE2-DC1,OU=Domain Controllers,DC=example,DC=ru
Setting account password for SRV-SITE2-DC1$
Enabling account
Calling bare provision
Provision OK for domain DN DC=example,DC=ru
Starting replication
Replicating critical objects from the base DN of the domain
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=example,DC=ru
Replicating DC=ForestDnsZones,DC=example,DC=ru
Committing SAM database
Join failed - cleaning up
Deleted CN=RID Set,CN=SRV-SITE2-DC1,OU=Domain
Controllers,DC=example,DC=ru
Deleted CN=SRV-SITE2-DC1,OU=Domain Controllers,DC=example,DC=ru
Deleted CN=NTDS Settings,CN=SRV-SITE2-
DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
Deleted CN=SRV-SITE2-
DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru

В Пн, 19/02/2018 в 12:51 +0000, Rowland Penny via samba
пишет:> On Mon, 19 Feb 2018 17:40:25 +0500
> "denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:
> 
> > the first letter sent a journal
> > 
> > как можно 
> > ========== log messages join DC===========> > ....more than a
thousand lines of messages
> 
> OK, run the command again without the '-d7' and post that output, I
> am trying to see how far the join gets before failing.
> 
> Rowland
>  
>

denis.shigapov

2018-Feb-20 09:10 UTC

head link

[Samba] SAMBA failed join domain DC

Is there any idea why Samba does not join the domain in the DC role?


By the way, to compile samba us need packages

bind-utils  libblkid-devel  libsemanage-python  libxml2-devel  perl-
Test-Base  policycoreutils-python  gcc  gdb  openldap-devel  python-
devel  readline-devel  audit-lib    s-
python  checkpolicy  libcgroup  libselinux-python  libselinux-
utils  mailcap  perl-Algorithm-Diff  perl-Archive-Extract  perl-
Archive-Zip  perl-Business-ISBN  perl-Bus    iness-ISBN-Data  perl-
CPAN  perl-CPAN-Meta  perl-CPAN-Meta-Requirements  perl-CPAN-Meta-
YAML  perl-CPANPLUS  perl-Compress-Raw-Bzip2  perl-Compress-Raw-
Zlib  perl-DBD-SQ    Lite  perl-DBI  perl-DBIx-Simple  perl-
Digest  perl-Digest-MD5  perl-Digest-SHA  perl-Digest-SHA1  perl-
Encode-Locale  perl-ExtUtils-CBuilder  perl-File-Fetch  perl-File    -
Listing  perl-File-Remove  perl-HTML-Parser  perl-HTML-Tagset  perl-
HTTP-Cookies  perl-HTTP-Daemon  perl-HTTP-Date  perl-HTTP-
Message  perl-HTTP-Negotiate  perl-IO-Comp    ress  perl-IO-HTML  perl-
IO-Socket-IP  perl-IO-Socket-SSL  perl-IPC-Cmd  perl-JSON-PP  perl-LWP-
MediaTypes  perl-Locale-Maketext  perl-Locale-Maketext-Simple  perl-
Log-M    essage  perl-Log-Message-Simple  perl-Module-Build  perl-
Module-CoreList  perl-Module-Install  perl-Module-Load  perl-Module-
Load-Conditional  perl-Module-Loaded  perl-M    odule-Metadata  perl-
Module-Pluggable  perl-Module-ScanDeps  perl-Module-Signature  perl-
Net-Daemon  perl-Net-HTTP  perl-Net-LibIDN  perl-Net-SSLeay  perl-
Object-Accesso    r  perl-PAR-Dist  perl-Package-Constants  perl-
Params-Check  perl-Parse-CPAN-Meta  perl-Perl-OSType  perl-PlRPC  perl-
Spiffy  perl-Term-UI  perl-Test-Deep  perl-Text-Dif    f  perl-
TimeDate  perl-URI  perl-WWW-RobotRules  perl-YAML  perl-YAML-
Tiny  perl-libwww-perl  perl-local-lib  perl-
version  policycoreutils  python-IPy  setools-libs  xz    -
devel  audit-
libs  cpp  libblkid  libgcc  libgomp  libmount  libselinux  libselinux-
devel  libsemanage  libuuid  libuuid-devel  openldap  python  python-
libs  readline      util-linux  

and what of them is necessary only for work?
What can I delete after compilation?

В Вт, 20/02/2018 в 08:47 +0500, denis.shigapov via samba
пишет:> samba-tool domain join example.ru DC --server=srv-dc01.example.ru
> --username=vas.lah --password=password --realm=EXAMPLE.RU --
> site=SITE2
> -d 1 > /tmp/log.txt 2>&1
> 
> --------- config ---------
> workgroup is EXAMPLE
> realm is example.ru
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> The Kerberos KDC configuration for Samba AD is located at
> /var/lib/samba/private/kdc.conf
> A Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace
> it with this one. Do not create a symlink!
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[402/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[804/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[1206/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[1608/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[2010/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[2412/2684] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=ru]
> objects[2654/2684] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=example,DC=ru] objects[402/7264]
> linked_values[0/1969]
> Partition[CN=Configuration,DC=example,DC=ru] objects[804/7264]
> linked_values[0/1969]
> ......
> Partition[CN=Configuration,DC=example,DC=ru] objects[5903/7264]
> linked_values[98/1969]
> Partition[CN=Configuration,DC=example,DC=ru] objects[6223/7264]
> linked_values[326/1969]
> Partition[CN=Configuration,DC=example,DC=ru] objects[6387/7264]
> linked_values[427/1969]
> Partition[DC=example,DC=ru] objects[165/1306] linked_values[89/25513]
> Partition[DC=example,DC=ru] objects[235/1306] linked_values[0/25513]
> Partition[DC=example,DC=ru] objects[494/42568]
> linked_values[28/25513]
> Partition[DC=example,DC=ru] objects[744/42568] linked_values[0/25513]
> Partition[DC=example,DC=ru] objects[986/42568]
> linked_values[498/25513]
> Partition[DC=example,DC=ru] objects[1182/42568]
> linked_values[303/25513]
> ......
> Partition[DC=example,DC=ru] objects[42791/42568]
> linked_values[1/25513]
> Partition[DC=example,DC=ru] objects[42887/42568]
> linked_values[3/25513]
> Partition[DC=example,DC=ru] objects[42984/42568]
> linked_values[0/25513]
> Partition[DC=example,DC=ru] objects[43020/42568]
> linked_values[0/25513]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[402/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[775/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[1144/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[1519/16777]
> linked_values[0/0]
> ......
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21170/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21564/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[21873/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[22275/16777]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=example,DC=ru] objects[22297/16777]
> linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[402/2041]
> linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[775/2041]
> linked_values[0/0]
> .......
> linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=example,DC=ru] objects[2522/2041]
> linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=example,DC=ru] objects[3]
> linked_values[0]
> Adding 1 remote DNS records for SRV-SITE2-DC1.example.ru
> Adding DNS A record SRV-SITE2-DC1.example.ru for IPv4 IP: 10.2.1.15
> Could not find machine account in secrets database: Failed to fetch
> machine account password for EXAMPLE from both secrets.ldb (Could not
> find entry to match filter:
> '(&(flatname=EXAMPLE)(objectclass=primaryDomain))' base:
'cn=Primary
> Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4636) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(runtime): uncaught exception - (9003,
> 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
>   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line
1474,
> in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line
1384,
> in do_join
>     ctx.join_add_dns_records()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line
1116,
> in join_add_dns_records
>     dns_partition=domaindns_zone_dn)
>   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line
939,
> in dns_lookup
>     dns_partition=dns_partition)
> Adding CN=SRV-SITE2-DC1,OU=Domain Controllers,DC=example,DC=ru
> Adding CN=SRV-SITE2-
> DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
> Adding CN=NTDS Settings,CN=SRV-SITE2-
> DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
> Adding SPNs to CN=SRV-SITE2-DC1,OU=Domain
> Controllers,DC=example,DC=ru
> Setting account password for SRV-SITE2-DC1$
> Enabling account
> Calling bare provision
> Provision OK for domain DN DC=example,DC=ru
> Starting replication
> Replicating critical objects from the base DN of the domain
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=example,DC=ru
> Replicating DC=ForestDnsZones,DC=example,DC=ru
> Committing SAM database
> Join failed - cleaning up
> Deleted CN=RID Set,CN=SRV-SITE2-DC1,OU=Domain
> Controllers,DC=example,DC=ru
> Deleted CN=SRV-SITE2-DC1,OU=Domain Controllers,DC=example,DC=ru
> Deleted CN=NTDS Settings,CN=SRV-SITE2-
> DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
> Deleted CN=SRV-SITE2-
> DC1,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
> 
> В Пн, 19/02/2018 в 12:51 +0000, Rowland Penny via samba пишет:
> > On Mon, 19 Feb 2018 17:40:25 +0500
> > "denis.shigapov" <denis.shigapov at stroylandiya.ru>
wrote:
> > 
> > > the first letter sent a journal
> > > 
> > > как можно 
> > > ========== log messages join DC===========> > > ....more
than a thousand lines of messages
> > 
> > OK, run the command again without the '-d7' and post that
output, I
> > am trying to see how far the join gets before failing.
> > 
> > Rowland
> >  
> > 
> 
>

Rowland Penny

2018-Feb-20 11:47 UTC

head link

[Samba] SAMBA failed join domain DC

On Tue, 20 Feb 2018 14:10:16 +0500
"denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:

It seems that the problem starts here:

Could not find machine account in secrets database

Yet near the top there is: Setting up secrets.ldb

It seems that either 'secrets.ldb' doesn't contain the required info
or
'vas.lah' doesn't have the required permissions to read it.

You also shouldn't need to set the DC to join to, Samba can find a DC
to use.

Is it possible you could try the join command like this:

samba-tool domain join EXAMPLE DC -UAdministrator --password=password
--realm=EXAMPLE.RU --site=SITE2

Rowland

Apparently Analagous Threads

Search for more maybe matching threads

samba - Feb 2018 - SAMBA failed join domain DC

[Samba] SAMBA failed join domain DC

[Samba] SAMBA failed join domain DC

[Samba] SAMBA failed join domain DC

Apparently Analagous Threads