samba - Apr 2018 - Unable to join Windows 2008 R2 server DC to Samba DC

I’m unable to successfully join a Windows 2008 R2 server DC to my Samba4 domain.

I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a Samba
domain. After I reboot the domain controller, I receive a blue screen in regards
to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.

Prior to the reboot, I see the following three events on the Windows DC:
----- 
Attempt to update DNS Host Name of the computer object in Active Directory
failed. The updated value was 'DC8.us.dignitastech.com'. The following
error occurred:
Access is denied.
----- 
Attempt to update HOST Service Principal Names (SPNs) of the computer object in
Active Directory failed. The updated values were
'RestrictedKrbHost/DC8.us.dignitastech.com' and
'RestrictedKrbHost/DC8'. The following error occurred:
Access is denied.
----- 
Internal error: An Active Directory Domain Services error has occurred.

Additional Data
Error value (decimal):
8374
Error value (hex):
20b6
Internal ID:
30d07c5
—— 

On the samba server, the only error that I can pick out in the log.samba (at
debug 4) is the following DNS update failure:

  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 110

Any assistance is greatly appreciated as we have an (unfortunate) impending
organizational requirement to use Windows domain controllers.

Thanks,
Justin

I hate to bump this, but we could really use some ideas here. Andrew, you had
indicated that our Windows 2008 R2 DC join issues may be related to duplicate
SPNs (with different case). Does this look like the same problem? Next
troubleshooting steps?

Justin
> On Apr 3, 2018, at 11:05 PM, Justin Foreman <jforeman at
dignitastechnologies.com> wrote:
> 
> I’m unable to successfully join a Windows 2008 R2 server DC to my Samba4
domain.
> 
> I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a
Samba domain. After I reboot the domain controller, I receive a blue screen in
regards to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.
> 
> Prior to the reboot, I see the following three events on the Windows DC:
> ----- 
> Attempt to update DNS Host Name of the computer object in Active Directory
failed. The updated value was 'DC8.us.dignitastech.com'. The following
error occurred:
> Access is denied.
> ----- 
> Attempt to update HOST Service Principal Names (SPNs) of the computer
object in Active Directory failed. The updated values were
'RestrictedKrbHost/DC8.us.dignitastech.com' and
'RestrictedKrbHost/DC8'. The following error occurred:
> Access is denied.
> ----- 
> Internal error: An Active Directory Domain Services error has occurred.
> 
> Additional Data
> Error value (decimal):
> 8374
> Error value (hex):
> 20b6
> Internal ID:
> 30d07c5
> —— 
> 
> On the samba server, the only error that I can pick out in the log.samba
(at debug 4) is the following DNS update failure:
> 
>  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code
110
> 
> Any assistance is greatly appreciated as we have an (unfortunate) impending
organizational requirement to use Windows domain controllers.
> 
> Thanks,
> Justin

I have identified and fixed the problem!

The wellKnownObject for the default computer container was missing! I’m
wondering if this was a bug from an old version of Samba, as we provisioned the
domain with Samba 4.0.3.

I used ldbedit to manually modify the directory and add CN=Computers as the
wellKnownObject default computer container. Windows 2008 R2 now joins
successfully.

Thanks,
Justin
> On Apr 3, 2018, at 11:05 PM, Justin Foreman <jforeman at
dignitastechnologies.com> wrote:
> 
> I’m unable to successfully join a Windows 2008 R2 server DC to my Samba4
domain.
> 
> I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a
Samba domain. After I reboot the domain controller, I receive a blue screen in
regards to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.
> 
> Prior to the reboot, I see the following three events on the Windows DC:
> ----- 
> Attempt to update DNS Host Name of the computer object in Active Directory
failed. The updated value was 'DC8.us.dignitastech.com'. The following
error occurred:
> Access is denied.
> ----- 
> Attempt to update HOST Service Principal Names (SPNs) of the computer
object in Active Directory failed. The updated values were
'RestrictedKrbHost/DC8.us.dignitastech.com' and
'RestrictedKrbHost/DC8'. The following error occurred:
> Access is denied.
> ----- 
> Internal error: An Active Directory Domain Services error has occurred.
> 
> Additional Data
> Error value (decimal):
> 8374
> Error value (hex):
> 20b6
> Internal ID:
> 30d07c5
> —— 
> 
> On the samba server, the only error that I can pick out in the log.samba
(at debug 4) is the following DNS update failure:
> 
>  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code
110
> 
> Any assistance is greatly appreciated as we have an (unfortunate) impending
organizational requirement to use Windows domain controllers.
> 
> Thanks,
> Justin

Hi,

It definitely appears to be the case that 4.0 should have been
provisioned with the correct link. It could have been some other bug
which meant it was lost somehow that we've probably fixed, or it was
accidentally deleted (or redirected in some way). I'm glad you were able
to identify the problem, Windows generally doesn't make it easy to debug
faults which occur during the join like this.


It seems to me that there needs to be a check in samba-tool dbcheck for
this perhaps (and maybe some of the other well known objects, if they're
that important). I don't suppose you have any interest in trying to do
that? Otherwise, file a bug for now.


Cheers,

Garming

On 26/04/18 03:43, Justin Foreman via samba wrote:
> I have identified and fixed the problem!
>
> The wellKnownObject for the default computer container was missing! I’m
wondering if this was a bug from an old version of Samba, as we provisioned the
domain with Samba 4.0.3.
>
> I used ldbedit to manually modify the directory and add CN=Computers as the
wellKnownObject default computer container. Windows 2008 R2 now joins
successfully.
>
> Thanks,
> Justin
>
>> On Apr 3, 2018, at 11:05 PM, Justin Foreman <jforeman at
dignitastechnologies.com> wrote:
>>
>> I’m unable to successfully join a Windows 2008 R2 server DC to my
Samba4 domain.
>>
>> I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a
Samba domain. After I reboot the domain controller, I receive a blue screen in
regards to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.
>>
>> Prior to the reboot, I see the following three events on the Windows
DC:
>> ----- 
>> Attempt to update DNS Host Name of the computer object in Active
Directory failed. The updated value was 'DC8.us.dignitastech.com'. The
following error occurred:
>> Access is denied.
>> ----- 
>> Attempt to update HOST Service Principal Names (SPNs) of the computer
object in Active Directory failed. The updated values were
'RestrictedKrbHost/DC8.us.dignitastech.com' and
'RestrictedKrbHost/DC8'. The following error occurred:
>> Access is denied.
>> ----- 
>> Internal error: An Active Directory Domain Services error has occurred.
>>
>> Additional Data
>> Error value (decimal):
>> 8374
>> Error value (hex):
>> 20b6
>> Internal ID:
>> 30d07c5
>> —— 
>>
>> On the samba server, the only error that I can pick out in the
log.samba (at debug 4) is the following DNS update failure:
>>
>>  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error
code 110
>>
>> Any assistance is greatly appreciated as we have an (unfortunate)
impending organizational requirement to use Windows domain controllers.
>>
>> Thanks,
>> Justin
>