me at tdiehl.org
2018-Jun-21 16:02 UTC
[Samba] Problem joining a samba Dc to a windows domain
Hi,

I am trying to join a self compiled samba 4.8.2 DC to an existing Windows domain using
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
as instructions.

The smb.conf looks like the following:

[global]
        netbios name = PHT-VDC1
        realm = EXAMPLE.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

The above was generated by the following samba-tool command line:
samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ

When I run samba-tool I get the following output:
(pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'example.com'
Found DC PHT1.example.com
Password for [EXAMPLE\admin]:
workgroup is EXAMPLE
realm is example.com
Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Setting account password for PHT-VDC1$
Enabling account
Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
Setting account password for dns-PHT-VDC1
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
...
Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
Deleted CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1383, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 942, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 322, in replicate
    if self._should_retry_with_get_tgt(e[0], req):
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 213, in _should_retry_with_get_tgt
    (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and

As can be seen from above there is an error that says "Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs" and then of course the join fails.

In case anyone is wondering yes, the domain is really in the form of example.com. This domain was created over 10 years ago and upgraded several times using MS based DC's. We are trying to move away from MS DC's but would like to be spared the pain of creating a whole new domain.

Anyone have any idea how to fix this?

Regards,

-- 
Tom me at tdiehl.org
me at tdiehl.org
2018-Jun-21 17:23 UTC
[Samba] Problem joining a samba Dc to a windows domain
Hi,

Sorry to reply to my own post but I have additional info.

I removed samba 4.8.2 and compiled samba 4.7.7 and the join succeeded without error using the exact same configuration.

I am hesitant to upgrade to 4.8.2 for fear of breaking something and having to forcibly remove the samba DC from the domain but I suppose now is the time to do it since it is not really in production yet.

Suggestions?

Regards,

-- 
Tom me at tdiehl.org

On Thu, 21 Jun 2018, Tom Diehl via samba wrote:

> Hi,
>
> I am trying to join a self compiled samba 4.8.2 DC to an existing Windows
> domain
> using
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> as instructions.
>
> The smb.conf looks like the following:
>
> [global]
> netbios name = PHT-VDC1
> realm = EXAMPLE.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = EXAMPLE
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> The above was generated by the following samba-tool command line:
> samba-tool domain join example.com DC -U"example\admin"
> --dns-backend=BIND9_DLZ
>
> When I run samba-tool I get the following output:
> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin"
> --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'example.com'
> Found DC PHT1.example.com
> Password for [EXAMPLE\admin]:
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Adding
> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS
> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Setting account password for PHT-VDC1$
> Enabling account
> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> Setting account password for dns-PHT-VDC1
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on
> local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated at
> /usr/local/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with
> this one. Do not create a symlink!
> Provision OK for domain DN DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383]
> linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722]
> linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
> linked_values[0/355]
> ...
> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
> linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722]
> linked_values[12/355]
> Replicating critical objects from the base DN of the domain
> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
> Failed to commit objects: DOS code 0x000021bf
> Join failed - cleaning up
> Deleted CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Deleted CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com
> Deleted CN=NTDS
> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Deleted
> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
> 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 706, in run
> plaintext_secrets=plaintext_secrets)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1482, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1383, in do_join
> ctx.join_replicate()
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 942, in join_replicate
> replica_flags=ctx.domain_replica_flags)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
> line 322, in replicate
> if self._should_retry_with_get_tgt(e[0], req):
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
> line 213, in _should_retry_with_get_tgt
> (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0 and
>
> As can be seen from above there is an error that says "Unable to determine
> the DomainSID, can not enforce uniqueness constraint on local domainSIDs"
> and then of course the join fails.
>
> In case anyone is wondering yes, the domain is really in the form of
> example.com. This domain was created over 10 years ago and upgraded several
> times using MS based DC's. We are trying to move away from MS DC's but would
> like to be spared the pain of creating a whole new domain.
>
> Anyone have any idea how to fix this?
Rowland Penny
2018-Jun-21 17:46 UTC
[Samba] Problem joining a samba Dc to a windows domain
On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
Tom Diehl via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am trying to join a self compiled samba 4.8.2 DC to an existing
> Windows domain using
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> as instructions.
>
> The smb.conf looks like the following:
>
> [global]
> netbios name = PHT-VDC1
> realm = EXAMPLE.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> The above was generated by the following samba-tool command line:
> samba-tool domain join example.com DC -U"example\admin"
> --dns-backend=BIND9_DLZ
>
> When I run samba-tool I get the following output:
> (pht-vdc1 pts10) # samba-tool domain join example.com DC
> -U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC for
> domain 'example.com' Found DC PHT1.example.com
> Password for [EXAMPLE\admin]:
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Adding
> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS
> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> Setting account password for PHT-VDC1$ Enabling account Adding DNS
> account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> Setting account password for dns-PHT-VDC1 Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated
> at /usr/local/samba/private/krb5.conf Merge the contents of this file
> with your system krb5.conf or replace it with this one. Do not create
> a symlink! Provision OK for domain DN DC=example,DC=com Starting
> replication Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[402/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[804/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[1206/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[1608/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[2010/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[2412/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[2814/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[3216/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[3618/4383] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
> objects[3735/4383] linked_values[0/0] Analyze and apply schema
> objects Partition[CN=Configuration,DC=example,DC=com]
> objects[402/7722] linked_values[0/355]
> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
> linked_values[0/355] ...
> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
> linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
> objects[6510/7722] linked_values[12/355] Replicating critical objects
> from the base DN of the domain Partition[DC=example,DC=com]
> objects[105/156] linked_values[42/388] Partition[DC=example,DC=com]
> objects[296/7902] linked_values[1/388] Partition[DC=example,DC=com]
> objects[466/7902] linked_values[72/388] Failed to commit objects: DOS
> code 0x000021bf Join failed - cleaning up

This is where it seems to fail and 0x000021bf is this:

The replication operation failed because the target object referenced
by a link value is recycled.

So it might be an idea to check the DC you are trying to join to.

Rowland
me at tdiehl.org
2018-Jun-21 18:32 UTC
[Samba] Problem joining a samba Dc to a windows domain
Hi Rowland,

On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>> Windows domain using
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>> as instructions.
>>
>> The smb.conf looks like the following:
>>
>> [global]
>> netbios name = PHT-VDC1
>> realm = EXAMPLE.COM
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> The above was generated by the following samba-tool command line:
>> samba-tool domain join example.com DC -U"example\admin"
>> --dns-backend=BIND9_DLZ
>>
>> When I run samba-tool I get the following output:
>> (pht-vdc1 pts10) # samba-tool domain join example.com DC
>> -U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC for
>> domain 'example.com' Found DC PHT1.example.com
>> Password for [EXAMPLE\admin]:
>> workgroup is EXAMPLE
>> realm is example.com
>> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>> Adding
>> CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> Adding CN=NTDS
>> Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>> Setting account password for PHT-VDC1$ Enabling account Adding DNS
>> account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
>> Setting account password for dns-PHT-VDC1 Calling bare provision
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness
>> constraint on local domainSIDs
>>
>> A Kerberos configuration suitable for Samba AD has been generated
>> at /usr/local/samba/private/krb5.conf Merge the contents of this file
>> with your system krb5.conf or replace it with this one. Do not create
>> a symlink! Provision OK for domain DN DC=example,DC=com Starting
>> replication Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[402/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[804/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[1206/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[1608/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[2010/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[2412/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[2814/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[3216/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[3618/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com]
>> objects[3735/4383] linked_values[0/0] Analyze and apply schema
>> objects Partition[CN=Configuration,DC=example,DC=com]
>> objects[402/7722] linked_values[0/355]
>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
>> linked_values[0/355] ...
>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
>> linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
>> objects[6510/7722] linked_values[12/355] Replicating critical objects
>> from the base DN of the domain Partition[DC=example,DC=com]
>> objects[105/156] linked_values[42/388] Partition[DC=example,DC=com]
>> objects[296/7902] linked_values[1/388] Partition[DC=example,DC=com]
>> objects[466/7902] linked_values[72/388] Failed to commit objects: DOS
>> code 0x000021bf Join failed - cleaning up
>
> This is where it seems to fail and 0x000021bf is this:
>
> The replication operation failed because the target object referenced
> by a link value is recycled.
>
> So it might be an idea to check the DC you are trying to join to.

Check it for what? If I understand correctly the error is saying that the target object is not there. The problem is I do not understand what the target object is or how to find it. Assuming that the error is referring to

Partition[DC=example,DC=com] objects[466/7952] linked_values[72/388]

How do I figure out what the error is referring to?

As I said in a separate message, I can successfully join using 4.7.7. If this is a problem with the existing MS DC, why does 4.7.7 join without error?

To be clear I am not doubting your advice and I do appreciate it. I am just trying to understand.

Regards,

-- 
Tom me at tdiehl.org
Andrew Bartlett
2018-Jun-21 20:22 UTC
[Samba] Problem joining a samba Dc to a windows domain
On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I am trying to join a self compiled samba 4.8.2 DC to an existing
> > Windows domain using
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> > as instructions.
> >
> > The smb.conf looks like the following:
> >
> > [global]
> > netbios name = PHT-VDC1
> > realm = EXAMPLE.COM
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = EXAMPLE
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > The above was generated by the following samba-tool command line:
> > samba-tool domain join example.com DC -U"example\admin"
> > --dns-backend=BIND9_DLZ
> >
> > When I run samba-tool I get the following output:
> > (pht-vdc1 pts10) # samba-tool domain join example.com DC
> > -U"example\admin" --dns-backend=BIND9_DLZ Finding a writeable DC for
> > domain 'example.com' Found DC PHT1.example.com
> > Password for [EXAMPLE\admin]:

....

> > Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
> > linked_values[0/355] ...
> > Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
> > linked_values[0/355] Partition[CN=Configuration,DC=example,DC=com]
> > objects[6510/7722] linked_values[12/355] Replicating critical objects
> > from the base DN of the domain Partition[DC=example,DC=com]
> > objects[105/156] linked_values[42/388] Partition[DC=example,DC=com]
> > objects[296/7902] linked_values[1/388] Partition[DC=example,DC=com]
> > objects[466/7902] linked_values[72/388] Failed to commit objects: DOS
> > code 0x000021bf Join failed - cleaning up
>
> This is where it seems to fail and 0x000021bf is this:
>
> The replication operation failed because the target object referenced
> by a link value is recycled.
>
> So it might be an idea to check the DC you are trying to join to.

Thanks Rowland,

What is happening here is that Samba is trying to find the end of a link that it has been given, so as to be able to set the backlink. This used to just result in the backlink being dropped, and now we have fixed that (never dropping the link).

However it seems that goes a bit wrong here against Windows.

The reason this works with 4.7 is that the backlink is just ignored and dropped in this case.

I've CC'ed Tim Beale who was the developer of that code, who may have some insights.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
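
Added example, not part of any message in this thread and not Samba code: a small triage script for a `samba-tool domain join` transcript like the one posted above. It reports the naming context and progress counters at the point of failure and treats the replication `DOS code` as the primary error, with the later uncaught exception recorded as a secondary fault. The names `triage`, `KNOWN_CODES` and `SAMPLE` are hypothetical, and the sample lines are abridged from the posted output.

```python
import re

# Meaning of the one code discussed in the thread, as quoted in the reply above.
KNOWN_CODES = {
    0x21BF: "The replication operation failed because the target object "
            "referenced by a link value is recycled.",
}

PROGRESS = re.compile(
    r"(?:Schema-DN|Partition)\[(?P<nc>[^\]]+)\]\s+"
    r"objects\[(?P<o>\d+)/(?P<ot>\d+)\]\s+"
    r"linked_values\[(?P<l>\d+)/(?P<lt>\d+)\]")
FAILURE = re.compile(r"Failed to commit objects:\s+DOS\s+code\s+(0x[0-9a-fA-F]+)")
UNCAUGHT = re.compile(r"ERROR\(<type '([\w.]+)'>\):\s+uncaught exception\s+-\s+(.+)")
QUOTE_MARKS = re.compile(r"(?m)^[ \t]*(?:>[ \t]?)+")

# Constructed sample: a few lines abridged from the output posted in the thread.
SAMPLE = """\
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsGetNCChangesRequest8' object has no attribute 'more_flags'
"""


def triage(text):
    """Summarise a join transcript; accepts raw, mail-quoted or re-wrapped text."""
    text = QUOTE_MARKS.sub("", text)  # drop leading '>' quote markers
    events = []
    for kind, rx in (("progress", PROGRESS), ("failure", FAILURE),
                     ("exception", UNCAUGHT)):
        events += [(m.start(), kind, m) for m in rx.finditer(text)]
    events.sort(key=lambda e: e[0])   # replay events in transcript order

    report = {"progress": {}, "failure": None, "exception": None,
              "root_cause": None}
    last = None
    for _, kind, m in events:
        if kind == "progress":
            last = {"nc": m.group("nc"),
                    "objects": (int(m.group("o")), int(m.group("ot"))),
                    "linked_values": (int(m.group("l")), int(m.group("lt")))}
            report["progress"][last["nc"]] = last
        elif kind == "failure" and report["failure"] is None:
            code = int(m.group(1), 16)
            # Attach the last progress line seen: that is where replication stopped.
            report["failure"] = dict(last or {}, code=code,
                                     meaning=KNOWN_CODES.get(code, "unknown"))
            report["root_cause"] = "replication_error"
        elif kind == "exception":
            report["exception"] = {"type": m.group(1),
                                   "message": m.group(2).strip()}
            # Only blame the exception when no replication error preceded it.
            if report["root_cause"] is None:
                report["root_cause"] = "exception"
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    f = r["failure"]
    print("stopped in %s at objects %d/%d, linked_values %d/%d"
          % ((f["nc"],) + f["objects"] + f["linked_values"]))
    print("code 0x%08x: %s" % (f["code"], f["meaning"]))
    print("secondary fault:", r["exception"]["type"], "| root cause:", r["root_cause"])
```
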