Hi,

We have a samba 4.2.2 setup compiled from source, single DC, internal DNS. We've been using this samba setup in production since version 4.0.3. All clients are Windows 7-x64.

Since we upgraded to samba 4.2.0 back in March 2015, we are not able to join client machines to the domain using our sysprep unattended image, but joining machines via the manual procedure using the Windows GUI works perfectly.

Perhaps we're overlooking something very obvious, but we've done 3+ weeks of research on the issue and we've come to these conclusions:

- samba < 4.2.0: unattended joins using sysprep work OK

- samba >= 4.2.0: unattended joins using sysprep fail. Netsetup.log errors 0x54a and 1354 (ERROR_INVALID_DOMAIN_ROLE This operation is only allowed for the primary Domain Controller of the domain.)

To discard possible own database corruptions, we've rolled back to our past 4.1.17 setup and sysprep domain join works flawlessly. Then we update this environment to 4.2.2 and it stops working.

We've also tested pushing all our current databases from our current setup (4.2.2) into a 4.1.17 samba and it works!

So it leads us to think it might be a problem with some change introduced at 4.2.0 regarding domain join that only shows up when trying to do unattended joins.

In case this is of any help, packet-level research using wireshark shows that the only difference between versions that work and those which don't is the following:

- samba < 4.2.0 (works): the RPC_NETL DsrGetDcNameEx2 response returns the DC name field as DCSERVER.DOMAIN.LOCAL and the unattended join process works OK from that point onwards.

- samba >= 4.2.0 (fails): the DsrGetDcNameEx2 response returns the DC name field as DCSERVER and the unattended join process doesn't work. It keeps retrying that DsrGetDcNameEx2 request to no avail.

Are there any changes on 4.2.0 that might point to this failure for unattended joins? Joining the domain through the usual GUI procedure in Windows 7 works OK using any version.

NB. We are using a .local TLD, and our current fileserver is the same as the DC. We missed those recommendations.

Thanks in advance for any help

Regards,

IT Team IES Chan do Monte

Isn't anyone around using > 4.2 and SYSPREP with AUTO JOIN?

2015-06-24 10:52 GMT+02:00 Webmaster IESCDM <admies at ieschandomonte.edu.es>:
> Hi,
>
> We have a samba 4.2.2 setup compiled from source, single DC, internal DNS.
> [...]

I just tried 4.3.0rc3 and it continues failing. Thanks!

2015-08-04 8:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hai,
>
> Have you tried 4.2.3, which contains lots of fixes?
>
> But I'm interested in your setup for sysprep with auto join,
> I was just looking into that, any tips for me?
> Then I can try to reproduce your problem here also.
> I upgraded my sernet samba yesterday to 4.2.3.
>
> Greetz,
>
> Louis
>
> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Webmaster IESCDM
> >Sent: Monday 3 August 2015 16:02
> >To: samba at lists.samba.org
> >Subject: Re: [Samba] Sysprep joins fail on Samba >= 4.2.0
> >
> >Isn't anyone around using > 4.2 and SYSPREP with AUTO JOIN?
> >
> >2015-06-24 10:52 GMT+02:00 Webmaster IESCDM <admies at ieschandomonte.edu.es>:
> >
> >> Hi,
> >>
> >> We have a samba 4.2.2 setup compiled from source, single DC, internal DNS.
> >> [...]

Hello,

I recently switched my AD from w2k3/w2k8 to samba-4.8.3 and I have the very same problem. When I join my w2k8r2 and w2k16 machines manually, the domain join works flawlessly. As soon as I do a sysprep with domain join it fails: w2k8r2 just hangs endlessly, w2k16 finishes the sysprep but does not join the domain. If you say it worked with pre 4.2.0 maybe I should do a git bisect to find the offending commit. Has anybody else had the issue and maybe resolved it?

Cheers,
Thomas

On Mon, 2018-07-16 at 18:13 +0200, Thomas Glanzmann via samba wrote:
> Hello,
> I recently switched my AD from w2k3/w2k8 to samba-4.8.3 and I have the
> very same problem. When I join my w2k8r2 and w2k16 machines manually,
> the domain join works flawlessly. As soon as I do a sysprep with domain
> join it fails: w2k8r2 just hangs endlessly, w2k16 finishes the sysprep
> but does not join the domain. If you say it worked with pre 4.2.0 maybe
> I should do a git bisect to find the offending commit. Has anybody else
> had the issue and maybe resolved it?
>
> Cheers,
> Thomas

Before you focus on Samba, it is generally good form to prove it or get as close as you can. So: you can domain join OK but when using sysprep (Microsoft provided utility), it fails. I don't think your problem is with Samba but with sysprep.

Cheers
Jon

Hello,

* Jon Gerdes <gerdesj at blueloop.net> [2018-07-17 02:45]:
> Before you focus on Samba, it is generally good form to prove it or
> get as close as you can. So: you can domain join OK but when using
> sysprep (Microsoft provided utility), it fails. I don't think your
> problem is with Samba but with sysprep.

You're right. I tried a lot of things in the last 12 hours and it tears down to the following: Sysprep has some sort of race condition which breaks the domain join as soon as dual stack is used. Probably IPv6 is ready while IPv4 is not ready, then it tries the domain join, fails for whatever reason and gives up. My old ADs were dual stack but only had an IPv4 DNS entry for the AD. My Samba AD setup was dual stack, but the setup domain process uses IPv4 and IPv6 addresses to point to the AD.

To summarize:

- If I disable IPv6 on the to-be-sysprepped machine, it works.
- If I disable IPv6 on the Samba AD, it works.

In between I tried a lot of things including disabling WINS, NetBIOS, use w2k8r2, use w2k16, adding fec0:0:0:ffff::1-3/64 to my AD to allow DNS to work before IPv4 was ready. All did not bring the expected results. The only thing that works is either disabling IPv6 on the to-be-sysprepped machine or disabling IPv6 on the Samba AD:

        interfaces = 10.101.0.1

I went with disabling IPv6 on the Samba AD because I want IPv6 on my workstations. So Samba is not the culprit, sysprep has a racy IP setup. I'll do two more tests:

- Add an IPv6 DNS entry to my old AD and confirm that sysprep breaks as well.
- Disable IPv4 altogether and try a domain join with and without sysprep.

I'll report back on my findings.

Cheers,
Thomas
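
Added example (not written by anyone in this thread): a check to run from a dual-stack host that shows which IPv4 and IPv6 addresses the DC name resolves to and whether the usual AD TCP services answer on each one, for instance after restricting `interfaces` as described above. The host name `dcserver.domain.local`, the port list and all function names are assumptions made for this sketch.

```python
"""Probe every address a DC name resolves to, grouped by address family."""
import ipaddress
import socket

# TCP services an AD DC normally answers on (assumed list for this sketch).
AD_PORTS = {53: "dns", 88: "kerberos", 135: "rpc-epmap", 389: "ldap", 445: "smb"}


def resolve(host):
    """Return the sorted unique IPv4/IPv6 addresses the name resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_open(addr, port, timeout=2.0):
    """True if a TCP connection to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, family unsupported
        return False


def probe(addresses, ports=AD_PORTS, timeout=2.0):
    """Return {'IPv4'|'IPv6': {address: [ports that did not answer]}}."""
    report = {}
    for addr in addresses:
        family = "IPv%d" % ipaddress.ip_address(addr).version
        closed = [p for p in ports if not tcp_open(addr, p, timeout)]
        report.setdefault(family, {})[addr] = closed
    return report


def dead_addresses(report, ports=AD_PORTS):
    """Addresses that are published in DNS but answer on none of the ports."""
    wanted = set(ports)
    return sorted(addr for fam in report.values()
                  for addr, closed in fam.items() if set(closed) == wanted)


if __name__ == "__main__":
    dc = "dcserver.domain.local"  # placeholder: replace with your DC's FQDN
    result = probe(resolve(dc))
    for family, addrs in sorted(result.items()):
        for addr, closed in addrs.items():
            names = ", ".join(AD_PORTS[p] for p in closed) or "none"
            print(f"{family} {addr}: not answering on: {names}")
    for addr in dead_addresses(result):
        print(f"WARNING: {addr} is in DNS but no AD service answers on it")
```

An address reported as dead after the DC has been limited to IPv4 points to a leftover DNS record for that address, which dual-stack clients may still try first.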