Ming Li
2018-Oct-16 18:16 UTC
[Samba] Samba 4.3.11 join an exiting windows AD failed with timeout
Hello,

I built a DNS and AD in windows 2012 as PDC, and would like to set up a BDC in linux. I followed this link https://www.server-world.info/en/note?os=Ubuntu_18.04&p=samba&f=7 . But got the below error. Any ideas would be appreciated.

$ samba-tool domain join xxx.com DC -U "xxx\administrator" --dns-backend=SAMBA_INTERNAL

Finding a writeable DC for domain 'xxx.com'
Found DC DCPR1.xxx.com
Password for [XXX\administrator]:
workgroup is XXX
realm is xxx.com
checking sAMAccountName
Adding CN=UBUNTUBDC,OU=Domain Controllers,DC=xxx,DC=com
Adding CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
Adding CN=NTDS Settings,CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
Join failed - cleaning up
checking sAMAccountName
Deleted CN=UBUNTUBDC,OU=Domain Controllers,DC=xxx,DC=com
Deleted CN=UBUNTUBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com
ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 621, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1170, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1073, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 562, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 495, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 432, in DsAddEntry
    (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)

Thanks,
Ming.
Andrew Bartlett
2018-Oct-16 18:45 UTC
[Samba] Samba 4.3.11 join an exiting windows AD failed with timeout
I would check you have firewall access to the high DCE/RPC port used for DRSUAPI, and that your windows server is happy in general.

Is there a specific reason you are adding this additional DC? I suspect the domain isn't working correctly already.

Finally, I would note that long-term windows/samba domains are supported, but rare. I would encourage a full migration if you intend this to be in production long-term.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
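Added example, not part of the thread and not Samba code: one way to run the firewall check suggested above from the joining host, separating a port that is silently dropped (the same symptom as the join timeout) from one that is reachable but closed. The port list, the default Windows dynamic RPC range 49152-65535 and the sample port passed in `__main__` are assumptions; the host name is the one from the join output.

```python
import socket

# Standard fixed ports a DC join touches.
FIXED_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
               389: "LDAP", 445: "SMB", 464: "kpasswd"}
# Default dynamic RPC range on Windows Server 2008 and later
# (assumption: the DC has not been configured with a custom range).
DYNAMIC_RANGE = (49152, 65535)


def ntstatus_hex(code):
    """Turn the signed value samba-tool prints into the usual NTSTATUS hex form."""
    return "0x%08X" % (code & 0xFFFFFFFF)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from this host.

    'open'        - connection accepted
    'refused'     - host answered, nothing is listening
    'timeout'     - no answer at all, typical of a firewall dropping packets
    'unreachable' - name resolution or routing failed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def check_dc(host, dynamic_ports=(), timeout=3.0):
    """Probe the fixed ports plus caller-supplied ports from the dynamic range."""
    for port in dynamic_ports:
        if not DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
            raise ValueError("port %d is outside the dynamic RPC range" % port)
    ports = list(FIXED_PORTS) + list(dynamic_ports)
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Error code from the traceback; 0xC00000B5 is STATUS_IO_TIMEOUT.
    print(ntstatus_hex(-1073741643))
    # 49152 is only a sample; DRSUAPI listens on whichever dynamic port the DC assigned.
    for port, state in check_dc("DCPR1.xxx.com", dynamic_ports=[49152]).items():
        print(port, FIXED_PORTS.get(port, "dynamic RPC"), state)
```

A `timeout` result on port 135 or on the dynamic range, with the other ports `open`, points at packet filtering between the two hosts rather than at the DC itself.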
Ming Li
2018-Oct-16 21:27 UTC
[Samba] Samba 4.3.11 join an exiting windows AD failed with timeout
Thanks. It is an internal network. We opened up the firewall. And the windows DC is working well. We have two windows DCs now: one PDC, another BDC. We are moving to linux. So we would like to add this linux as BDC, and demote the current windows BDC. And have a test. If all is good, we will migrate it totally. But now we cannot make it work. Any other place I should check to make it work?

Thanks,
Ming.