franta
2019-Mar-25 14:12 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
Hi team,
I have Samba (4.9.5) AD DC, and when trying to add a second DC, the join fails:

# samba-tool domain join zamecek.home DC -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'zamecek.home'
Found DC dc1.zamecek.home
Password for [SSUPS-ZAMECEK\administrator]:
workgroup is SSUPS-ZAMECEK
realm is zamecek.home
Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Adding CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Setting account password for DC2-LYNX$
Enabling account
Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with dns/ SPN
Setting account password for dns-DC2-LYNX
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=zamecek,DC=home
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1628/1628] linked_values[42/42]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2030/1628] linked_values[1/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2432/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2834/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3236/1628] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3256/1628] linked_values[41/42]
Replicating critical objects from the base DN of the domain
Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
Partition[DC=zamecek,DC=home] objects[500/700] linked_values[0/22]
Partition[DC=zamecek,DC=home] objects[798/700] linked_values[653/653]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[59/59] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] linked_values[0]
Committing SAM database
Join failed - cleaning up
Deleted CN=RID Set,CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Deleted CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Deleted CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home
Deleted CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Deleted CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
ERROR(ldb): uncaught exception - descriptor_modify on CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1501, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1399, in do_join
    ctx.join_replicate()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1005, in join_replicate
    ctx.local_samdb.transaction_commit()

I have no idea where the problem is or how to solve it - can anyone help?
Both systems run Fedora 29 x86_64 Linux, Samba is built with Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, and the first DC was provisioned with '--use-rfc2307' and the BIND9_DLZ (bind-9.11.5) DNS backend.

Thanks,
Franta
Rowland Penny
2019-Mar-25 15:02 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Mon, 25 Mar 2019 15:12:16 +0100
franta via samba <samba at lists.samba.org> wrote:

> I have no idea where the problem is or how to solve it - can anyone help?
> Both systems run Fedora 29 x86_64 Linux, Samba is built with
> Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, and the first DC was
> provisioned with '--use-rfc2307' and the BIND9_DLZ (bind-9.11.5) DNS
> backend.
>
> Thanks,
> Franta

You should only build Samba with the Heimdal version supplied with Samba; you do not need to and shouldn't install Heimdal.

Rowland
franta
2019-Mar-25 15:20 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On 2019-03-25 16:02, Rowland Penny via samba wrote:
> On Mon, 25 Mar 2019 15:12:16 +0100
> franta via samba <samba at lists.samba.org> wrote:
>
>> I have no idea where the problem is or how to solve it - can anyone help?
>> Both systems run Fedora 29 x86_64 Linux, Samba is built with
>> Heimdal 7.5.0 Kerberos, tdb 1.3.16, ldb 1.4.6, and the first DC was
>> provisioned with '--use-rfc2307' and the BIND9_DLZ (bind-9.11.5) DNS
>> backend.
>>
>> Thanks,
>> Franta
>
> You should only build Samba with the Heimdal version supplied with
> Samba; you do not need to and shouldn't install Heimdal.

My mistake in the description - I have installed (it seems unnecessarily) only the heimdal-libs package (no -devel ones), and samba itself is not linked with it:

# ldd /usr/sbin/samba|grep heim
libheimbase-samba4.so.1 => /usr/lib64/samba/libheimbase-samba4.so.1 (0x00007f911e8da000)

Thus my problem should be something else - but what?

TIA,
Franta
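
The linkage question raised in this thread can be checked across every Kerberos-related library rather than only names containing "heim". The following is an added example, not part of any post in the thread or of Samba itself; the function names, the library-name pattern and all sample lines except the first are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Kerberos-related libraries in `ldd` output as
# bundled with Samba or external to it.
# Assumption: Samba's private libraries resolve under a directory named
# "samba" (as /usr/lib64/samba/ does in the ldd line quoted in the thread).

# Read `ldd` output on stdin; print "bundled <soname>" or "external <soname>"
# for every library whose name looks Kerberos/Heimdal related.
classify_krb_libs() {
    awk '
        # Resolved ldd lines have the form: <soname> => <path> (<address>)
        $2 == "=>" && $1 ~ /heim|krb5|k5crypto|gssapi|hx509|roken/ {
            if (index($3, "/samba/") > 0) print "bundled", $1
            else print "external", $1
        }
    '
}

# Read `ldd` output on stdin; print how many Kerberos libraries are external.
count_external() {
    classify_krb_libs | awk '$1 == "external" { n++ } END { print n + 0 }'
}

# First line is the one posted in the thread; the other two are constructed.
SAMPLE_BUNDLED='    libheimbase-samba4.so.1 => /usr/lib64/samba/libheimbase-samba4.so.1 (0x00007f911e8da000)
    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f911e000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f911d000000)'

# Constructed: the same output plus one Kerberos library resolving outside
# Samba's private directory (hypothetical path).
SAMPLE_MIXED="$SAMPLE_BUNDLED
    libkrb5.so.26 => /usr/lib64/heimdal/libkrb5.so.26 (0x00007f911c000000)"

printf '%s\n' "$SAMPLE_MIXED" | classify_krb_libs
# On a live system: ldd /usr/sbin/samba | classify_krb_libs
```

A non-zero result from `count_external` means at least one Kerberos library is being resolved from outside Samba's own library directory.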