René Schmidt
2019-Jul-19 16:40 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello everybody, ? I have a new AD which is installed on a Windows Server 2019. Now I want to add a Samba DC to this AD. The Samba DC is in the same subnet. Samba Server: Ubuntu 18.04 Samba 4.10.6 ? The Windows AD has the following settings: PS C: \ Users \ Administrator> Get-ADForest ApplicationPartitions: {DC = DomainDnsZones, DC = mydom, DC = local, DC = ForestDnsZones, DC = mydom, DC = local} CrossForestReferences: {} DomainNamingMaster: WAD.mydom.local Domains: {mydom.local} ForestMode: Windows2008R2Forest GlobalCatalogs: {WAD.mydom.local} Name: mydom.local PartitionContainer: CN = Partitions, CN = Configuration, DC = mydom, DC = local RootDomain: mydom.local SchemaMaster: WAD.mydom.local Sites: {Default First Site Name} SPNSuffixes: {} ? ? When I try to join the Samba server I get the following message: samba-tool domain join mydom.local DC -k yes INFO 2019-07-19 18:30:06,496 pid:25035 /usr/local/samba/lib/python3.6/site-packages/samba/join.py #103: Finding a writeable DC for domain mydom.local' INFO 2019-07-19 18:30:06,533 pid:25035 /usr/local/samba/lib/python3.6/site-packages/samba/join.py #105: Found DC WAD. mydom.local INFO 2019-07-19 18:30:06,783 pid:25035 /usr/local/samba/lib/python3.6/site-packages/samba/join.py #1519: workgroup is mydom INFO 2019-07-19 18:30:06,789 pid:25035 /usr/local/samba/lib/python3.6/site-packages/samba/join.py #1522: realm is mydom.local Adding CN=SAD,OU=Domain Controllers,DC= mydom,DC=local Adding CN=SAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC= mydom,DC=local Adding CN=NTDS Settings,CN=DE03VM13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC= mydom,DC=local DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN=SAD,OU=Domain Controllers,DC= mydom,DC=local Deleted CN=SAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC= mydom,DC=local ERROR(runtime): uncaught exception - DsAddEntry failed ? File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run ??? return self.run(*args, **kwargs) ? File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run ??? backend_store=backend_store) ? File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC ??? ctx.do_join() ? File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join ??? ctx.join_add_objects() ? File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects ??? ctx.join_add_ntdsdsa() ? File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa ??? ctx.DsAddEntry([rec]) ? File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry ??? raise RuntimeError("DsAddEntry failed") ? What can I do?
Rowland penny
2019-Jul-19 16:44 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 19/07/2019 17:40, Ren? Schmidt via samba wrote:> Hello everybody, > > > I have a new AD which is installed on a Windows Server 2019. Now I want to add a Samba DC to this AD. >Sorry, but you cannot join Samba as a DC to a 2019 domain (yet). Rowland
René Schmidt
2019-Jul-20 14:59 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello, I have now set up a new Windows Server 2012 R2 and configured as an AD. "kinit administrator" works. Now when I try to accept the AD with a Samba DC I still get the following error message: samba-tool domain join mydom.local DC -U "MYDOM\ dministrator" INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local' INFO 2019-07-20 16: 55: 53,064 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]: INFO 2019-07-20 16: 55: 56,210 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: realm is mydom.local Adding CN = SAD, OU = domain controllers, DC = mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local ERROR (runtime): uncaught exception - DsAddEntry failed ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run ????return self.run (* args, ** kwargs) ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run ????backend_store = backend_store) ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC ????ctx.do_join () ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join ????ctx.join_add_objects () ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects ????ctx.join_add_ntdsdsa () ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa ????ctx.DsAddEntry ([REC]) ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry ????raise RuntimeError ("DsAddEntry failed") As described in the wiki, I have set the functional levels to 2008 R2: Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest Set-ADForestMode -Identity "mydom.local" domainMode Windows2008R2Forest Do you have another idea? Ren? -----Urspr?ngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba Gesendet: Freitag, 19. Juli 2019 19:48 An: sambalist <samba at lists.samba.org> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' On 19/07/2019 18:13, Ren? Schmidt wrote:> Hello, > > would it work with Windows Server 2016? > It is a completely new AD, so I could reinstall the server again? > > Does not it work even though I have set ForestMode to Windows2008R2Forest? > is foreseeable when this could work?No, you 'might' be able to get 2012R2 to work, try reading this: https://wiki.samba.org/index.php/Windows_2012_Server_compatibility Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jul-20 15:21 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 20/07/2019 15:59, Ren? Schmidt wrote:> Hello, > > I have now set up a new Windows Server 2012 R2 and configured as an AD. > > "kinit administrator" works. > > Now when I try to accept the AD with a Samba DC I still get the following error message: > samba-tool domain join mydom.local DC -U "MYDOM\ dministrator" > INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local' > INFO 2019-07-20 16: 55: 53,064 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local > Password for [MYDOM \ administrator]: > INFO 2019-07-20 16: 55: 56,210 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: workgroup is MYDOM > INFO 2019-07-20 16: 55: 56,215 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: realm is mydom.local > Adding CN = SAD, OU = domain controllers, DC = mydom, DC = local > Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') > Join failed - cleaning up > Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local > Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > ERROR (runtime): uncaught exception - DsAddEntry failed > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run > ????return self.run (* args, ** kwargs) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run > ????backend_store = backend_store) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC > ????ctx.do_join () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join > ????ctx.join_add_objects () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects > ????ctx.join_add_ntdsdsa () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa > ????ctx.DsAddEntry ([REC]) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry > ????raise RuntimeError ("DsAddEntry failed") > > As described in the wiki, I have set the functional levels to 2008 R2: > Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest > Set-ADForestMode -Identity "mydom.local" domainMode Windows2008R2Forest > > Do you have another idea? > > Ren? > > -----Urspr?ngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba > Gesendet: Freitag, 19. Juli 2019 19:48 > An: sambalist <samba at lists.samba.org> > Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' > > On 19/07/2019 18:13, Ren? Schmidt wrote: >> Hello, >> >> would it work with Windows Server 2016? >> It is a completely new AD, so I could reinstall the server again? >> >> Does not it work even though I have set ForestMode to Windows2008R2Forest? >> is foreseeable when this could work? > No, you 'might' be able to get 2012R2 to work, try reading this: > > https://wiki.samba.org/index.php/Windows_2012_Server_compatibility > > Rowland > > > >I did say 'might' ;-) Try this way: go here: http://apt.van-belle.nl/ Set up the repo for 18.04 as described on that page Install these packages: attr samba smbclient dnsutils acl krb5-user winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils Ensure /etc/samba/smb.conf does not exist and try again. Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ? Rowland
René Schmidt
2019-Jul-20 20:20 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello Rowland, I also tried that again. Even now I get exactly the same mistake again: DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') To your question: I look after a number of clubs, e.g. to use a web application for time recording, to work partly on a terminal server, or to have an Exchange mailbox in the future. However, the Exchange mailboxes should be hosted at Microsoft in the cloud. For this I need a sync to Office365. Unfortunately, this only works conditionally with Samba. I found out that there are quite a few problems with the Azure AD Connector: - the password sync does not work at all - Group memberships are not synced - Restriction to sync groups does not work Since these problems do not occur with a Windows server, I would like to have a Windows server as domaincontoler on which runs the sync. Do you have any idea what else could be a problem? Ren? -----Urspr?ngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba Gesendet: Samstag, 20. Juli 2019 17:21 An: sambalist <samba at lists.samba.org> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' On 20/07/2019 15:59, Ren? Schmidt wrote:> Hello, > > I have now set up a new Windows Server 2012 R2 and configured as an AD. > > "kinit administrator" works. > > Now when I try to accept the AD with a Samba DC I still get the following error message: > samba-tool domain join mydom.local DC -U "MYDOM\ dministrator" > INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local' > INFO 2019-07-20 16: 55: 53,064 pid: 1280 > /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]: > INFO 2019-07-20 16: 55: 56,210 pid: 1280 > /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: > workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 > /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: > realm is mydom.local Adding CN = SAD, OU = domain controllers, DC = > mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First > Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First > Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, > 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = > SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = SAD, > CN = Servers, CN = Default First Site Name, CN = Sites, CN = > Configuration, DC = mydom, DC = local ERROR (runtime): uncaught > exception - DsAddEntry failed > ??File > "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py > ", line 185, in _run > ????return self.run (* args, ** kwargs) > ??File > "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", > line 700, in run > ????backend_store = backend_store) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 1535, in join_DC > ????ctx.do_join () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 1427, in do_join > ????ctx.join_add_objects () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 669, in join_add_objects > ????ctx.join_add_ntdsdsa () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 594, in join_add_ntdsdsa > ????ctx.DsAddEntry ([REC]) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 543, in DsAddEntry > ????raise RuntimeError ("DsAddEntry failed") > > As described in the wiki, I have set the functional levels to 2008 R2: > Set-ADForestMode -Identity "mydom.local" -ForestMode > Windows2008R2Forest Set-ADForestMode -Identity "mydom.local" > domainMode Windows2008R2Forest > > Do you have another idea? > > Ren? > > -----Urspr?ngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland penny via samba > Gesendet: Freitag, 19. Juli 2019 19:48 > An: sambalist <samba at lists.samba.org> > Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' > > On 19/07/2019 18:13, Ren? Schmidt wrote: >> Hello, >> >> would it work with Windows Server 2016? >> It is a completely new AD, so I could reinstall the server again? >> >> Does not it work even though I have set ForestMode to Windows2008R2Forest? >> is foreseeable when this could work? > No, you 'might' be able to get 2012R2 to work, try reading this: > > https://wiki.samba.org/index.php/Windows_2012_Server_compatibility > > Rowland > > > >I did say 'might' ;-) Try this way: go here: http://apt.van-belle.nl/ Set up the repo for 18.04 as described on that page Install these packages: attr samba smbclient dnsutils acl krb5-user winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils Ensure /etc/samba/smb.conf does not exist and try again. Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jul-20 20:55 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 20/07/2019 21:20, Ren? Schmidt wrote:> Hello Rowland, > > I also tried that again. > > Even now I get exactly the same mistake again: > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') > > To your question: > I look after a number of clubs, e.g. to use a web application for time recording, to work partly on a terminal server, or to have an Exchange mailbox in the future. However, the Exchange mailboxes should be hosted at Microsoft in the cloud. For this I need a sync to Office365. Unfortunately, this only works conditionally with Samba. > I found out that there are quite a few problems with the Azure AD Connector: > - the password sync does not work at all > - Group memberships are not synced > - Restriction to sync groups does not work > Since these problems do not occur with a Windows server, I would like to have a Windows server as domaincontoler on which runs the sync. > > Do you have any idea what else could be a problem? > > Ren? > -----Urspr?ngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba > Gesendet: Samstag, 20. Juli 2019 17:21 > An: sambalist <samba at lists.samba.org> > Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' > > On 20/07/2019 15:59, Ren? Schmidt wrote: >> Hello, >> >> I have now set up a new Windows Server 2012 R2 and configured as an AD. >> >> "kinit administrator" works. >> >> Now when I try to accept the AD with a Samba DC I still get the following error message: >> samba-tool domain join mydom.local DC -U "MYDOM\ dministrator" >> INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local' >> INFO 2019-07-20 16: 55: 53,064 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]: >> INFO 2019-07-20 16: 55: 56,210 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: >> workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: >> realm is mydom.local Adding CN = SAD, OU = domain controllers, DC >> mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First >> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local >> Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First >> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local >> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, >> 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN >> SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = SAD, >> CN = Servers, CN = Default First Site Name, CN = Sites, CN >> Configuration, DC = mydom, DC = local ERROR (runtime): uncaught >> exception - DsAddEntry failed >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py >> ", line 185, in _run >> ????return self.run (* args, ** kwargs) >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", >> line 700, in run >> ????backend_store = backend_store) >> ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 1535, in join_DC >> ????ctx.do_join () >> ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 1427, in do_join >> ????ctx.join_add_objects () >> ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 669, in join_add_objects >> ????ctx.join_add_ntdsdsa () >> ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 594, in join_add_ntdsdsa >> ????ctx.DsAddEntry ([REC]) >> ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 543, in DsAddEntry >> ????raise RuntimeError ("DsAddEntry failed") >> >> As described in the wiki, I have set the functional levels to 2008 R2: >> Set-ADForestMode -Identity "mydom.local" -ForestMode >> Windows2008R2Forest Set-ADForestMode -Identity "mydom.local" >> domainMode Windows2008R2Forest >> >> Do you have another idea? >> >> Ren? >> >> -----Urspr?ngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >> Rowland penny via samba >> Gesendet: Freitag, 19. Juli 2019 19:48 >> An: sambalist <samba at lists.samba.org> >> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' >> >> On 19/07/2019 18:13, Ren? Schmidt wrote: >>> Hello, >>> >>> would it work with Windows Server 2016? >>> It is a completely new AD, so I could reinstall the server again? >>> >>> Does not it work even though I have set ForestMode to Windows2008R2Forest? >>> is foreseeable when this could work? >> No, you 'might' be able to get 2012R2 to work, try reading this: >> >> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility >> >> Rowland >> >> >> >> > I did say 'might' ;-) > > Try this way: > > go here: http://apt.van-belle.nl/ > > Set up the repo for 18.04 as described on that page > > Install these packages: attr samba smbclient dnsutils acl krb5-user winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils > > Ensure /etc/samba/smb.conf does not exist and try again. > > Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ? > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >OK, but you might think it a bit strange, try joining Samba 4.7.X instead, if this works, walk Samba up the minor versions, 4.7.x --> 4.8.x --> 4.9.x --> 4.10.x Rowland
René Schmidt
2019-Jul-21 09:22 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello Rowland, I have started again: - new Window Server 2012 R2 installed - DNS server set up - once again the Ubunut 18.04 freshly installed - entered the IP of the Windows server as DNS server - Installed the Samba Packet from the official Ubunut source: dpkg -l | grep samba ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins if I am now samba-tool domain join mydom.local DC -U "MYDOM\administrator" -d3 I get the following message: Adding 1 remote DNS records for SAD. mydom.local Using binding ncacn_ip_tcp: WAD. mydom.local [, sign] resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20> resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20> Adding DNS A record WAD.schmidthome.local for IPv4 IP: 192.168.159.98 Join failed - cleaning up ldb_wrap open of secrets.ldb Could not find machine account in secrets database: Failed to fetch machine account password for MYDOM from both secrets.ldb (Could not find entry to match filter: '(& (flatname = MYDOM) (objectclass = primaryDomain))' base: 'cn = Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN = RID Set, CN = SAD, OU = Domain Controller, DC = mydom, DC = local Deleted CN = SAD, OU = domain controllers, DC = myadmon, DC = local Deleted CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local ERROR (runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR') ??File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run ????return self.run (* args, ** kwargs) ??File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run ????machinepass = machinepass, use_ntvfs = use_ntvfs, dns_backend = dns_backend) ??File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC ????ctx.do_join () ??File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join ????ctx.join_add_dns_records () ??File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1116, in join_add_dns_records ????dns_partition = domaindns_zone_dn) ??File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 939, in dns_lookup ????dns_partition = dns_partition) Do you have an idea? The DNS entry is created on the Windows server for the Samba server. Ren? -----Urspr?ngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba Gesendet: Samstag, 20. Juli 2019 22:56 An: sambalist <samba at lists.samba.org> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' On 20/07/2019 21:20, Ren? Schmidt wrote:> Hello Rowland, > > I also tried that again. > > Even now I get exactly the same mistake again: > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, > 'WERR_DS_NO_CROSSREF_FOR_NC') > > To your question: > I look after a number of clubs, e.g. to use a web application for time recording, to work partly on a terminal server, or to have an Exchange mailbox in the future. However, the Exchange mailboxes should be hosted at Microsoft in the cloud. For this I need a sync to Office365. Unfortunately, this only works conditionally with Samba. > I found out that there are quite a few problems with the Azure AD Connector: > - the password sync does not work at all > - Group memberships are not synced > - Restriction to sync groups does not work Since these problems do not > occur with a Windows server, I would like to have a Windows server as domaincontoler on which runs the sync. > > Do you have any idea what else could be a problem? > > Ren? > -----Urspr?ngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland penny via samba > Gesendet: Samstag, 20. Juli 2019 17:21 > An: sambalist <samba at lists.samba.org> > Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' > > On 20/07/2019 15:59, Ren? Schmidt wrote: >> Hello, >> >> I have now set up a new Windows Server 2012 R2 and configured as an AD. >> >> "kinit administrator" works. >> >> Now when I try to accept the AD with a Samba DC I still get the following error message: >> samba-tool domain join mydom.local DC -U "MYDOM\ dministrator" >> INFO 2019-07-20 16: 55: 53,030 pid: 1280 /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 103: Finding a writeable DC for domain mydom.local' >> INFO 2019-07-20 16: 55: 53,064 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 105: Found DC WDC. mydom.local Password for [MYDOM \ administrator]: >> INFO 2019-07-20 16: 55: 56,210 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1519: >> workgroup is MYDOM INFO 2019-07-20 16: 55: 56,215 pid: 1280 >> /usr/local/samba/lib/python3.6/site-packages/samba/join.py # 1522: >> realm is mydom.local Adding CN = SAD, OU = domain controllers, DC = >> mydom, DC = local Adding CN = SAD, CN = Servers, CN = Default First >> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local >> Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First >> Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local >> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, >> 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = >> SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = >> SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = >> Configuration, DC = mydom, DC = local ERROR (runtime): uncaught >> exception - DsAddEntry failed >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.p >> y >> ", line 185, in _run >> ????return self.run (* args, ** kwargs) >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py" >> , >> line 700, in run >> ????backend_store = backend_store) >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 1535, in join_DC >> ????ctx.do_join () >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 1427, in do_join >> ????ctx.join_add_objects () >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 669, in join_add_objects >> ????ctx.join_add_ntdsdsa () >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 594, in join_add_ntdsdsa >> ????ctx.DsAddEntry ([REC]) >> ??File >> "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", >> line 543, in DsAddEntry >> ????raise RuntimeError ("DsAddEntry failed") >> >> As described in the wiki, I have set the functional levels to 2008 R2: >> Set-ADForestMode -Identity "mydom.local" -ForestMode >> Windows2008R2Forest Set-ADForestMode -Identity "mydom.local" >> domainMode Windows2008R2Forest >> >> Do you have another idea? >> >> Ren? >> >> -----Urspr?ngliche Nachricht----- >> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von >> Rowland penny via samba >> Gesendet: Freitag, 19. Juli 2019 19:48 >> An: sambalist <samba at lists.samba.org> >> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' >> >> On 19/07/2019 18:13, Ren? Schmidt wrote: >>> Hello, >>> >>> would it work with Windows Server 2016? >>> It is a completely new AD, so I could reinstall the server again? >>> >>> Does not it work even though I have set ForestMode to Windows2008R2Forest? >>> is foreseeable when this could work? >> No, you 'might' be able to get 2012R2 to work, try reading this: >> >> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility >> >> Rowland >> >> >> >> > I did say 'might' ;-) > > Try this way: > > go here: http://apt.van-belle.nl/ > > Set up the repo for 18.04 as described on that page > > Install these packages: attr samba smbclient dnsutils acl krb5-user > winbind libpam-winbind libpam-krb5 libnss-winbind bind9utils > > Ensure /etc/samba/smb.conf does not exist and try again. > > Can I ask, what is the burning need to join a computer as a Samba DC to a Windows DC ? > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >OK, but you might think it a bit strange, try joining Samba 4.7.X instead, if this works, walk Samba up the minor versions, 4.7.x --> 4.8.x --> 4.9.x --> 4.10.x Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jul-21 09:41 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 21/07/2019 10:22, Ren? Schmidt wrote:> Hello Rowland, > > I have started again: > - new Window Server 2012 R2 installed > - DNS server set up > - once again the Ubunut 18.04 freshly installed > - entered the IP of the Windows server as DNS server > - Installed the Samba Packet from the official Ubunut source: > dpkg -l | grep samba > ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba > ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix > ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client > ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client > ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Directory Services Database > ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries > ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins > > > if I am now > samba-tool domain join mydom.local DC -U "MYDOM\administrator" -d3 > I get the following message: > Adding 1 remote DNS records for SAD. mydom.local > Using binding ncacn_ip_tcp: WAD. mydom.local [, sign] > resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20> > resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local <0x20> > Adding DNS A record WAD.schmidthome.local for IPv4 IP: 192.168.159.98 > Join failed - cleaning upAnything after this point is an artefact of the failure and can be ignored.> Do you have an idea? > The DNS entry is created on the Windows server for the Samba server.You are getting closer, the join is now failing at the last hurdle and we had this very recently with a user trying to join to Windows 2003 DC. The cure was to stop the join creating the DC records. Find 'join.py (/usr/lib/python2.7/dist-packages/samba/join.py on my DC) and open it in your favourite editor, find these lines: ??????????? if ctx.dns_backend != "NONE": ??????????????? ctx.join_add_dns_records() ??????????????? ctx.join_replicate_new_dns_records() Line 1405 in my version, under '??? def do_join(ctx):' just comment out those three lines, save & close, then try the join again. Rowland
René Schmidt
2019-Jul-21 18:53 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello Rowland, Thank you very much for your support so far. Now I could join. But: Now I have a problem with the DNS. I use the samba internal DNS. When I try to reach mydom.local or SAD.mydom.local, I only get the error: ? nslookup SAD.mydom.local Server: 192.168.159.98 Address: 192.168.159.98 # 53 Non-authoritative answer: *** Can not find SAD.mydom.local: No answer -------------------------------------- nslookup mydom.local Server: 192.168.159.98 Address: 192.168.159.98 # 53 Non-authoritative answer: *** Can not find mydom.local: No answer a nslookup on google.de works. (I added the following entry to smb.conf: dns forwarder = 8.8.8.8) Also, I can not address the Samba server with the Windows DNS Tools: The Active Directory is not available. in the jornalctl I have the following messages: Jul 21 20:47:54 SAD samba[1328]: [2019/07/21 20:47:54.453639, 0] ../source4/rpc_server/dnsserver/dnsdb.c:112(dnsserver_db_enumerate_zones) Jul 21 20:47:54 SAD samba[1328]: dnsserver: Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydom,DC=local Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.462358, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.465301, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.466339, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs) Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.466904, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 940, in run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.467333, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: raise e Jul 21 20:47:54 SAD samba[1328]: [2019/07/21 20:47:54.507343, 0] ../source4/rpc_server/dnsserver/dnsdb.c:112(dnsserver_db_enumerate_zones) Jul 21 20:47:54 SAD samba[1328]: dnsserver: Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydom,DC=local Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.510181, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.511217, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.512146, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs) Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.513033, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 940, in run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.514036, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: raise e Jul 21 20:47:54 SAD samba[1328]: [2019/07/21 20:47:54.552053, 0] ../source4/rpc_server/dnsserver/dnsdb.c:112(dnsserver_db_enumerate_zones) Jul 21 20:47:54 SAD samba[1328]: dnsserver: Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydom,DC=local Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.554169, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.555017, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.555884, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs) Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.556742, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 940, in run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.557541, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: raise e Jul 21 20:47:54 SAD samba[1328]: [2019/07/21 20:47:54.590717, 0] ../source4/rpc_server/dnsserver/dnsdb.c:112(dnsserver_db_enumerate_zones) Jul 21 20:47:54 SAD samba[1328]: dnsserver: Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydom,DC=local Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.594188, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.595188, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.596029, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs) Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.596741, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Jul 21 20:47:54 SAD samba[1345]: /usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 940, in run Jul 21 20:47:54 SAD samba[1345]: [2019/07/21 20:47:54.597532, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) Do you have an idea for this? Currently Samba 4.7.6 is still installed. Ren? -----Urspr?ngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland penny via samba Gesendet: Sonntag, 21. Juli 2019 11:41 An: sambalist <samba at lists.samba.org> Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' On 21/07/2019 10:22, Ren? Schmidt wrote:> Hello Rowland, > > I have started again: > - new Window Server 2012 R2 installed > - DNS server set up > - once again the Ubunut 18.04 freshly installed > - entered the IP of the Windows server as DNS server > - Installed the Samba Packet from the official Ubunut source: > dpkg -l | grep samba > ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba > ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix > ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client > ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client > ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Directory Services Database > ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries > ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins > > > if I am now > samba-tool domain join mydom.local DC -U "MYDOM\administrator" -d3 I > get the following message: > Adding 1 remote DNS records for SAD. mydom.local Using binding > ncacn_ip_tcp: WAD. mydom.local [, sign] > resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local > <0x20> > resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local > <0x20> Adding DNS A record WAD.schmidthome.local for IPv4 IP: > 192.168.159.98 Join failed - cleaning upAnything after this point is an artefact of the failure and can be ignored.> Do you have an idea? > The DNS entry is created on the Windows server for the Samba server.You are getting closer, the join is now failing at the last hurdle and we had this very recently with a user trying to join to Windows 2003 DC. The cure was to stop the join creating the DC records. Find 'join.py (/usr/lib/python2.7/dist-packages/samba/join.py on my DC) and open it in your favourite editor, find these lines: ??????????? if ctx.dns_backend != "NONE": ??????????????? ctx.join_add_dns_records() ??????????????? ctx.join_replicate_new_dns_records() Line 1405 in my version, under '??? def do_join(ctx):' just comment out those three lines, save & close, then try the join again. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jul-21 19:05 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 21/07/2019 19:53, Ren? Schmidt wrote:> Hello Rowland, > > Thank you very much for your support so far. > > Now I could join.Hurrah ;-)> > But: > Now I have a problem with the DNS. I use the samba internal DNS. > > When I try to reach mydom.local or SAD.mydom.local, I only get the error:Please tell me that .local? is sanitization, but if it isn't, try this: apt-get purge avahi-deamon> ? nslookup SAD.mydom.local > Server: 192.168.159.98 > Address: 192.168.159.98 # 53 > > Non-authoritative answer: > *** Can not find SAD.mydom.local: No answer > -------------------------------------- > nslookup mydom.local > Server: 192.168.159.98 > Address: 192.168.159.98 # 53 > > Non-authoritative answer: > *** Can not find mydom.local: No answerCan you post the following files: /etc/resolv.conf /etc/hostname /etc/hosts Also try restarting Samba, this should run samba_dnsupdate and hopefully fill in any missing dns entries. Rowland
Tim Beale
2019-Jul-22 05:18 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On 21/07/19 2:59 AM, Ren? Schmidt via samba wrote:> Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') > Join failed - cleaning up > Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local > Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local > ERROR (runtime): uncaught exception - DsAddEntry failed > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run > ????return self.run (* args, ** kwargs) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run > ????backend_store = backend_store) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC > ????ctx.do_join () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join > ????ctx.join_add_objects () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects > ????ctx.join_add_ntdsdsa () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa > ????ctx.DsAddEntry ([REC]) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry > ????raise RuntimeError ("DsAddEntry failed")I see this problem trying to join Windows too. I think this is broken on Samba v4.10 and v4.11/master. Using v4.7 and v4.9 seems to work OK. It looks like the problem might be a python2 vs python3 issue. So if anyone else hits this on v4.10 and has the samba python2 packages installed, then they could try running the samba-tool command under python2, e.g. '$(which python2) samba-tool domain join...'. Our current suspicion is that it's a list/dictionary ordering problem, so alternatively if you run the command enough times with python3 it might also eventually work...
René Schmidt
2019-Jul-22 15:01 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
Hello everybody, Thank you very much for your continued support. Unfortunately, I think that I will not get on with Samba in the situation. It is tried a lot and I come from one problem to the next. That's why I commissioned the Finazellen funds for Windows licenses for all sites today. Thus, I will run the Complete AD future on a pure Windows basis. Thank you for your help Best wishes Ren? -----Urspr?ngliche Nachricht----- Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Tim Beale via samba Gesendet: Montag, 22. Juli 2019 07:18 An: Ren? Schmidt <rene at schmidthome-sh.de>; samba at lists.samba.org Betreff: Re: [Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC' On 21/07/19 2:59 AM, Ren? Schmidt via samba wrote:> Adding CN = SAD, CN = Servers, CN = Default First Site Name, CN = > Sites, CN = Configuration, DC = mydom, DC = local Adding CN = NTDS > Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = > Sites, CN = Configuration, DC = mydom, DC = local DsAddEntry failed > with status WERR_ACCESS_DENIED info (8363, > 'WERR_DS_NO_CROSSREF_FOR_NC') Join failed - cleaning up Deleted CN = > SAD, OU = domain controllers, DC = mydom, DC = local Deleted CN = SAD, > CN = Servers, CN = Default First Site Name, CN = Sites, CN = > Configuration, DC = mydom, DC = local ERROR (runtime): uncaught > exception - DsAddEntry failed > ??File > "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py > ", line 185, in _run > ????return self.run (* args, ** kwargs) > ??File > "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", > line 700, in run > ????backend_store = backend_store) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 1535, in join_DC > ????ctx.do_join () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 1427, in do_join > ????ctx.join_add_objects () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 669, in join_add_objects > ????ctx.join_add_ntdsdsa () > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 594, in join_add_ntdsdsa > ????ctx.DsAddEntry ([REC]) > ??File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", > line 543, in DsAddEntry > ????raise RuntimeError ("DsAddEntry failed")I see this problem trying to join Windows too. I think this is broken on Samba v4.10 and v4.11/master. Using v4.7 and v4.9 seems to work OK. It looks like the problem might be a python2 vs python3 issue. So if anyone else hits this on v4.10 and has the samba python2 packages installed, then they could try running the samba-tool command under python2, e.g. '$(which python2) samba-tool domain join...'. Our current suspicion is that it's a list/dictionary ordering problem, so alternatively if you run the command enough times with python3 it might also eventually work... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Jeremy Allison
2019-Jul-30 15:56 UTC
[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
On Mon, Jul 22, 2019 at 05:01:27PM +0200, Ren? Schmidt via samba wrote:> Hello everybody, > > Thank you very much for your continued support. > > Unfortunately, I think that I will not get on with Samba in the situation. It is tried a lot and I come from one problem to the next. > > That's why I commissioned the Finazellen funds for Windows licenses for all sites today. > Thus, I will run the Complete AD future on a pure Windows basis. > > Thank you for your help > > Best wishes > Ren?No problem, thanks for trying us out and working with us. We'll always be here if you need to dip your toes back in the Samba waters at a later date, in case we do something that the Windows environment can't supply. Cheers, Jeremy.
Reasonably Related Threads
- Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
- Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
- Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
- Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'
- Joining to a Windows 2012 R2 DC