Marcio Demetrio Bacci
2019-Aug-08 14:25 UTC
[Samba] Problems joining Samba 4 in the domain
Hi,

I have 2 DCs in my network.

The DC master is a Samba 4 and the secondary is Windows Server 2008.

I want to put another Samba 4 as DC to replace the Windows Server, however the following errors are emerging:

root@samba4-dc2:~# samba-tool domain join empresa.com.br DC -k yes -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Failed to get kerberos credentials (kerberos required): kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to bind - LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap': LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)

#############################################################################################

root@samba4-dc2:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator" -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Password for [EMPRESA\administrador]:
Cannot reach a KDC we require to contact (null) : kinit for administrador@EMPRESA failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Cannot reach a KDC we require to contact (null) : kinit for administrador@EMPRESA failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/WIN-DC2.EMPRESA.COM.BR failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v1773> <>
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v1773> <>
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)

#############################################################################################

I did some tests on the new Samba4 DC and it seems OK, as below:

root@samba4-dc2:~# kinit Administrator
Password for marcio@EMPRESA.COM.BR:

root@samba4-dc2:~# klist -l
Principal name                  Cache name
--------------                  ----------
Administrator@EMPRESA.COM.BR    FILE:/tmp/krb5cc_0

root@samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 samba4-dc1.empresa.com.br.
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 win-dc2.empresa.com.br.

root@samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 win-dc2.empresa.com.br.
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 samba4-dc1.empresa.com.br.

root@samba4-dc2:~# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR

root@samba4-dc2:~# host -t EMPRESA.COM.BR
host: invalid type: EMPRESA.COM.BR

root@samba4-dc2:~# host -t A EMPRESA.COM.BR
EMPRESA.COM.BR has address 10.133.84.135    # Wind-DC2
EMPRESA.COM.BR has address 192.168.1.20     # Samba4-DC1
EMPRESA.COM.BR has address 192.168.1.19     # Samba4-DC2

I did not understand why. It hasn't joined the domain yet.

My Kerberos configuration:

cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR

Other configuration:

cat /etc/hosts
192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135 win-dc2.empresa.com.br. wind-dc2

cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
nameserver 10.133.84.135

Could anybody help me?

Regards,

Márcio Bacci
Hai Marcio,

As far as I can see, most looks ok to me. A few very small points.

First change this:

> cat /etc/hosts
> 192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
> 192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135 win-dc2.empresa.com.br. wind-dc2
>
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20

To:

/etc/hosts
192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
10.133.84.135 win-dc2.empresa.com.br wind-dc2

/etc/resolv.conf
search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19

Now, a question. Is this the first attempt to join this server? If not, here is my guess, based on the output below.

- Then verify in the DNS and AD if the old server is completely removed. And take your time for this.
- cleanup /var/lib/samba (remove all files there and in subfolders, keep the folders)
- cleanup /var/cache/samba (remove all files there and in subfolders, keep the folders)
- remove /etc/samba/smb.conf

> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> been revoked)

So this really looks like leftovers from a previous attempt, so there must be something in the AD domain with that hostname. That one is revoked.

Then, after a good cleanup, you can try to join again.

After the join, reboot. Then change:

/etc/resolv.conf
search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135

Greetz,

Louis
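The two configuration points in this reply (no trailing dots on /etc/hosts names, and an existing DC listed first in /etc/resolv.conf until the join has succeeded) can be checked before running samba-tool. The script below is an added example for this thread, not code from the reply or from Samba; the sample files are constructed from the addresses in the thread and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join sanity checks for a Samba AD DC
# candidate, covering the two points corrected in the reply above.
#   1. /etc/hosts names must not carry a trailing dot (samba4-dc1.empresa.com.br.)
#   2. Until the join has succeeded, the first nameserver in /etc/resolv.conf must
#      be an existing DC, not the joining host itself.

# check_hosts_file FILE
# Prints every name field that ends in a dot; returns 1 if any were found, else 0.
check_hosts_file() {
    file="$1"
    bad=0
    while read -r addr names; do
        case "$addr" in ''|\#*) continue ;; esac   # skip blank and comment lines
        for name in $names; do
            case "$name" in
                \#*) break ;;                       # rest of the line is a comment
                *.) printf '%s: trailing dot: %s %s\n' "$file" "$addr" "$name"; bad=1 ;;
            esac
        done
    done < "$file"
    return "$bad"
}

# first_nameserver FILE
# Prints the address on the first "nameserver" line, or nothing if there is none.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolv_prejoin FILE OWN_IP
# Returns 1 if FILE has no nameserver or lists OWN_IP first: the host cannot serve
# the domain's DNS before it is a DC, so the join's SRV lookups would fail.
check_resolv_prejoin() {
    file="$1"
    own_ip="$2"
    first=$(first_nameserver "$file")
    if [ -z "$first" ]; then
        printf '%s: no nameserver line\n' "$file"
        return 1
    fi
    if [ "$first" = "$own_ip" ]; then
        printf '%s: first nameserver is this host (%s); use an existing DC until the join succeeds\n' "$file" "$own_ip"
        return 1
    fi
    return 0
}

# Constructed sample files using the addresses from the thread.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# As posted: two FQDNs with a trailing dot.
cat > "$TMP/hosts.before" <<'EOF'
192.168.1.19  samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20  samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135 win-dc2.empresa.com.br. wind-dc2
EOF

# As corrected in the reply.
cat > "$TMP/hosts.after" <<'EOF'
# AD domain controllers
192.168.1.19  samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20  samba4-dc1.empresa.com.br samba4-dc1
10.133.84.135 win-dc2.empresa.com.br wind-dc2
EOF

# Recommended before the join (existing DCs first) and after it (own address first).
cat > "$TMP/resolv.prejoin" <<'EOF'
search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19
EOF
cat > "$TMP/resolv.postjoin" <<'EOF'
search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135
EOF

OWN_IP=192.168.1.19
for f in hosts.before hosts.after; do
    if check_hosts_file "$TMP/$f"; then echo "$f: ok"; else echo "$f: fix before joining"; fi
done
for f in resolv.prejoin resolv.postjoin; do
    if check_resolv_prejoin "$TMP/$f" "$OWN_IP"; then echo "$f: ok for a pre-join host"; else echo "$f: not suitable before the join"; fi
done
```

Run it on the real files (check_hosts_file /etc/hosts; check_resolv_prejoin /etc/resolv.conf <own address>) before the join, and expect the post-join resolv.conf layout to be rejected by the pre-join check by design.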
Marcio Demetrio Bacci
2019-Aug-12 14:52 UTC
[Samba] Problems joining Samba 4 in the domain
Hi,

I created a new Samba 4 with a different name from the previous one. I followed your configuration guidelines for the /etc/hosts and /etc/resolv.conf files. I also removed the smb.conf file of the new DC.

I did maintenance on Samba 4 DC1:

samba-tool dbcheck --cross-ncs --fix --yes
Checking 6340 objects
Checked 6340 objects (0 errors)

I cleaned up DNS records. However, the following error occurred:

root@samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k yes -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for EMPRESA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=EMPRESA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)

Do I need to manually enter information (LDAP and Kerberos) about the new DC in the DNS entries in the msdcs.empresa.com.br and empresa.com.br trees?

Regards,

Márcio Bacci
binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal] > > resolve_lmhosts: Attempting lmhosts lookup for name > > win-dc2.empresa.com.br > > <0x20> > > resolve_lmhosts: Attempting lmhosts lookup for name > > win-dc2.empresa.com.br > > <0x20> > > Cannot reach a KDC we require to contact (null) : kinit for > > administrador at EMPRESA failed (Cannot contact any KDC for > > requested realm) > > > > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for > > ldap/WIN-DC2.EMPRESA.COM.BR > > failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS > > Got challenge flags: > > Got NTLMSSP neg_flags=0x62898235 > > NTLMSSP: Set final flags: > > Got NTLMSSP neg_flags=0x62088235 > > NTLMSSP Sign/Seal - Initialising with flags: > > Got NTLMSSP neg_flags=0x62088235 > > NTLMSSP Sign/Seal - Initialising with flags: > > Got NTLMSSP neg_flags=0x62088235 > > Join failed - cleaning up > > ldb_wrap open of secrets.ldb > > resolve_lmhosts: Attempting lmhosts lookup for name > > win-dc2.empresa.com.br > > <0x20> > > Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR > > failed (Clients > > credentials have been revoked) > > > > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for > > ldap/win-dc2.empresa.com.br > > failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT > > Got challenge flags: > > Got NTLMSSP neg_flags=0x62898235 > > NTLMSSP: Set final flags: > > Got NTLMSSP neg_flags=0x62088235 > > NTLMSSP Sign/Seal - Initialising with flags: > > Got NTLMSSP neg_flags=0x62088235 > > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: > > LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, > > data 52e, > > v1773> <> > > Failed to connect to 'ldap://win-dc2.empresa.com.br' with > > backend 'ldap': > > LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: > > DSID-0C09052B, comment: AcceptSecurityContext error, data > > 52e, v1773> <> > > Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br > > Deleted CN=NTDS > > 
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C > N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br > > Deleted > > CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C > N=Configuration,DC=empresa,DC=com,DC=br > > ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL > > - <0000202B: > > RefErr: DSID-030A0AEB, data 0, 1 access points > > ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br' > > > <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br> > > File > > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > > 176, in _run > > return self.run(*args, **kwargs) > > File > > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, > > in run > > machinepass=machinepass, use_ntvfs=use_ntvfs, > > dns_backend=dns_backend) > > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in > > join_DC > > ctx.do_join() > > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in > > do_join > > ctx.join_add_objects() > > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in > > join_add_objects > > ctx.samdb.modify(m) > > > > ############################################################## > > ############################### > > > > I did some tests in the new Samaba4 DC and it seems OK as below: > > > > root at samba4-dc2:~# kinit Administrator > > Password for marcio at EMPRESA.COM.BR: > > > > > > root at samba4-dc2:~# klist -l > > Principal name Cache name > > -------------- ---------- > > Administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0 > > > > root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR > > _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 > > samba4-dc1.empresa.com.br. > > _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 > > win-dc2.empresa.com.br > > . 
> > root at samba4-dc2:~# > > root at samba4-dc2:~# > > root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR > > _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 > > win-dc2.empresa.com.br. > > _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 > > samba4-dc1.empresa.com.br > > . > > root at samba4-dc2:~# > > root at samba4-dc2:~# cat /etc/krb5.conf > > [libdefaults] > > dns_lookup_realm = false > > dns_lookup_kdc = true > > default_realm = EMPRESA.COM.BR > > root at samba4-dc2:~# host -t EMPRESA.COM.BR > > host: invalid type: EMPRESA.COM.BR > > > > root at samba4-dc2:~# host -t A EMPRESA.COM.BR > > EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2 > > EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1 > > EMPRESA.COM.BR has address 192.168.1.19 # Samba4-DC2 . I did not > > understand why. He hasn't joined in the domain yet. > > > > > > My kerberos configurations: > > > > cat /etc/krb5.conf > > > > [libdefaults] > > dns_lookup_realm = false > > dns_lookup_kdc = true > > default_realm = EMPRESA.COM.BR > > > > > > Another configurations: > > > > cat /etc/hosts > > 192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2 > > 192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1 > > 10.133.84.135 win-dc2.empresa.com.br. wind-dc2 > > > > > > cat /etc/resolv.conf > > domain empresa.com.br > > search empresa.com.br > > nameserver 192.168.1.20 > > nameserver 10.133.84.135 > > > > Could anybody help me? > > > > Regards, > > > > M?rcio Bacci > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Ah, so the error changed..

Can you try

samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc01.empresa.com.br

so we try to join through samba4-dc1 and not the windows DC.

Looking at below again.

(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

This looks familiar.. i have to look this up.. ( tomorrow, office is closing here.. sorry )

> Do I need to manually enter information (ldap and kerberos) about the new DC in the DNS entries in the msdcs.empresa.com.br and empresa.com.br trees?

No, these records should and need to be created by the server.

So far,

Louis


From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Monday 12 August 2019 16:52
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problems joining Samba 4 in the domain

Hi,

I created a new Samba 4 with a different name from the previous one.

I followed your configuration guidelines for the /etc/hosts and /etc/resolv.conf files.

I also removed the smb.conf file of the new DC.

I did maintenance on Samba 4 DC1:

samba-tool dbcheck --cross-ncs --fix --yes
Checking 6340 objects
Checked 6340 objects (0 errors)

I cleaned up DNS records.

However, the following error occurred:

root at samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k yes -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for EMPRESA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=EMPRESA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)

Do I need to manually enter information (ldap and kerberos) about the new DC in the DNS entries in the msdcs.empresa.com.br and empresa.com.br trees?

Regards,

Márcio Bacci

On Thu, 8 Aug 2019 at 11:48, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai marcio,

As far i can see, most look ok to me.

A few very small points.

First change this :

> cat /etc/hosts
> 192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
> 192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135  win-dc2.empresa.com.br.    wind-dc2
>
>
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20

To

/etc/hosts
192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
192.168.1.20   samba4-dc1.empresa.com.br  samba4-dc1
10.133.84.135  win-dc2.empresa.com.br     wind-dc2

/etc/resolv.conf
search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19

Now, question.

Is this the first attempt to join this server?
If not, what I guess based on the output below.

- Then verify in the dns and AD if the old server is completely removed.
  And take your time for this.
- cleanup /var/lib/samba ( remove all files there and in subfolders, keep the folders )
- cleanup /var/cache/samba ( remove all files there and in subfolders, keep the folders )
- remove /etc/samba/smb.conf

> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have
> been revoked)

So this really looks like leftovers from previous attempt, so there must be something in the AD domain with that hostname.
That that one is revoked.

Then, after a good cleanup, you can try to join again.

After the join, reboot

Then change :

/etc/resolv.conf
search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio Bacci via samba
> Sent: Thursday 8 August 2019 16:26
> To: sambalist
> Subject: [Samba] Problems joining Samba 4 in the domain
>
> Hi,
>
> I have 2 DC in my network.
>
> DC master is a Samba 4 and the secondary is Windows Server 2008.
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
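As an added example (not code from the thread or from the Samba project), the POSIX sh script below turns the two fixes Louis asks for in his reply quoted above into checks that can be run on a new DC before and after the join: no trailing dot on the FQDN in /etc/hosts, and the existing DCs listed first in /etc/resolv.conf before the join with the new DC's own address first only after the join and reboot. The function names and the choice of 192.168.1.19 as the new DC's own address are assumptions; the file contents are constructed inline from the values posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: pre-/post-join
# name resolution checks for a new Samba AD DC, based on Louis's advice.
# File contents are constructed inline from the thread's hosts/resolv.conf.

# check_hosts_file CONTENT
# Flags /etc/hosts lines whose first name is not a bare FQDN: a trailing dot
# (the thread's "samba4-dc1.empresa.com.br.") or a short name placed first.
# Prints each offending line; returns 1 if anything was flagged, else 0.
check_hosts_file() {
    bad=0
    while read -r ip fqdn rest; do
        case "$ip" in ''|'#'*) continue ;; esac      # skip blanks and comments
        case "$fqdn" in
            *.)  echo "trailing dot on FQDN: $ip $fqdn"; bad=1 ;;
            *.*) ;;                                   # host.domain form: fine
            *)   echo "short name before FQDN: $ip $fqdn"; bad=1 ;;
        esac
    done <<EOF
$1
EOF
    return $bad
}

# check_resolv_conf CONTENT SELF_IP PHASE
# PHASE "prejoin": the first nameserver must be an existing DC, not SELF_IP
# (the new DC has no AD DNS yet). PHASE "postjoin": SELF_IP must come first,
# as Louis says to switch to after the reboot. Returns 1 on a violation.
check_resolv_conf() {
    self=$2; phase=$3; first=""
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        if [ -z "$first" ]; then first=$value; fi     # remember the first one
    done <<EOF
$1
EOF
    if [ -z "$first" ]; then echo "no nameserver lines"; return 1; fi
    case "$phase" in
        prejoin)
            if [ "$first" = "$self" ]; then
                echo "prejoin: own address $self must not be the first nameserver"
                return 1
            fi ;;
        postjoin)
            if [ "$first" != "$self" ]; then
                echo "postjoin: first nameserver is $first, expected own address $self"
                return 1
            fi ;;
        *) echo "unknown phase: $phase"; return 2 ;;
    esac
    return 0
}

# Constructed inputs: the /etc/hosts Marcio posted, the version Louis corrected,
# and Louis's pre-join and post-join resolv.conf; 192.168.1.19 is the new DC.
SELF_IP=192.168.1.19
HOSTS_POSTED='192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135  win-dc2.empresa.com.br.    wind-dc2'
HOSTS_FIXED='192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
192.168.1.20   samba4-dc1.empresa.com.br  samba4-dc1
10.133.84.135  win-dc2.empresa.com.br     wind-dc2'
RESOLV_PREJOIN='search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19'
RESOLV_POSTJOIN='search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135'

# run_checks: runs every check on the constructed inputs and reports.
# On a real host use check_hosts_file "$(cat /etc/hosts)" and likewise for
# /etc/resolv.conf. Always returns 0 so the script can be sourced.
run_checks() {
    echo "== posted /etc/hosts"; check_hosts_file "$HOSTS_POSTED" || echo "   -> fix before joining"
    echo "== fixed /etc/hosts";  check_hosts_file "$HOSTS_FIXED" && echo "   -> ok"
    echo "== pre-join resolv.conf"
    check_resolv_conf "$RESOLV_PREJOIN" "$SELF_IP" prejoin && echo "   -> ok"
    echo "== post-join resolv.conf"
    check_resolv_conf "$RESOLV_POSTJOIN" "$SELF_IP" postjoin && echo "   -> ok"
    return 0
}
run_checks
```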