Marcio Demetrio Bacci
2019-Aug-12 17:56 UTC
[Samba] Problems joining Samba 4 in the domain
Hi,

I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from the Debian 9 repository and was able to put it in the domain.

root@samba4-new-dc:/etc/samba# samba -V
Version 4.5.16-Debian

samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc1.empresa.com.br

root@samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc1.empresa.com.br
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc1.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,empresa.com.br
Adding CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, empresa.com.br
Adding CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, empresa.com.br
Using binding ncacn_ip_tcp:samba4-dc1.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc1.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc1.empresa.com.br<0x20>
Adding SPNs to CN=SAMBA4-NEW-DC,OU=Domain Controllers,empresa.com.br
Setting account password for SAMBA4-NEW-DC$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN empresa.com.br
Starting replication
Using binding ncacn_ip_tcp:samba4-dc1.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc1.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc1.empresa.com.br<0x20>
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[402/1518] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[804/1518] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1206/1518] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1518/1518] linked_values[0/0]
Analyze and apply schema objects
Replicated 1518 objects (0 linked attributes) for CN=Schema,CN=Configuration,empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[402/1984] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration, empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[804/1984] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration, empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1206/1984] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration, empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1608/1984] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration, empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1984/1984] linked_values[41/0]
Replicated 376 objects (41 linked attributes) for CN=Configuration, empresa.com.br
Replicating critical objects from the base DN of the domain
Partition[empresa.com.br] objects[101/101] linked_values[35/0]
Replicated 101 objects (35 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[503/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[905/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[1307/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[1709/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[2111/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[2281/2180] linked_values[1039/0]
Replicated 170 objects (1039 linked attributes) for empresa.com.br
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,empresa.com.br
Partition[DC=DomainDnsZones,empresa.com.br] objects[402/646] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for DC=DomainDnsZones, empresa.com.br
Partition[DC=DomainDnsZones,empresa.com.br] objects[646/646] linked_values[0/0]
Replicated 244 objects (0 linked attributes) for DC=DomainDnsZones, empresa.com.br
Replicating DC=ForestDnsZones,empresa.com.br
Partition[DC=ForestDnsZones,empresa.com.br] objects[37/37] linked_values[0/0]
Replicated 37 objects (0 linked attributes) for DC=ForestDnsZones, empresa.com.br
Committing SAM database
Discarding older DRS linked attribute update to member on CN=IIS_IUSRS,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,empresa.com.br from ad07f0d5-237c-4611-80a5-3751a318329b
Discarding older DRS linked attribute update to member on CN=Usuários da área de trabalho remota,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de acesso de autorização Windows,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de acesso de autorização Windows,CN=Builtin,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de Replicação de Senha RODC Nega,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Enterprise Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Replicator,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Replicator,CN=Builtin,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy Creator Owners,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Group Policy Creator Owners,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy Creator Owners,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy Creator Owners,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Schema Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Schema Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Schema Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EMPRESA (SID S-1-5-21-1712526294-259020848-313593124) as a DC

####################################################################################

However, I verified that the DNS records msdcs.empresa.com.br and empresa.com.br (ldap, kerberos, gc, tcp, udp) were not updated with the information of the new DC.

The following errors are verified:

samba-tool drs showrepl
Default-First-Site-Name\SAMBA4-DC1
DSA Options: 0x00000001
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
DSA invocationId: a20c8ed0-c72a-4e57-9e59-2236f127d0b8

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:30:49 2019 -03

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:30:49 2019 -03

CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:33:04 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:33:04 2019 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:30:49 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:33:26 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:33:26 2019 -03

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:00:39 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:00:39 2019 -03

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:15:55 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:15:55 2019 -03

CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:32:47 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:32:47 2019 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:00:39 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:00:39 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:14:45 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:14:45 2019 -03

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: c6393fbd-461c-4fd7-ac62-4801a3de43d2
    Enabled : TRUE
    Server DNS name : win-dc2.empresa.com.br
    Server DN name : CN=NTDS Settings,CN=WIN-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 3d74773c-19d4-4220-84b1-edc605f74633
    Enabled : TRUE
    Server DNS name : samba4-new-dc.empresa.com.br
    Server DN name : CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

samba-tool ldapcmp ldap://SAMBA4-DC1 ldap://SAMBA4-NEW-DC -UAdministrator
...
Comparing:
'CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br' [ldap://SAMBA4-DC1]
'CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br' [ldap://SAMBA4-NEW-DC]
    Difference in attribute values:
        servicePrincipalName =>
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/10292cde-6888-43a7-a067-26b95873f5a7/ empresa.com.br', 'GC/samba4-new-dc.empresa.com.br/empresa.com.br', 'HOST/SAMBA4-NEW-DC', 'HOST/samba4-new-dc.empresa.com.br']
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/10292cde-6888-43a7-a067-26b95873f5a7/ empresa.com.br', 'GC/samba4-new-dc.empresa.com.br/empresa.com.br', 'HOST/SAMBA4-NEW-DC', 'HOST/samba4-new-dc.empresa.com.br', 'HOST/ samba4-new-dc.empresa.com.br/EMPRESA', 'HOST/ samba4-new-dc.empresa.com.br/empresa.com.br', 'RestrictedKrbHost/SAMBA4-NEW-DC', 'RestrictedKrbHost/ samba4-new-dc.empresa.com.br', 'ldap/10292cde-6888-43a7-a067-26b95873f5a7._ msdcs.empresa.com.br', 'ldap/SAMBA4-NEW-DC', 'ldap/ samba4-new-dc.empresa.com.br', 'ldap/ samba4-new-dc.empresa.com.br/DomainDnsZones.empresa.com.br', 'ldap/ samba4-new-dc.empresa.com.br/ForestDnsZones.empresa.com.br', 'ldap/ samba4-new-dc.empresa.com.br/EMPRESA', 'ldap/ samba4-new-dc.empresa.com.br/empresa.com.br']
    FAILED
...
* DN lists have different size: 1644 != 1646
CN=52063d3d-86a8-4066-9fbb-7e62b245716a,CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
CN=a1d84f32-fe3a-4b54-8ff7-db309a4cf735,CN=NTDS Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
...

To solve these problems, can I add the records manually in DNS?

Example:

_ldap Local de serviço (SRV) [0][100][389] samba4-dc1.empresa.com.br. static
_ldap Local de serviço (SRV) [0][100][389] win-dc2.empresa.com.br. static
_ldap Local de serviço (SRV) [0][100][389] samba4-new-dc.empresa.com.br.

Regards,

Márcio Bacci

On Mon, 12 Aug 2019 at 12:41, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 12/08/2019 16:01, L.P.H. van Belle via samba wrote:
> > Ah, so the error changed..
> >
> > Can you try
> >
> > samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc01.empresa.com.br
> > so we try to join through samba4-dc1 and not the windows DC.
> You beat me to it Louis
> >
> > Looking at below again.
> > (objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > This looks familiar.. i have to look this up.. ( tomorrow, office is closing here.. sorry )
>
> Yes, it is familiar, but misleading ;-)
>
> You can ignore anything after: 'Join failed - cleaning up'
>
> The error occurred before this point.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
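
A small parser for the text output of `samba-tool drs showrepl` as posted in the message above, added here as an example (it is not part of the original thread and not Samba's own code). It groups the failed replication links by partner DC; the sample input is an excerpt trimmed from the posted output, and the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: excerpt trimmed from the showrepl output posted in the thread.
SAMPLE = r"""
Default-First-Site-Name\SAMBA4-DC1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\WIN-DC2 via RPC
        DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 12 14:30:49 2019 -03

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-NEW-DC via RPC
        DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
        Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
        9 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 3d74773c-19d4-4220-84b1-edc605f74633
    Warning: No NC replicated for Connection!
"""

SECTION = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+$")
PARTNER = re.compile(r"^(?P<site>[^\\]+)\\(?P<dc>\S+) via \S+$")
ATTEMPT = re.compile(
    r"^Last attempt @ .*?(?:was (?P<ok>successful)|failed, result \d+ \((?P<err>\w+)\))$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

@dataclass
class Link:
    direction: str            # "inbound" or "outbound"
    nc: str                   # naming context (partition) DN
    partner: str              # partner DC name
    ok: Optional[bool] = None
    error: Optional[str] = None
    failures: int = 0
    never_succeeded: bool = False

def parse_showrepl(text):
    """Return one Link per (direction, naming context, partner) block."""
    links, direction, nc, cur = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):
            m = SECTION.match(line)   # any other section (e.g. KCC) stops parsing
            direction, nc, cur = (m.group(1).lower() if m else None), None, None
        elif direction is None or not line:
            continue
        elif re.match(r"^(DC|CN)=", line):
            nc, cur = line, None
        elif (m := PARTNER.match(line)) and nc:
            cur = Link(direction, nc, m["dc"])
            links.append(cur)
        elif cur is None:
            continue
        elif m := ATTEMPT.match(line):
            cur.ok, cur.error = bool(m["ok"]), m["err"]
        elif m := FAILS.match(line):
            cur.failures = int(m.group(1))
        elif line == "Last success @ NTTIME(0)":
            cur.never_succeeded = True
    return links

def failing_partners(links):
    """Group failed links by partner DC."""
    report = {}
    for l in links:
        if l.ok is not False:
            continue
        e = report.setdefault(l.partner, {"links": [], "errors": set(),
                                          "max_failures": 0, "never_replicated": True})
        e["links"].append((l.direction, l.nc))
        e["errors"].add(l.error)
        e["max_failures"] = max(e["max_failures"], l.failures)
        e["never_replicated"] = e["never_replicated"] and l.never_succeeded
    return report
```

Feeding it the full output from the post gives a single failing partner, SAMBA4-NEW-DC, with WERR_BADFILE on every naming context in both directions and no successful replication since the join.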
On 12/08/2019 18:56, Marcio Demetrio Bacci wrote:
> Hi,
>
> I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from the Debian 9 repository and was able to put it in the domain.
>
> root@samba4-new-dc:/etc/samba# samba -V
> Version 4.5.16-Debian
>
> samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc1.empresa.com.br
>
> ####################################################################################
>
> However, I verified that the DNS records msdcs.empresa.com.br and empresa.com.br (ldap, kerberos, gc, tcp, udp) were not updated with the information of the new DC.

Try restarting Samba, this should force samba_dnsupdate to run and hopefully fill in the gaps, if all else fails, reboot.

Rowland
Marcio Demetrio Bacci
2019-Aug-12 18:42 UTC
[Samba] Problems joining Samba 4 in the domain
Hi,

I have restarted, but it didn't solve the problem.

/etc/init.d/samba-ad-dc status
samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-08-12 15:32:18 -03; 9s ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 575 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 22 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
           ├─575 /usr/sbin/samba
           ├─634 /usr/sbin/samba
           ├─635 /usr/sbin/samba
           ├─636 /usr/sbin/samba
           ├─637 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─638 /usr/sbin/samba
           ├─639 /usr/sbin/samba
           ├─640 /usr/sbin/samba
           ├─641 /usr/sbin/samba
           ├─642 /usr/sbin/samba
           ├─643 /usr/sbin/samba
           ├─644 /usr/sbin/samba
           ├─645 /usr/sbin/samba
           ├─646 /usr/sbin/samba
           ├─647 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─648 /usr/sbin/samba
           ├─653 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─654 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─655 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─658 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─659 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─660 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359025, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: NTLMSSP Sign/Seal - Initialising with flags:
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359054, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: Got NTLMSSP neg_flags=0x62088215
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362538, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: NTLMSSP Sign/Seal - Initialising with flags:
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362590, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: Got NTLMSSP neg_flags=0x62088215
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.390860, 0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: ERROR: Record already exists

My smb.conf follows:

cat /etc/samba/smb.conf
# Global parameters
[global]
    netbios name = SAMBA4-NEW-DC
    realm = EMPRESA.COM.BR
    workgroup = EMPRESA
    log level = 3
    server role = active directory domain controller
    dns forwarder = 192.168.1.1 192.168.1.2
    dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

[netlogon]
    path = /var/lib/samba/sysvol/empresa.com.br/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Regards,

Márcio Bacci

On Mon, 12 Aug 2019 at 15:11, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 12/08/2019 18:56, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from the Debian 9 repository and was able to put it in the domain.
> >
> > root@samba4-new-dc:/etc/samba# samba -V
> > Version 4.5.16-Debian
> >
> > samba-tool domain join empresa.com.br DC -k yes -d 3 --server=samba4-dc1.empresa.com.br
> >
> > ####################################################################################
> >
> > However, I verified that the DNS records msdcs.empresa.com.br and empresa.com.br (ldap, kerberos, gc, tcp, udp) were not updated with the information of the new DC.
>
> Try restarting Samba, this should force samba_dnsupdate to run and hopefully fill in the gaps, if all else fails, reboot.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba