Vincent Sherwood
2019-Sep-11 20:29 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
Hi,
I am trying to add a samba DC to an existing Domain that has 2 Win2016
Domain Controllers but is still running at Domain Functional and Forest
levels 2008R2.
When I run the join command it goes most of the way through before
eventually erring out, and backing out everything it had done.
The command I used is
samba-tool domain join MYDOMAIN DC -U"administrator at mydomain.ext" -d 5 --server=ExistingDC.mydomain.ext
The error I get is below. Note that the line numbers are slightly out of
line with the real code, as I have added some debug messages to try to
identify the issue.
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for MYDOMAIN from both secrets.ldb (Could not find entry
to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:4715) and from
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted .... (removed actual backout lines)
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 708, in run
    backend_store_size=backend_store_size)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1579, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1473, in do_join
    ctx.join_add_dns_records()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1209, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 1186, in dns_lookup
    dns_partition=dns_partition)
To debug, in the function dns_lookup in samdb.py I added some debug
messages as follows
def dns_lookup(self, dns_name, dns_partition=None):
    '''Do a DNS lookup in the database, returns the NDR database
    structures'''
    # Debug output: print() is given two arguments here, so the literal
    # "%s" is printed followed by the value, exactly as in the output below.
    print("DNS Lookup 3-1 self %s", self)
    print("DNS Lookup 3-1 dns_name %s", dns_name)
    print("DNS Lookup 3-1 dns_partition %s", dns_partition)
    # For comparison, show what the lookup without a partition would return
    print("DNS Lookup 3-2 - no partition would return - %s",
          dsdb_dns.lookup(self, dns_name))
    if dns_partition is None:
        print("DNS Lookup 3-2 dns_partition None")
        return dsdb_dns.lookup(self, dns_name)
    else:
        print("DNS Lookup 3-2 dns_partition Other")
        return dsdb_dns.lookup(self, dns_name,
                               dns_partition=dns_partition)
Below is the output
DNS Lookup 3-1 self %s <ldb connection>
DNS Lookup 3-1 dns_name %s DCSAMBA4A.mydomain.ext
DNS Lookup 3-1 dns_partition %s DC=DomainDnsZones,DC=mydomain,DC=ext
DNS Lookup 3-2 - no partition would return - %s
(Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'),
[<dnsp.DnssrvRpcRecord talloc based object at 0x3bd38e0>])
DNS Lookup 3-2 dns_partition Other
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database:.......
This domain was originally created under Windows 2000 and has been upgraded
over the years.
The most obvious thing I see is that the search is looking for a record in
DomainDnsZones which is not found. But the output of running the search
which would have been used if dns_partition=None finds that there is a
record in MicrosoftDNS. Not sure if that might be a clue to where things
started to go wrong at some earlier point in the process.
Anybody got any suggestions?
Thanks,
Vincent
Rowland penny
2019-Sep-11 20:47 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
On 11/09/2019 21:29, Vincent Sherwood via samba wrote:
> Hi,
>
> I am trying to add a samba DC to an existing Domain that has 2 Win2016
> Domain Controllers but is still running at Domain Functional and Forest
> levels 2008R2.
>
> When I run the join command it goes most of the way through before
> eventually erring out, and backing out everything it had done.
>
> The command I used is
> samba-tool domain join MYDOMAIN DC -U"administrator at mydomain.ext" -d 5
> --server=ExistingDC.mydomain.ext
>
> The error I get is below. Note that the line numbers are slightly out of
> line with the real code as I have added some debug messages to try to
> identify the issue.
>
> Join failed - cleaning up

Can we see the output BEFORE where the join failed? Anything after the failure is an artefact of the failure and can be ignored.

The problem is likely to be the schema version on the Windows 2016 DC.

Rowland
Rowland penny
2019-Sep-11 21:14 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
On 11/09/2019 21:59, Vincent Sherwood wrote:
> Here is the full output
>
> [user at DCSAMBA4A ~]# samba-tool domain join MYDOMAIN DC
> -U"administrator at mydomain.ext" --server=DC2016A.mydomain.ext
> Password for [administrator at mydomain.ext]:
> INFO 2019-09-11 21:55:09,790 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563:
> workgroup is MYDOMAIN
> INFO 2019-09-11 21:55:09,791 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566:
> realm is mydomain.ext
> Adding CN=DCSAMBA4A,OU=Domain Controllers,DC=mydomain,DC=ext
> Adding
> CN=DCSAMBA4A,CN=Servers,CN=IT-Solutions,CN=Sites,CN=Configuration,DC=mydomain,DC=ext
> Adding CN=NTDS
> Settings,CN=DCSAMBA4A,CN=Servers,CN=IT-Solutions,CN=Sites,CN=Configuration,DC=mydomain,DC=ext
> Adding SPNs to CN=DCSAMBA4A,OU=Domain Controllers,DC=mydomain,DC=ext
> Setting account password for DCSAMBA4A$
> Enabling account
> Calling bare provision
> INFO 2019-09-11 21:55:10,594 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2128: Looking up IPv4 addresses
> INFO 2019-09-11 21:55:10,595 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2145: Looking up IPv6 addresses
> WARNING 2019-09-11 21:55:10,596 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2152: No IPv6 address will be assigned
> INFO 2019-09-11 21:55:11,097 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2323: Setting up secrets.ldb
> INFO 2019-09-11 21:55:11,829 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2329: Setting up the registry
> INFO 2019-09-11 21:55:12,144 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2332: Setting up the privileges database
> INFO 2019-09-11 21:55:13,010 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2335: Setting up idmap db
> INFO 2019-09-11 21:55:13,626 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2342: Setting up SAM db
> INFO 2019-09-11 21:55:13,852 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #898: Setting up sam.ldb partitions and settings
> INFO 2019-09-11 21:55:13,853 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #910: Setting up sam.ldb rootDSE
> INFO 2019-09-11 21:55:14,036 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #1339: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> INFO 2019-09-11 21:55:14,502 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2395: A Kerberos configuration suitable for Samba AD has been
> generated at /usr/local/samba/private/krb5.conf
> INFO 2019-09-11 21:55:14,503 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
> #2396: Merge the contents of this file with your system krb5.conf or
> replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=mydomain,DC=ext
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext]
> objects[402/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext]
> objects[804/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext]
> objects[1206/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext]
> objects[1608/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext]
> objects[1816/1473] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[402/2926]
> linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[804/2926]
> linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1206/2926]
> linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1608/2926]
> linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1905/2926]
> linked_values[72/84]
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 5a8bd8f9-8944-4361-980b-75f6d05a6d27
> CN=Schema,CN=Configuration,DC=mydomain,DC=ext:
> WERR_DS_ADD_REPLICA_INHIBITED
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[2215/2926]
> linked_values[84/84]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=ext] objects[113/174] linked_values[9/65]
> Partition[DC=mydomain,DC=ext] objects[368/6057] linked_values[0/65]
> Partition[DC=mydomain,DC=ext] objects[770/6057] linked_values[0/65]
> Partition[DC=mydomain,DC=ext] objects[1014/6057] linked_values[51/65]
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 142e2e12-1e0b-4d96-acdd-a90523eaaea2
> CN=Configuration,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 2831226b-bd83-4e23-931f-9907170dff39
> DC=DomainDnsZones,DC=mydomain,DC=ext:
> WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition
> 820b5cf3-4b83-408f-aa65-7ffded9c0379
> DC=ForestDnsZones,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> Partition[DC=mydomain,DC=ext] objects[1259/6057] linked_values[65/65]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mydomain,DC=ext
> Partition[DC=DomainDnsZones,DC=mydomain,DC=ext] objects[9/9]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mydomain,DC=ext
> Partition[DC=ForestDnsZones,DC=mydomain,DC=ext] objects[21/21]
> linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=mydomain,DC=ext] objects[3]
> linked_values[0]
> Committing SAM database
> Repacking database from v1 to v2 format (first record
> CN=msSFU-30-Member-Of-Nis-Netgroup,CN=Schema,CN=Configuration,DC=mydomain,DC=ext)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=site-Display,CN=401,CN=DisplaySpecifiers,CN=Configuration,DC=mydomain,DC=ext)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=ext)
> Repacking database from v1 to v2 format (first record
> DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydomain,DC=ext)
> Repacking database from v1 to v2 format (first record CN=RID
> Set\0ADEL:943f4350-d597-46f3-a3fb-7be0d67d15fa,CN=Deleted
> Objects,DC=mydomain,DC=ext)
> Join test 2
> INFO 2019-09-11 21:55:31,259 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1116:
> Adding 1 remote DNS records for DCSAMBA4A.mydomain.ext
> Join test 2-1
> Join test 2-1
> Join test 2-2
> Join test 2-3
> Join test 2-4
> INFO 2019-09-11 21:55:31,435 pid:20279
> /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1184:
> Adding DNS A record DCSAMBA4A.mydomain.ext for IPv4 IP: 192.168.200.252
> Join test 2-5
> Join test 2-6
> Join test 2-7
> Join test 2-8
> Join test 2-8 DomainDNSzone %s DC=DomainDnsZones,DC=mydomain,DC=ext
> Join test 2-8 name %s DCSAMBA4A
> Join test 2-8 zone %s mydomain.ext
> DNS Lookup 3-1 self %s <ldb connection>
> DNS Lookup 3-1 dns_name %s DCSAMBA4A.mydomain.ext
> DNS Lookup 3-1 dns_partition %s DC=DomainDnsZones,DC=mydomain,DC=ext
> DNS Lookup 3-2 - no partition - %s
> (Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'),
> [<dnsp.DnssrvRpcRecord talloc based object at 0x490bc20>])
> DNS Lookup 3-2 dns_partition Other
> DNS Lookup 3-2 dns_partition Other - %s
> (Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'),
> [<dnsp.DnssrvRpcRecord talloc based object at 0x490bc20>])
> Join failed - cleaning up

I think you need to upgrade your DNS in AD, 'DC=mydomain.ext,CN=MicrosoftDNS,CN=System' should be 'DC=mydomain.ext,CN=MicrosoftDNS,DC=DomainDnsZones'

Rowland
Vincent Sherwood
2019-Sep-12 00:29 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
Rowland,
Thanks for the suggestion.
To help anyone else who might run into this same issue and find this
thread, I will detail what I found.
After much searching I finally found an article on the web that talked
about how the Replication options for the Microsoft DNS server changed in
Windows 2003. Since our DNS has been around since Windows 2000, the data was
still stored in AD in the old Windows 2000-compatible location. The
samba-tool clearly does not handle this situation. It expects to find the
DNS data in the new Windows 2003 and later storage location.
The recommendation in the article was to have the
_msdcs.mydomain.ext zone replicated to all DNS servers in this FOREST.
mydomain.ext zone replicated to all DNS servers in this DOMAIN.
To change the storage location of the DNS storage to the location
samba-tool expects to find the data in, I did the following
Open the Microsoft DNS manager
Expand the existing master Domain Controller
Expand the Forward Lookup Zones folder
Right-click on the domain, mydomain.ext, and select Properties
On the General tab the DNS showed as
Type: Active Directory-Integrated
Replication: All domain controllers in this domain (for Windows 2000
compatibility)
I clicked on the Change... button beside Replication and selected the
option
( ) To all DNS servers running on domain controllers in this domain:
mydomain.ext
I clicked OK, and then clicked Apply on the Properties dialog to save the
change.
I waited for the change to be replicated to the DNS server on the second
Windows DC, and then re-ran the samba-tool join command.
This time the samba-tool join succeeded.
Thanks for your help
Vincent
On Wed, 11 Sep 2019 at 22:15, Rowland penny via samba <samba at lists.samba.org> wrote:
> > Join failed - cleaning up
>
> I think you need to upgrade your DNS in AD,
> 'DC=mydomain.ext,CN=MicrosoftDNS,CN=System' should be
> 'DC=mydomain.ext,CN=MicrosoftDNS,DC=DomainDnsZones'
>
> Rowland
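The replication-scope change Vincent made through the DNS Manager GUI can also be checked and applied from PowerShell on a Windows DC with the DnsServer module; the zones still in the Windows 2000-compatible location report a ReplicationScope of Legacy. This is an added example, not code from the thread or from Samba; the DC name is a placeholder and the function names are this script's own.

```powershell
# Added example (not from the thread): list AD-integrated zones still stored in the
# Windows 2000-compatible location (ReplicationScope 'Legacy', i.e. under
# CN=MicrosoftDNS,CN=System in the domain partition) and optionally move them to the
# application partitions samba-tool expects (DomainDnsZones / ForestDnsZones).
# Requires the DnsServer RSAT module; run on or against a Windows DC.
function Get-LegacyDnsZone {
    [CmdletBinding()]
    param([string]$ComputerName = 'ExistingDC.mydomain.ext')   # placeholder DC name

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.IsDsIntegrated -and $_.ReplicationScope -eq 'Legacy' } |
        Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
}

function Repair-LegacyDnsZone {
    # Moves each legacy zone to the scope the thread settled on: the _msdcs zone
    # to all DNS servers in the forest, every other zone to all DNS servers in the domain.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = 'ExistingDC.mydomain.ext')   # placeholder DC name

    foreach ($zone in Get-LegacyDnsZone -ComputerName $ComputerName) {
        $scope = if ($zone.ZoneName -like '_msdcs.*') { 'Forest' } else { 'Domain' }
        if ($PSCmdlet.ShouldProcess($zone.ZoneName, "Set ReplicationScope to $scope")) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -ReplicationScope $scope
        }
    }
}

# Report first, preview with -WhatIf, and only then run without it. Wait for the
# change to replicate to every Windows DC before re-running 'samba-tool domain join'.
Get-LegacyDnsZone
Repair-LegacyDnsZone -WhatIf
```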