Daniel Lopes de Carvalho
2020-Apr-07  14:59 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland,
I'll consider the update. But I need to back up this host (adc02) before,
because it is the only and the main DC on my network... =(
Find attached below the output of the script:
Config collected --- 2020-04-07-15:30 -----------
Hostname:   dcs01
DNS Domain: test.example.domain.br
Realm:      TEST.EXAMPLE.DOMAIN.BR
FQDN:       dcs01.test.example.domain.br
ipaddress:  177.X.X.3
-----------
Kerberos SRV _kerberos._tcp.test.example.domain.br record(s) verified ok, sample output:
Server: 177.X.X.69
Address: 177.X.X.69#53
_kerberos._tcp.test.example.domain.br service = 0 100 88 adc02.test.example.domain.br.
-----------
'kinit Administrator' checked successfully.
-----------
This computer is running Debian 9.12 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:aa:cc:e2 brd ff:ff:ff:ff:ff:ff
    inet 177.X.X.3/25 brd 177.X.X.127 scope global ens192
    inet6 fe80::20c:29ff:feaa:cce2/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
177.X.X.3 dcs01.test.example.domain.br dcs01
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search test.example.domain.br
nameserver 177.X.X.69
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = TEST.EXAMPLE.DOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat
group:          compat
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
-----------
Warning,  does not exist
-----------
Time on the DC with PDC Emulator role is: 2020-04-07T15:31:10
Time on this computer is:                 2020-04-07T15:31:10
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii  attr                          1:2.4.47-2+b2                     amd64
     Utilities for manipulating filesystem extended attributes
ii  krb5-config                   2.6                               all
     Configuration files for Kerberos Version 5
ii  krb5-locales                  1.15-1+deb9u1                     all
     internationalization support for MIT Kerberos
ii  krb5-user                     1.15-1+deb9u1                     amd64
     basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                 2.2.52-3+b1                       amd64
     Access control list shared library
ii  libattr1:amd64                1:2.4.47-2+b2                     amd64
     Extended attribute shared library
ii  libgssapi-krb5-2:amd64        1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64               1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries
ii  libkrb5support0:amd64         1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64          2:4.5.16+dfsg-1+deb9u2            amd64
     Samba nameservice integration plugins
ii  libpam-winbind:amd64          2:4.5.16+dfsg-1+deb9u2            amd64
     Windows domain authentication integration plugin
ii  libwbclient0:amd64            2:4.5.16+dfsg-1+deb9u2            amd64
     Samba winbind client library
ii  python-samba                  2:4.5.16+dfsg-1+deb9u2            amd64
     Python bindings for Samba
ii  samba                         2:4.5.16+dfsg-1+deb9u2            amd64
     SMB/CIFS file, print, and login server for Unix
ii  samba-common                  2:4.5.16+dfsg-1+deb9u2            all
     common files used by both the Samba server and client
ii  samba-common-bin              2:4.5.16+dfsg-1+deb9u2            amd64
     Samba common files used by both the server and the client
ii  samba-dsdb-modules            2:4.5.16+dfsg-1+deb9u2            amd64
     Samba Directory Services Database
ii  samba-libs:amd64              2:4.5.16+dfsg-1+deb9u2            amd64
     Samba core libraries
ii  samba-vfs-modules             2:4.5.16+dfsg-1+deb9u2            amd64
     Samba Virtual FileSystem plugins
ii  winbind                       2:4.5.16+dfsg-1+deb9u2            amd64
     service to resolve user and group information from Windows NT servers
-----------
Thanks again.
On Tue, Apr 7, 2020 at 11:09 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo:  http://apt.van-belle.nl/
> >
> >
> > Find below the output of samba-tool join command:
> >
> >  samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
>
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
Rowland penny
2020-Apr-07  18:55 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 15:59, Daniel Lopes de Carvalho wrote:
> Hi Rowland,
>
> I'll consider the update. But I need to back up this host (adc02)
> before, because it is the only and the main DC on my network... =(
>
> Find attached below the output of the script:
>
Nothing wrong there, is a firewall running on either machine?

Rowland
Daniel Lopes de Carvalho
2020-Apr-07  19:12 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
No, there is no firewall... They are on the same network without any blocking...

Let me tell you a little about my scenario...

When I installed Samba4 as my main AD (2018), I had ADC01 that was my primary DC and after I joined the ADC02 without any problem. And in the beginning of 2019, I joined a Windows Server 2008 R2 as my ADC03.

All of them worked well until (around a year) I had a hardware problem with ADC01 that I had to exec offline demote. After this problem, ADC03 is unable to sync with ADC02. I have uninstalled AD on ADC03 and tried to install it again but without success.

Then I tried this new DCS01 and here I am...

On Tue, Apr 7, 2020 at 3:56 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 07/04/2020 15:59, Daniel Lopes de Carvalho wrote:
> > Hi Rowland,
> >
> > I'll consider the update. But I need to back up this host (adc02)
> > before, because it is the only and the main DC on my network... =(
> >
> > Find attached below the output of the script:
> >
> Nothing wrong there, is a firewall running on either machine?
>
> Rowland
>
-- 
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
L.P.H. van Belle
2020-Apr-08  07:06 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
All I see is a missing acl package.
But that had nothing to do with not being able to join.

But try this.

Add in resolv.conf the IP of DCS02 and DCS03 in this order.
Try to join again.

As I see now, you're trying to join a server and that uses itself as resolving server, that does not work when you are joining.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 7 April 2020 20:56
> To: sambalist
> Subject: Re: [Samba] Join new DC to domain - advice to
> upgrade Samba 4.
>
> On 07/04/2020 15:59, Daniel Lopes de Carvalho wrote:
> > Hi Rowland,
> >
> > I'll consider the update. But I need to back up this host (adc02)
> > before, because it is the only and the main DC on my network... =(
> >
> > Find attached below the output of the script:
> >
> Nothing wrong there, is a firewall running on either machine?
>
> Rowland
>
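The resolv.conf advice in the message above can be checked before running `samba-tool domain join`. The following is an added example, not a script from this thread or from the Samba project; the function names are hypothetical and the sample addresses are constructed from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Pre-join resolver checks for a host about to become an additional Samba AD DC.
# Added example: function names are hypothetical, sample addresses are constructed.

# Print the nameserver addresses from a resolv.conf-style file, in file order.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_resolver FILE OWN_IP DNS_DOMAIN
# Offline check of the file contents. Returns 1 if any finding is FAIL.
check_resolver() {
    file=$1 own_ip=$2 domain=$3 rc=0
    first=$(list_nameservers "$file" | head -n 1)
    case "$first" in
        "") echo "FAIL: no nameserver entry in $file"; rc=1 ;;
        "$own_ip"|127.*|::1)
            echo "FAIL: first nameserver $first is this host, not an existing DC"; rc=1 ;;
        *)  echo "OK: first nameserver is $first" ;;
    esac
    if awk -v d="$domain" '$1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if ($i == d) found = 1
        } END { exit !found }' "$file"; then
        echo "OK: search list contains $domain"
    else
        echo "WARN: search list does not contain $domain"
    fi
    return $rc
}

# check_kdcs DNS_DOMAIN
# Live check (needs network, host(1) and nc(1)): every KDC published in the
# _kerberos._tcp SRV record must accept a TCP connection on its port.
check_kdcs() {
    host -t SRV "_kerberos._tcp.$1" |
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF, $(NF-1) }' |
    while read -r kdc port; do
        if nc -z -w 3 "$kdc" "$port"; then echo "OK: $kdc:$port reachable"
        else echo "FAIL: $kdc:$port unreachable"; fi
    done
}

# Constructed sample: a joining host at 192.0.2.3 whose resolv.conf lists itself first.
demo() {
    tmp=$(mktemp)
    printf 'search test.example.domain.br\nnameserver 192.0.2.3\nnameserver 192.0.2.69\n' > "$tmp"
    check_resolver "$tmp" 192.0.2.3 test.example.domain.br; status=$?
    rm -f "$tmp"
    return $status
}
demo || echo "demo host is not ready to join"
```

On a real host, run `check_resolver /etc/resolv.conf <own-ip> <dns-domain>` and then `check_kdcs <dns-domain>`; the second function covers the "Cannot contact any KDC" condition by testing the port each SRV record advertises.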
Daniel Lopes de Carvalho
2020-Apr-08  11:47 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Louis,

I installed the acl and edited resolv.conf as you suggested, but the error persists, unfortunately.

This weekend I'll take a snapshot of the working DC and try to update Debian and Samba. If there is some other thing to do before the update, let me know, please.

Thanks and best regards

On Wed, Apr 8, 2020 at 4:09 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> All I see is a missing acl package.
> But that had nothing to do with not being able to join.
>
> But try this.
>
> Add in resolv.conf the IP of DCS02 and DCS03 in this order.
> Try to join again.
>
> As I see now, you're trying to join a server and that uses itself as
> resolving server, that does not work when you are joining.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland penny via samba
> > Sent: Tuesday 7 April 2020 20:56
> > To: sambalist
> > Subject: Re: [Samba] Join new DC to domain - advice to
> > upgrade Samba 4.
> >
> > On 07/04/2020 15:59, Daniel Lopes de Carvalho wrote:
> > > Hi Rowland,
> > >
> > > I'll consider the update. But I need to back up this host (adc02)
> > > before, because it is the only and the main DC on my network... =(
> > >
> > > Find attached below the output of the script:
> > >
> > Nothing wrong there, is a firewall running on either machine?
> >
> > Rowland
> >
-- 
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221