samba - Jun 2021 - Unable to join DC to domain.

I'm looking at a new hosting provider for a new project, and one of the 
things we need setup, is a Samba ReadOnly DC at the hosting places, 
talking to our DC at the office over vpn. I've tried 4 different 
hostingproviders, and joining a Samba DC from 3 of these providers works 
flawlessly. I have a script that sets up everything, so the setup is 
identical everywhere. I use Debian 10 with the newest samba packages 
from Louis.

At one place this just does not work. The weird thing is that klist 
works, ldapsearch works, I can even join as a normal member, just not as 
a RODC, or normal DC for that matter. There is no firewall stopping 
anything. I just wonder if anyone has seen something like this? Or if 
they have an idea what might be stopping this?

This is that I get every time, but only at 1 of the 4 different hosting 
places I've tried:
samba-tool domain join s.d-s.no RODC -U"AD\\Administrator" 
--dns-backend=SAMBA_INTERNAL  --option='idmap_ldb:use rfc2307 = yes' 
--server=dc01.s.d-s.no --option="interfaces=lo tun9" 
--option="bind
interfaces only=yes"
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
Can't
join, error: 00002020: Operation unavailable without authentication
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line
186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 
681, in run
     backend_store_size=backend_store_size)
   File "/usr/lib/python3/dist-packages/samba/join.py", line 1483, in 
join_RODC
     backend_store_size=backend_store_size)
   File "/usr/lib/python3/dist-packages/samba/join.py", line 120, in 
__init__
     raise DCJoinException(estr)


I have dumps for wireshark, and output from running samba in interactive 
mode with debug at level 9, if we need to dig further into this
-- 
Klaus Ade Johnstad
67E61D18B2C44F8A3DA35C6D849F9F5F 26FA477D

On Wed, 2021-06-30 at 20:42 +0200, Klaus Ade Johnstad via samba
wrote:
> I'm looking at a new hosting provider for a new project, and one of
> the 
> things we need setup, is a Samba ReadOnly DC at the hosting places, 
> talking to our DC at the office over vpn. I've tried 4 different 
> hostingproviders, and joining a Samba DC from 3 of these providers
> works 
> flawlessly. I have a script that sets up everything, so the setup is 
> identical everywhere. I use Debian 10 with the newest samba packages 
> from Louis.
> 
> At one place this just does not work. The weird thing is that klist 
> works, ldapsearch works, I can even join as a normal member, just not
> as 
> a RODC, or normal DC for that matter. There is no firewall stopping 
> anything. I just wonder if anyone has seen something like this? Or
> if 
> they have an idea what might be stopping this?
> 
> This is that I get every time, but only at 1 of the 4 different
> hosting 
> places I've tried:
> samba-tool domain join s.d-s.no RODC -U"AD\\Administrator" 
> --dns-backend=SAMBA_INTERNAL  --option='idmap_ldb:use rfc2307 =
yes'
> --server=dc01.s.d-s.no --option="interfaces=lo tun9" 
--option="bind
> interfaces only=yes"
> 
Try it like this:

samba-tool domain join s.d-s.no RODC -U Administrator --
password=ADMINISTRATOR_PASSWORD --option='idmap_ldb:use rfc2307 = yes'
--option="interfaces = lo tun9" --option="bind interfaces only =
yes"

I take it that everything else is identical, /etc/resolv.conf for
instance.

Rowland