On 30.06.2021 21:32, Rowland Penny via samba wrote:
> On Wed, 2021-06-30 at 20:42 +0200, Klaus Ade Johnstad via samba wrote:
>> I'm looking at a new hosting provider for a new project, and one of
>> the things we need set up is a Samba ReadOnly DC at the hosting places,
>> talking to our DC at the office over VPN. I've tried 4 different
>> hosting providers, and joining a Samba DC from 3 of these providers
>> works flawlessly. I have a script that sets up everything, so the setup
>> is identical everywhere. I use Debian 10 with the newest samba packages
>> from Louis.
>>
>> At one place this just does not work. The weird thing is that klist
>> works, ldapsearch works, I can even join as a normal member, just not
>> as a RODC, or normal DC for that matter. There is no firewall stopping
>> anything. I just wonder if anyone has seen something like this? Or if
>> they have an idea what might be stopping this?
>>
>> This is what I get every time, but only at 1 of the 4 different
>> hosting places I've tried:
>> samba-tool domain join s.d-s.no RODC -U"AD\\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' --server=dc01.s.d-s.no --option="interfaces=lo tun9" --option="bind interfaces only=yes"
>>
>
> Try it like this:
>
> samba-tool domain join s.d-s.no RODC -U Administrator --password=ADMINISTRATOR_PASSWORD --option='idmap_ldb:use rfc2307 = yes' --option="interfaces = lo tun9" --option="bind interfaces only = yes"
>
> I take it that everything else is identical, /etc/resolv.conf for
> instance.
>
> Rowland
>
>
>
Thanks for the answer, should have mentioned in my first mail that I
have tried that, but I did it again like you suggest. Everything is
identical across these 4 providers, the same /etc/hosts and
/etc/resolv.conf (with small local necessary changes).

samba-tool domain join s.d-s.no RODC -U Administrator --password=secret --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo tun9" --option="bind interfaces only=yes"
WARNING: Using password on command line is insecure. Please install the setproctitle python module.
INFO 2021-06-30 22:06:15,586 pid:764 /usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC for domain 's.d-s.no'
INFO 2021-06-30 22:06:16,188 pid:764 /usr/lib/python3/dist-packages/samba/join.py #108: Found DC dc01.s.d-s.no
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 681, in run
    backend_store_size=backend_store_size)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1483, in join_RODC
    backend_store_size=backend_store_size)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 120, in __init__
    raise DCJoinException(estr)

--
Klaus Ade Johnstad