Rowland Penny
2024-Aug-09 14:09 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
On Fri, 9 Aug 2024 13:38:35 +0200
Mitja Tavčar via samba <samba@lists.samba.org> wrote:

> Hi,
>
> I'm trying to join a Debian bookworm running samba (Version 4.17.12-Debian) as an additional DC to an Active Directory domain. The domain is already running on 2 Windows 2019 DCs (hostnames vmw2srvdc1 and vmw2srvdc2) and the functional level of the AD domain is 2008 R2.
>
> I followed the samba wiki instructions at:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> I also made another Site in AD to which I want the new samba domain controller to join. So in the command I also used the --site option.
>
> This is the command I used for my last attempt:
> samba-tool domain join intra.comune.trento.it DC --site PSN --server vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
>
> Join always fails after adding the DNS records for LVSRVDC.intra.comune.trento.it (my new domain controller).
>
> I tried varying some options (authentication via username/password instead of Kerberos and also switching between the BIND9_DLZ and SAMBA_INTERNAL DNS backends) but the join process always fails, apparently at the same point. From the logs the error would appear in adding the DNS record for the new domain controller, but I also noticed the "Could not find machine account in secrets database: Failed to fetch machine account password for INTRA from both secrets.ldb" error, which could be the problem.
>
> The samba server is a new Debian bookworm setup that was not used for other purposes, and between the various attempts I also deleted all .ldb and .tdb databases from /var/lib/samba/, /var/cache/samba and /run/samba and subfolders and the /etc/samba/smb.conf, as suggested in the wiki above for a cleaner start.

Can you please try again with Samba from Bookworm backports, that will get you 4.20.2; there has been better support for Windows domains added.

As you are using Kerberos for the join, I take it you are running samba-tool as root, so have you also run 'kinit Administrator' as root?

Rowland
Mitja Tavčar
2024-Aug-09 15:51 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
On Fri, 09/08/2024 at 15.09 +0100, Rowland Penny via samba wrote:

> On Fri, 9 Aug 2024 13:38:35 +0200
> Mitja Tavčar via samba <samba@lists.samba.org> wrote:
>
> > Hi,
> >
> > I'm trying to join a Debian bookworm running samba (Version 4.17.12-Debian) as an additional DC to an Active Directory domain. The domain is already running on 2 Windows 2019 DCs (hostnames vmw2srvdc1 and vmw2srvdc2) and the functional level of the AD domain is 2008 R2.
> >
> > I followed the samba wiki instructions at:
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >
> > I also made another Site in AD to which I want the new samba domain controller to join. So in the command I also used the --site option.
> >
> > This is the command I used for my last attempt:
> > samba-tool domain join intra.comune.trento.it DC --site PSN --server vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
> >
> > Join always fails after adding the DNS records for LVSRVDC.intra.comune.trento.it (my new domain controller).
> >
> > I tried varying some options (authentication via username/password instead of Kerberos and also switching between the BIND9_DLZ and SAMBA_INTERNAL DNS backends) but the join process always fails, apparently at the same point. From the logs the error would appear in adding the DNS record for the new domain controller, but I also noticed the "Could not find machine account in secrets database: Failed to fetch machine account password for INTRA from both secrets.ldb" error, which could be the problem.
> >
> > The samba server is a new Debian bookworm setup that was not used for other purposes, and between the various attempts I also deleted all .ldb and .tdb databases from /var/lib/samba/, /var/cache/samba and /run/samba and subfolders and the /etc/samba/smb.conf, as suggested in the wiki above for a cleaner start.
>
> Can you please try again with Samba from Bookworm backports, that will get you 4.20.2; there has been better support for Windows domains added.

Ok, I installed samba from bookworm-backports.

root@lvsrvdc:~# samba -V
Version 4.20.2-Debian-4.20.2+dfsg-6~bpo12+1

> As you are using Kerberos for the join, I take it you are running samba-tool as root, so have you also run 'kinit Administrator' as root?

Yes, I issued all commands as root:

root@lvsrvdc:~# kinit administrator@INTRA.COMUNE.TRENTO.IT
Password for administrator@INTRA.COMUNE.TRENTO.IT:
root@lvsrvdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@INTRA.COMUNE.TRENTO.IT

Valid starting       Expires              Service principal
08/09/2024 17:22:51  08/10/2024 03:22:51  krbtgt/INTRA.COMUNE.TRENTO.IT@INTRA.COMUNE.TRENTO.IT
        renew until 08/10/2024 17:22:45

and

root@lvsrvdc:~# samba-tool domain join intra.comune.trento.it DC --site PSN --use-kerberos=desired --server vmw2srvdc2.intra.comune.trento.it

But even with the 4.20.2 version the error seems to be always at the same point. I was thinking whether I forgot to check some permission in my domain, for example on DNS. Something that would prevent the new controller's DNS records? The original domain was not deployed as 2008R2 but as Windows 2000 and then upgraded to 2003 and subsequently to the 2008R2 level. But we have not encountered any problems so far.

So here is the final part of the log from the last run with the 4.20.2 version. I see no other errors along the log, just some warnings.

(....)
Repacking database from v1 to v2 format (first record CN=Infrastructure,DC=ForestDnsZones,DC=intra,DC=comune,DC=trento,DC=it)
Repacking database from v1 to v2 format (first record DC=108,DC=12.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it)
Repack: re-packed 10000 records so far
Repack: re-packed 20000 records so far
Repack: re-packed 30000 records so far
Repack: re-packed 40000 records so far
Repack: re-packed 50000 records so far
Repack: re-packed 60000 records so far
Repack: re-packed 70000 records so far
Repack: re-packed 80000 records so far
Repack: re-packed 90000 records so far
Repack: re-packed 100000 records so far
Repack: re-packed 110000 records so far
Repack: re-packed 120000 records so far
Repack: re-packed 130000 records so far
Repack: re-packed 140000 records so far
Repack: re-packed 150000 records so far
Repack: re-packed 160000 records so far
Repack: re-packed 170000 records so far
INFO 2024-08-09 17:25:03,269 pid:4149 /usr/lib/python3/dist-packages/samba/join.py #1104: Committed SAM database
INFO 2024-08-09 17:25:03,290 pid:4149 /usr/lib/python3/dist-packages/samba/join.py #1180: Adding 1 remote DNS records for LVSRVDC.intra.comune.trento.it
Join failed - cleaning up
Deleted CN=RID Set,CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
ERROR(<class 'UnboundLocalError'>): uncaught exception - cannot access local variable 'res' where it is not associated with a value
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1518, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1215, in join_add_dns_records
    for rec in res.rec:
               ^^^

Mitja Tavčar
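The traceback at the end of the thread ends in `for rec in res.rec` raising UnboundLocalError, which tells the reader only that the DNS enumeration call never produced a result, not why. The following is an added example, not Samba's join.py and not code from either poster: it reconstructs the Python pattern that yields exactly that symptom (a variable bound only on the success path of a try/except) beside a hardened form that binds the variable on every path and surfaces the real DNS failure. The DNS client, error codes, record types, hostnames and addresses are all constructed for the example; whether Samba's code has this shape is an assumption.

```python
"""Added example: why a failed DNS lookup can surface as UnboundLocalError.

This is NOT Samba's join.py. It is a stand-alone illustration of the Python
pattern behind a traceback such as "cannot access local variable 'res' where
it is not associated with a value" at `for rec in res.rec`. Everything below
(client, error codes, records, names) is constructed for the example.
"""
from dataclasses import dataclass, field


class DnsRpcError(Exception):
    """Stand-in for the RPC error a DNS enumeration call can raise."""

    def __init__(self, code, message):
        super().__init__(code, message)
        self.code = code
        self.message = message


# Hypothetical error codes for the example (not Samba's werror constants).
NAME_DOES_NOT_EXIST = "NAME_DOES_NOT_EXIST"
ACCESS_DENIED = "ACCESS_DENIED"


@dataclass
class Record:
    rtype: str
    data: str


@dataclass
class EnumResult:
    rec: list = field(default_factory=list)


class FakeDnsClient:
    """Constructed DNS server stand-in: a dict of name -> records, plus a
    switch that makes every call fail as if the caller lacked permission."""

    def __init__(self, zone_data, deny=False):
        self.zone_data = zone_data
        self.deny = deny

    def enum_records(self, name):
        if self.deny:
            raise DnsRpcError(ACCESS_DENIED, "caller lacks read access on zone")
        if name not in self.zone_data:
            raise DnsRpcError(NAME_DOES_NOT_EXIST, name)
        return EnumResult(rec=list(self.zone_data[name]))


def existing_addresses_masked(client, name):
    """Fragile shape: `res` is bound only when enum_records() succeeds.
    'Name not found' is tolerated by the except clause, but nothing assigns
    `res` on that path, so the loop below fails with UnboundLocalError and
    the tolerated condition is never reported."""
    try:
        res = client.enum_records(name)
    except DnsRpcError as e:
        if e.code != NAME_DOES_NOT_EXIST:
            raise
    found = []
    for rec in res.rec:  # UnboundLocalError whenever the call did not return
        found.append(rec.data)
    return found


def existing_addresses_fixed(client, name):
    """Hardened shape: every path binds `res`, the tolerated condition is an
    explicit empty result, and any other failure is re-raised with context
    (the original error is kept as __cause__ for the log)."""
    try:
        res = client.enum_records(name)
    except DnsRpcError as e:
        if e.code != NAME_DOES_NOT_EXIST:
            raise RuntimeError(
                f"DNS enumeration for {name!r} failed: {e.code}: {e.message}"
            ) from e
        res = EnumResult(rec=[])  # name absent: nothing to compare against
    return [rec.data for rec in res.rec]


def masked_symptom(client, name):
    """Return the exception class name the fragile version raises, or 'ok'.
    Shows that 'not found' and 'permission denied' look different only in
    the hardened version."""
    try:
        existing_addresses_masked(client, name)
        return "ok"
    except Exception as e:  # noqa: BLE001 - diagnostic helper
        return type(e).__name__


def diagnose(client, name):
    """Run the hardened lookup and return ('ok', addresses) or
    ('error', underlying DNS error code) for a log reader to act on."""
    try:
        return ("ok", existing_addresses_fixed(client, name))
    except RuntimeError as e:
        return ("error", e.__cause__.code)


if __name__ == "__main__":
    # Constructed zone: one A record for a hypothetical new DC.
    zone = FakeDnsClient({"newdc": [Record("A", "192.0.2.10")]})
    print(masked_symptom(zone, "missing"))  # UnboundLocalError: cause hidden
    print(diagnose(zone, "missing"))        # ('ok', []): absent, but explicit
    print(diagnose(FakeDnsClient({}, deny=True), "newdc"))  # ('error', 'ACCESS_DENIED')
```

When reading such a traceback in a join log, the practical takeaway is that the line it points at is rarely the line that failed; the DNS call just above it is, and the hardened form is what makes the log say so.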