Mike Edwards
2013-Jan-10 21:53 UTC
[Samba] cannot join an existing AD as either a RODC or DC w/ samba4
I'm unable to have samba4 join an existing AD domain as either an RODC
(preferable) or merely a DC.

AD domain is Win2k3, but we recently added a pair of Win2k8 DCs to it.
Domain functional level is Win2k3.


### Adding samba4 as an RODC ###

# samba-tool domain join -d5 my.domain RODC -U'adminuser at MY.DOMAIN' --server=nysv-vmdc3.my.domain
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [adminuser at MY.DOMAIN]:
Timed out smb_krb5 packet
Received smb_krb5 packet of length 148
Timed out smb_krb5 packet
Received smb_krb5 packet of length 1450
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is MY
realm is my.domain
checking sAMAccountName
Adding CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 19 LDAP_CONSTRAINT_VIOLATION - <000020B5: AtrErr: DSID-03152804, #2:
    0: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90786 (msDS-NeverRevealGroup)
    1: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90788 (msDS-RevealOnDemandGroup)> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 558, in run
    dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1071, in join_RODC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)


### Adding samba4 as a DC ###

# samba-tool domain join -d5 my.domain DC -U'adminuser at MY.DOMAIN' --server=nysv-vmdc3.my.domain
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:fef7:cd62%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::20c:29ff:fef7:cd6c%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.42.1 bcast=192.168.42.255 netmask=255.255.255.0
added interface eth0 ip=10.2.40.194 bcast=10.2.40.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [adminuser at MY.DOMAIN]:
Timed out smb_krb5 packet
Received smb_krb5 packet of length 148
Timed out smb_krb5 packet
Received smb_krb5 packet of length 1450
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is MY
realm is my.domain
checking sAMAccountName
Adding CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
Adding CN=NYSV-NIS1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain
Join failed - cleaning up
checking sAMAccountName
Deleted CN=NYSV-NIS1,OU=Domain Controllers,DC=my,DC=domain
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=my,DC=domain <0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sites,CN=Configuration,DC=my,DC=domain'> <>
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 518, in join_add_objects
    ctx.samdb.add(rec)


Any ideas?

--
Mike Edwards                     | If this email address disappears,
Unsolicited advertisements to    | assume it was spammed to death. To
this address are not welcome.    | reach me in that case, s/-.*@/@/

"Our progress as a nation can be no swifter than our progress in
education. The human mind is our fundamental resource."
  -- John F. Kennedy
Mike Edwards
2013-Jan-11 17:19 UTC
[Samba] cannot join an existing AD as either a RODC or DC w/ samba4
I'm stuck trying to figure out what the next step should be. Any hints
on what I could try?

On Thu, Jan 10, 2013 at 04:53:59PM -0500, Mike Edwards babbled thus:
> I'm unable to have samba4 join an existing AD domain as either an RODC
> (preferable) or merely a DC.
>
> AD domain is Win2k3, but we recently added a pair of Win2k8 DCs to it.
> Domain functional level is Win2k3.
>
>
> ### Adding samba4 as an RODC ###
>
*chomp*
>
> ### Adding samba4 as a DC ###
>
*chomp*

--
Mike Edwards                     | If this email address disappears,
Unsolicited advertisements to    | assume it was spammed to death. To
this address are not welcome.    | reach me in that case, s/-.*@/@/

"Our progress as a nation can be no swifter than our progress in
education. The human mind is our fundamental resource."
  -- John F. Kennedy