Alex Ferrara
2014-Sep-10 04:09 UTC
[Samba] Unable to join new domain controller to Samba4 domain
Hi folks,

Everything is working great and I am not having any issues with the three domain
controllers that I currently have set up. We are migrating from Puppet to
Ansible for configuration management, and I decided to create a playbook that
will do all the things necessary to set up a DC and join the domain. I have
found that in the domain joining process, an error stops replication from
happening, and therefore stops the join. Replication to the currently joined
servers is working fine, as reported by "samba-tool drs showrepl".

In the past, I extended the Samba4 schema to allow for our groupware SOGo server
to load calendar resources from AD (http://wiki.sogo.nu/ResourceConfiguration).
This did not cause me any grief at the time, but the object that is generating
the errors is one of the calendar resources that I have created.

Below is the output from the attempted domain join:

# samba-tool domain join hq.domain.com.au DC -Uadministrator --realm=hq.achievecorp.com.au --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'hq.domain.com.au'
Found DC zeus.hq.domain.com.au
Password for [DOMAIN\administrator]:
workgroup is DOMAIN
realm is hq.domain.com.au
checking sAMAccountName
Adding CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
Adding CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
Adding CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
Adding SPNs to CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
Setting account password for SERVER$
Enabling account
Adding DNS account CN=dns-SERVER,CN=Users,DC=hq,DC=domain,DC=com,DC=au with dns/ SPN
Setting account password for dns-SERVER
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=hq,DC=domain,DC=com,DC=au
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[402/2383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[804/2383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1206/2383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1608/2383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[2010/2383] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[2383/2383] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[402/1634] linked_values[0/0]
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[804/1634] linked_values[0/0]
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1206/1634] linked_values[0/0]
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1608/1634] linked_values[0/0]
Partition[CN=Configuration,DC=hq,DC=domain,DC=com,DC=au] objects[1634/1634] linked_values[48/0]
Replicating critical objects from the base DN of the domain
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[103/103] linked_values[34/0]
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[505/543] linked_values[0/0]
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[646/543] linked_values[389/0]
No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!?: Object class violation
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SERVER,OU=Domain Controllers,DC=hq,DC=domain,DC=com,DC=au
Deleted CN=dns-SERVER,CN=Users,DC=hq,DC=domain,DC=com,DC=au
Deleted CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
Deleted CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 555, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1172, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1077, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 817, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E alex at receptiveit.com.au
W www.receptiveit.com.au
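
For anyone automating the join from a playbook as described above (an added example, not part of the original post and not Samba code): a small Python parser that pulls the failing object DN, the partition being replicated and the WERROR code out of captured `samba-tool domain join` output, tolerating DNs that were wrapped across lines. The function name and result keys are assumptions; the sample is constructed from the failing tail of the output in this thread.

```python
import re

# Constructed sample: failing tail of the join output from this thread,
# with the line-wrapped DN ("CN=Wealth" / "Room,...") kept as an edge case.
SAMPLE = """\
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[505/543] linked_values[0/0]
Partition[DC=hq,DC=domain,DC=com,DC=au] objects[646/543] linked_values[389/0]
No objectClass found in replPropertyMetaData for CN=Wealth
Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD:
No objectClass found in replPropertyMetaData for CN=Wealth
Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!?: Object class
violation
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
"""

# Replication progress lines: "Partition[<NC>] objects[n/m]" or "Schema-DN[<NC>] ..."
PROGRESS = re.compile(r"(?:Partition|Schema-DN)\[([^\]]+)\]\s+objects\[(\d+)/(\d+)\]")
# The DN runs up to the "!" that Samba appends; re.S lets it span wrapped lines.
BAD_OBJECT = re.compile(
    r"No objectClass found in replPropertyMetaData for\s+(.+?)!", re.S)
WERR = re.compile(r"Failed to commit objects:\s+(\w+)")


def analyse_join_output(text):
    """Summarise a captured join log (hypothetical helper for a playbook)."""
    last_partition = None
    for m in PROGRESS.finditer(text):
        last_partition = m.group(1)  # the last progress line names the failing NC
    # Collapse wrapped whitespace inside the DN and drop repeated reports.
    bad = sorted({" ".join(m.group(1).split()) for m in BAD_OBJECT.finditer(text)})
    werr = WERR.search(text)
    return {
        "failed": bool(bad) or "Join failed" in text,
        "partition": last_partition,
        "bad_objects": bad,
        "werror": werr.group(1) if werr else None,
    }


if __name__ == "__main__":
    print(analyse_join_output(SAMPLE))
```

The DN it reports is the object to inspect on the existing DCs before retrying the join.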
Rowland Penny
2014-Sep-10 10:34 UTC
[Samba] Unable to join new domain controller to Samba4 domain
On 10/09/14 05:09, Alex Ferrara wrote:
> [...]
> No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!
> Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for CN=Wealth Room,OU=Resources,OU=Users,OU=Site,DC=hq,DC=domain,DC=com,DC=au!?: Object class violation
> Failed to commit objects: WERR_GENERAL_FAILURE
> Join failed - cleaning up
> [...]

Known problem, last raised in August, see here:
https://lists.samba.org/archive/samba/2014-August/184571.html
and here:
https://lists.samba.org/archive/samba-technical/2014-February/098052.html
and bug report here:
https://bugzilla.samba.org/show_bug.cgi?id=10398

Rowland