"I expect you don't have just copied your VMs disks without changing VMs hostname and FQDN. I expect you don't fully re-use smb.conf from another DC (you can do that but you must change hostname into smb.conf)."

1) These are new Ubuntu VMs, not cloned, built from scratch. I tried joining them with no smb.conf in /usr/local/samba/etc

"You have disabled SELinux too"

2) AFAIK Ubuntu uses AppArmor, not SELinux. I have not disabled AppArmor.

3) --show-deleted reveals a single instance of cbadc02:

itwerks at filer:~$ sudo /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted > ldbsearch_cross-ncs_deleted.txt
itwerks at filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep cbadc
dNSHostName: cbadc02.cb.cliffbells.com
dNSHostName: cbadc01.cb.cliffbells.com
dn: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
name: cbadc01
dc: cbadc01
distinguishedName: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDn
dNSHostName: cbadc01.cb.cliffbells.com
dNSHostName: cbadc01.cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
dNSHostName: cbadc02.cb.cliffbells.com
itwerks at filer:~$

This article seems to explain how to resolve this issue from a Windows ADC:

http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

How could I replicate the approach in a Samba AD?

Re: spinning up a new VM, I tried that with cbadc03... I'll try again with a radically different hostname this weekend.

JS


Hi JS,

You said in your first mail you have this very same behaviour with two new VMs you tried to join to your AD domain.

I expect you haven't just copied your VMs' disks without changing the VMs' hostname and FQDN. I expect you don't fully re-use smb.conf from another DC (you can do that, but you must change the hostname in smb.conf).

You have disabled SELinux too.

So you have 3 systems to be AD DCs:
cbaddc01 (working and running)
cbaddc02 (one of the two new VMs which refuses to be joined to the AD domain hosted on cbaddc01)
cbaddc03 (the other new VM, which also refuses to be joined)

I found this a few minutes ago, speaking about LDB:
http://somewoman.com/?p=261
Two options there interested me with regard to your issue:
--cross-ncs to search not only in the main DIT
--show-deleted to show deleted objects

In addition the --show-binary switch can be used to decode base64-encoded values when needed.

As I have no real idea about your issue, I would first try to set up a new VM with a different name, a very different name, to test whether your domain refuses to add any new DC (whatever the name) or only DCs with names already used.

2016-03-21 22:25 GMT+01:00 IT Admin <it at cliffbells.com>:
> No dice.
>
> Logged in to a workstation with RSAT installed. Added computer to OU Domain Controllers, closed ADUC, attempted join again.
>
> itwerks at cbadc03:~$ kinit Administrator
> Password for Administrator at CB.CLIFFBELLS.COM:
> itwerks at cbadc03:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Administrator at CB.CLIFFBELLS.COM
>
> Valid starting       Expires              Service principal
> 03/21/2016 17:21:42  03/22/2016 03:21:42  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>         renew until 03/22/2016 17:21:29, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
> [sudo] password for itwerks:
> Finding a writeable DC for domain 'cb.cliffbells.com'
> Found DC filer.cb.cliffbells.com
> Password for [WORKGROUP\administrator]:
> workgroup is CB
> realm is cb.cliffbells.com
> checking sAMAccountName
> Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
>     ctx.samdb.add(rec)
> itwerks at cbadc03:~
>
> Please advise.
>
> JS
>
> On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny at samba.org> wrote:
> > On 21/03/16 04:26, IT Admin wrote:
> >
> >> I cannot join two new VMs to my domain, I receive the following error on both machines:
> >>
> >> itwerks at cbadc03:~$ kinit Administrator
> >> Password for Administrator at CB.CLIFFBELLS.COM:
> >> itwerks at cbadc03:~$ klist -e
> >> Ticket cache: FILE:/tmp/krb5cc_1000
> >> Default principal: Administrator at CB.CLIFFBELLS.COM
> >>
> >> Valid starting       Expires              Service principal
> >> 03/21/2016 00:19:56  03/21/2016 10:19:56  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
> >>         renew until 03/22/2016 00:19:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
> >> Finding a writeable DC for domain 'cb.cliffbells.com'
> >> Found DC filer.cb.cliffbells.com
> >> Password for [WORKGROUP\administrator]:
> >> workgroup is CB
> >> realm is cb.cliffbells.com
> >> checking sAMAccountName
> >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> >> Join failed - cleaning up
> >> checking sAMAccountName
> >> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
> >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
> >>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
> >>     ctx.do_join()
> >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
> >>     ctx.join_add_objects()
> >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
> >>     ctx.samdb.add(rec)
> >> itwerks at cbadc03:~$
> >>
> >> Neither machine exists in ADUC on either of my current DCs. Neither machine has any records in DNS. I ran ldbsearch and dumped its output to a text file; there are no references to either machine name in the file.
> >>
> >> Please advise.
> >>
> >> JS
> >>
> >
> > The join seems to be failing because it seems to be trying to add an objectSid that already exists:
> >
> > unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> >
> > Try pre-creating the computer in 'OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
> >
> > Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Good times...

Spent hours today rolling a fresh VM.

FAIL

itwerks at testes:~$ kinit administrator
Password for administrator at CB.CLIFFBELLS.COM:
itwerks at testes:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator at CB.CLIFFBELLS.COM

Valid starting       Expires              Service principal
03/27/2016 00:07:04  03/27/2016 10:07:04  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
        renew until 03/28/2016 00:06:59, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks at testes:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
    ctx.samdb.add(rec)

sigh.

*&@$^@&$(@*$&@^$@!)($#)(^)%@*%_

Please advise.
JS

On Fri, Mar 25, 2016 at 1:19 PM, IT Admin <it at cliffbells.com> wrote:
> [...]
I ran ldbsearch on my sam.ldb. I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join the domain); results are below:

CBADC02 shows up a few times:

# record 1906
dn: CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20160310044543.0Z
uSNCreated: 4215
objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
systemFlags: 1375731712
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
isDeleted: TRUE
name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4261
distinguishedName: CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com

# record 2372
dn: CN=NTDS Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
instanceType: 4
whenCreated: 20160310044546.0Z
uSNCreated: 4214
objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
systemFlags: 33554432
cn:: TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isDeleted: TRUE
name:: TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4259
distinguishedName: CN=NTDS Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com

# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321212014.0Z
uSNCreated: 4287
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
whenChanged: 20160327050242.0Z
uSNChanged: 4293
distinguishedName: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com

# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160310044542.0Z
uSNCreated: 4212
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
userAccountControl: 532480
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
whenChanged: 20160318045619.0Z
isDeleted: TRUE
uSNChanged: 4253
name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
distinguishedName: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com

CBADC03 is there once:

# record 3431
dn: CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted Obje$
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321211933.0Z
uSNCreated: 4286
objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
name:: Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
whenChanged: 20160327050527.0Z
uSNChanged: 4294
distinguishedName: CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com

TESTES is nowhere to be found and still fails due to ObjectSID. I don't understand how that is even possible.

I also manually inspected ADUC, ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01) and removed all references to CBADC02 & CBADC03. Replication between FILER and CBADC01 is successful. RSync replication of sysvol from FILER to CBADC01 is running via cron.

I am spun. I've been banging my head against Samba since 12/17/2015. Please advise, I need to get these VMs joined to the domain so I can seize FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^ database every 36 hours.

JS

On Sun, Mar 27, 2016 at 12:15 AM, IT Admin <it at cliffbells.com> wrote:
> [...]
Controllers,DC=cb,DC=cliffbells,DC=com - >> > >> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on >> objectSid >> > >> in >> > >> CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <> >> > >> File >> > >> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", >> > >> line 175, in _run >> > >> return self.run(*args, **kwargs) >> > >> File >> > >> >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", >> > >> line >> > >> 621, in run >> > >> machinepass=machinepass, use_ntvfs=use_ntvfs, >> > >> dns_backend=dns_backend) >> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", >> > line >> > >> 1183, in join_DC >> > >> ctx.do_join() >> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", >> > line >> > >> 1086, in do_join >> > >> ctx.join_add_objects() >> > >> File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", >> > line >> > >> 536, in join_add_objects >> > >> ctx.samdb.add(rec) >> > >> itwerks at cbadc03:~$ >> > >> >> > >> Neither machine exists in ADUC on either of my current DCs. Neither >> > >> machine has any records in DNS. I ran ldbsearch and dumped it's >> output >> > to >> > >> a text file, there are no references to either machine name in the >> file. >> > >> >> > >> Please advise. >> > >> >> > >> JS >> > >> >> > > >> > > The join seems to be failing because it seems to be trying to add an >> > > objectsid that already exists: >> > > >> > > unique index violation on objectSid in CN=CBADC03,OU=Domain >> > > Controllers,DC=cb,DC=cliffbells,DC=com >> > > >> > > Try pre-creating the computer in 'OU=Domain >> > > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again. 
>> > > >> > > Rowland >> > > >> > > >> > > >> > > -- >> > > To unsubscribe from this list go to the following URL and read the >> > > instructions: https://lists.samba.org/mailman/options/samba >> > > >> > -- >> > To unsubscribe from this list go to the following URL and read the >> > instructions: https://lists.samba.org/mailman/options/samba >> > >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >
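The thread turns on finding which object already holds the objectSid (or sAMAccountName, or dNSHostName) that the join tries to add, and the only tool used so far is grep over a saved ldbsearch dump. Below is an added example, written for this page and not code from the thread or from the Samba project, that does that comparison properly: it parses the LDIF-style output of the `ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted` command quoted above and reports every value of those three attributes that more than one object holds, marking tombstones. The dump embedded in it is constructed (the SIDs, the GUID and the tombstone record are made up to reproduce the collision the error message names); it assumes only the standard AD attribute names and the way ldb linearises a deleted RDN, and it needs no Samba Python modules.

```python
"""Report objects in an ldbsearch dump that collide on attributes samba-tool
checks while adding a DC account.  Added example; embedded dump is constructed."""
import base64
import sys
from collections import defaultdict

# Attributes that must be unique within a domain; objectSid is the one named
# in the "unique index violation" error quoted in the thread.
KEY_ATTRS = ("objectSid", "sAMAccountName", "dNSHostName")


def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {lowercased attr: [values]}.
    Handles '#' comment lines, 'attr:: base64' values and continuation lines
    (a line starting with one space continues the previous line)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):             # "# record N" comments
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):             # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def is_deleted(entry):
    """True for tombstones: isDeleted is TRUE and/or the DN carries the
    '\\0ADEL:<guid>' marker ldb uses when it linearises a deleted RDN."""
    dn = entry.get("dn", [""])[0]
    flags = {v.upper() for v in entry.get("isdeleted", [])}
    return "TRUE" in flags or "\\0ADEL:" in dn


def _key(attr, value):
    # Account and host names compare case-insensitively in AD; a SID string
    # is already canonical.
    return value if attr == "objectSid" else value.lower()


def find_conflicts(text):
    """Return {attr: {value: [(dn, is_tombstone), ...]}} restricted to values
    of KEY_ATTRS that more than one object holds."""
    holders = {attr: defaultdict(list) for attr in KEY_ATTRS}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        deleted = is_deleted(entry)
        for attr in KEY_ATTRS:
            for value in entry.get(attr.lower(), []):
                holders[attr][_key(attr, value)].append((dn, deleted))
    return {attr: {v: h for v, h in byval.items() if len(h) > 1}
            for attr, byval in holders.items()}


def report(conflicts):
    """Render find_conflicts() output as printable lines."""
    lines = []
    for attr in KEY_ATTRS:
        for value, holders in sorted(conflicts.get(attr, {}).items()):
            lines.append(f"{attr} {value} is held by {len(holders)} objects:")
            for dn, deleted in holders:
                lines.append(f"  {'[tombstone] ' if deleted else ''}{dn}")
    return lines


# Constructed dump in the shape of ldbsearch --cross-ncs --show-deleted output:
# a live CBADC03$ account plus a tombstone that still carries the same
# objectSid.  SIDs and the GUID are made up; record 1 is a clean control.
SAMPLE_DUMP = """\
# record 1
dn: CN=CBADC01,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1001
sAMAccountName: CBADC01$
dNSHostName: cbadc01.cb.cliffbells.com

# record 2
dn: CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountName: CBADC03$
dNSHostName: cbadc03.cb.cliffbells.com

# record 3
dn: CN=CBADC03\\0ADEL:0fbe1fc4-5a3e-4d0c-9b71-2b6f3c1d4e5a,CN=Deleted Objects,
 DC=cb,DC=cliffbells,DC=com
isDeleted: TRUE
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountName: cbadc03$
"""
# One base64 ("::") value, built here rather than pasted, to exercise that path.
SAMPLE_DUMP += "dNSHostName:: " + base64.b64encode(b"CBADC03.cb.cliffbells.com").decode() + "\n"

if __name__ == "__main__":
    # With a file argument analyse a saved dump (as the thread saves
    # ldbsearch output to a text file); otherwise analyse the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for line in report(find_conflicts(text)):
        print(line)
```

Run it with the path of a saved dump to check a real sam.ldb; tombstones only appear in that dump when ldbsearch was given --show-deleted, and objects in the other partitions (the DNS zones seen in the grep output above) only when it was given --cross-ncs, so both switches matter for the comparison to be complete.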