Olaf Frączyk
2017-Mar-11 15:20 UTC
[Samba] samba 4.6.0 dc provisioning fails with exception
Hello,

I have a problem with samba provisioning as DC. CentOS 7, built from tarball using samba howto.

Below is the output. I would have filled bug report, but the "New Account" in bugzilla is not working also :(

[root at dc samba-4.6.0]# samba-tool domain provision --use-rfc2307 --realm navidom.office.navi.pl --domain NAVIDOM --server-role dc --adminpass DuDu778$$# --dns-backend SAMBA_INTERNAL
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=navidom,DC=office,DC=navi,DC=pl
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

Best regards,

Olaf Frączyk
Rowland Penny
2017-Mar-11 15:55 UTC
[Samba] samba 4.6.0 dc provisioning fails with exception
On Sat, 11 Mar 2017 16:20:14 +0100 Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have a problem with samba provisioning as DC. CentOS 7, built from
> tarball using samba howto.
>
> Below is the output. I would have filled bug report, but the "New
> Account" in bugzilla is not working also :(
>
> [root at dc samba-4.6.0]# samba-tool domain provision --use-rfc2307
> --realm navidom.office.navi.pl --domain NAVIDOM --server-role dc
> --adminpass DuDu778$$# --dns-backend SAMBA_INTERNAL

Try again, but with a different password, one without '$$' in it, this has a special meaning on Linux, so this could be your problem.

Rowland
Olaf Frączyk
2017-Mar-11 16:04 UTC
[Samba] samba 4.6.0 dc provisioning fails with exception
Hello,

I found the cause. It was the default kerberos config on CentOS: /etc/krb5.conf

Please add to the wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

that before provisioning we should remove this file.

It wasn't confusing only for me, as the resolution I found was in bugzilla:

https://bugzilla.samba.org/show_bug.cgi?id=11573

Maybe you could add some error description for this exception during provisioning, so the installing person is not totally in the dark?

Best regards,

Olaf

On 3/11/2017 4:20 PM, Olaf Frączyk wrote:

> Hello,
>
> I have a problem with samba provisioning as DC. CentOS 7, built from
> tarball using samba howto.
>
> Below is the output. I would have filled bug report, but the "New
> Account" in bugzilla is not working also :(
>
> [root at dc samba-4.6.0]# samba-tool domain provision --use-rfc2307
> --realm navidom.office.navi.pl --domain NAVIDOM --server-role dc
> --adminpass DuDu778$$# --dns-backend SAMBA_INTERNAL
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=navidom,DC=office,DC=navi,DC=pl
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> ERROR(ldb): uncaught exception - operations error at
> ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
>     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
>     next_rid=next_rid, dc_rid=dc_rid)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
>     "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
>     self.add(msg, controls)
>
> Best regards,
>
> Olaf Frączyk
Rowland Penny
2017-Mar-11 16:20 UTC
[Samba] samba 4.6.0 dc provisioning fails with exception
On Sat, 11 Mar 2017 17:04:55 +0100 Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I found the cause. It was the default kerberos config on CentOS:
> /etc/krb5.conf

Glad you found the problem ;-)

> Please add to the wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> that before provisioning we should remove this file.

To be honest, the wiki page does tell you to remove /etc/krb5.conf, just not in the correct place. I think the problem has been brought to the fore since they started to add a couple of lines to the top of the file on red-hat distros.

Rowland
Andrew Bartlett
2017-Mar-11 18:48 UTC
[Samba] samba 4.6.0 dc provisioning fails with exception
On Sat, 2017-03-11 at 17:04 +0100, Olaf Frączyk via samba wrote:

> Hello,
>
> I found the cause. It was the default kerberos config on CentOS:
> /etc/krb5.conf

Thankfully upstream Heimdal just merged a patch for includedir. I'll see if we can backport it.

> Please add to the wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> that before provisioning we should remove this file.
>
> It wasn't confusing only for me, as the resolution I found was in
> bugzilla:
>
> https://bugzilla.samba.org/show_bug.cgi?id=11573
>
> Maybe you could add some error description for this exception during
> provisioning, so the installing person is not totally in the dark?

I've updated the bug.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
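
The resolution in this thread (a distro-shipped /etc/krb5.conf breaking `samba-tool domain provision`) can be checked for before provisioning. The script below is an added example, not part of the original thread or of Samba. It assumes the offending lines are `include`/`includedir` directives, as the Heimdal remark implies; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: pre-provision check for a leftover distro krb5.conf.
# Assumption: the lines that break provisioning are include/includedir
# directives; the thread implies this but does not quote the file.

# Print "lineno:directive" for each include/includedir line in file $1.
krb5_include_lines() {
    [ -r "$1" ] || return 0
    awk '/^[ \t]*include(dir)?[ \t]/ { sub(/^[ \t]+/, ""); print NR ":" $0 }' "$1"
}

# Exit status: 0 = file absent, 1 = include directives found (blocker),
#              2 = file present without include directives (warning).
krb5_preflight() {
    conf=${1:-/etc/krb5.conf}
    if [ ! -e "$conf" ]; then
        echo "ok: $conf is absent"
        return 0
    fi
    hits=$(krb5_include_lines "$conf")
    if [ -n "$hits" ]; then
        echo "blocker: $conf contains include directives:"
        echo "$hits"
        echo "remove it (or move it aside) before samba-tool domain provision"
        return 1
    fi
    echo "warn: $conf exists; the Samba wiki says to remove it before provisioning"
    return 2
}

# Demo on a constructed sample resembling a distro default file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
# constructed sample, not copied from a real host
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = EXAMPLE.COM
EOF
krb5_preflight "$demo_dir/krb5.conf" || true
rm -rf "$demo_dir"
```

On a real host, run `krb5_preflight` with no argument to check /etc/krb5.conf and stop the provisioning script when it returns 1.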