Hello,
I am trying to test joining a new RODC (samba-tool domain join unn.global RODC
-U Administrator -d5) and it fails with this message:
Could not find machine account in secrets database: Failed to fetch
machine account password for UNN from both secrets.ldb (Could not find
entry to match filter:
'(&(flatname=UNN)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4576) and from
/root/rodc/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 667, in run
    dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1239, in join_RODC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 903, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 254, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
Adding CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Adding CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global
Got krbtgt_name=krbtgt_24698
Renaming CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global to
CN=krbtgt_24698,CN=Users,DC=unn,DC=global
Adding
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=RODC Connection (FRS),CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding SPNs to CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Setting account password for DCG3RO-TEST$
Enabling account
Calling bare provision
Provision OK for domain DN DC=unn,DC=global
Starting replication
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
Deleted CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global
Deleted CN=RODC Connection (FRS),CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
My test environment:
dcg1.unn.global 192.168.59.23 DC (CentOS 7.3.1611, 3.10.0-514.6.1 x64,
firewall stopped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)
dcg2.unn.global 192.168.59.29 DC FSMO (CentOS 7.3.1611, 3.10.0-514.6.1
x64, firewall stopped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)
dcg3ro-test.unn.global 192.168.59.233 It does not want to become an RODC
(CentOS 7.3.1611, 3.10.0-514.21.1 x64, firewall stopped, selinux
disabled, Samba 4.6.4)
Samba configure options: --exec-prefix=/usr --sysconfdir=/etc
--libdir=/usr/lib64 --localstatedir=/var --enable-fhs
--with-lockdir=/var/cache/samba --with-modulesdir=/usr/lib64/samba
There are ~54000 objects in the domain.
Can you give me some advice?
--
Best Wishes,
Evgeniy Semenov
*Resend to the list*
Hi,
I had the same problem.
The solution was to check the permissions on the NC for the Enterprise Read-only Domain
Controllers group.
Here is some additional information:
https://support.microsoft.com/en-us/help/2022387/troubleshooting-ad-replication-error-8453-replication-access-was-denied
Look at "Fix Invalid Default Security Descriptors".
Andrej
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Evgeniy
Semenov via samba
Sent: Wednesday, 7 June 2017 19:24
To: samba at lists.samba.org
Subject: [Samba] domain join RODC failed
On Wed, 2017-06-07 at 20:24 +0300, Evgeniy Semenov via samba wrote:
> Hello,
>
> I am trying to test joining a new RODC (samba-tool domain join unn.global RODC
> -U Administrator -d5) and it fails with this message:
> There are ~54000 objects in the domain.
>
> Can you give me some advice?

If at all possible wait until Samba 4.7 to use the RODC. We fixed a lot of bugs
recently, and it really hasn't been in good shape until now.

We now have tests to show that the RODC works and this will help prevent
regressions.

Otherwise git master may be an option.

I suspect we have a mixup regarding the special secrets processing flags
(needed to omit the passwords) in your case, but it is just a guess right now.

I hope this helps.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrej, thank you so much. The problem was with the permissions on the default
naming context.

08.06.2017 10:54, Andrej Gessel via samba wrote:
> Hi,
>
> I had the same problem.
>
> The solution was to check the permissions on the NC for the Enterprise Read-only Domain Controllers group.
>
> Here is some additional information:
> https://support.microsoft.com/en-us/help/2022387/troubleshooting-ad-replication-error-8453-replication-access-was-denied
> Look at "Fix Invalid Default Security Descriptors".
>
> Andrej
--
Evgeniy
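The check Andrej recommends and Evgeniy confirms fixed his join, as an added example that is not part of this thread and not Samba's own code: a small Python script that takes the SDDL form of the domain naming context's nTSecurityDescriptor and reports which replication control-access rights are not effectively granted to the Enterprise Read-only Domain Controllers group (RID 498 of the domain SID, SDDL alias ER). The domain SID and both SDDL strings below are constructed for the example; on a Samba DC the real descriptor comes from sam.ldb (for instance ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b DC=unn,DC=global nTSecurityDescriptor, which is assumed here to print SDDL; on newer Samba, samba-tool dsacl get does the same). The three rights it requires (Get-Changes, Synchronize, Manage-Topology) are an assumption about what an RODC needs on the NC; compare the list against the descriptor of a healthy DC before changing anything, because the Microsoft article's fix is to restore the schema's default security descriptor, not to add arbitrary ACEs.

```python
import re

# Extended rights (control-access rights) that AD replication checks on a naming
# context, keyed by their rightsGuid from the AD schema. Assumed to be the set an
# RODC needs; verify against a working DC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
}

ENTERPRISE_RODC_RID = 498            # Enterprise Read-only Domain Controllers
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # the "CR" bit when rights are given as a hex mask

# The DACL starts at "D:", optional P/AI/AR flags, then one or more "(...)" ACEs.
_DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split the DACL of an SDDL string into
    (ace_type, flags, rights, object_guid, inherit_guid, trustee) tuples."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:   # conditional / resource-attribute ACEs have more fields; skip them
            continue
        aces.append(tuple(fields))
    return aces


def _has_control_access(rights):
    """True if a rights field (two-letter tokens or a 0x mask) carries Control Access."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CR" in tokens or "GA" in tokens


def missing_rodc_replication_rights(sddl, domain_sid):
    """Names of replication rights NOT effectively allowed to Enterprise RODCs on this NC."""
    trustees = {"ER", "%s-%d" % (domain_sid, ENTERPRISE_RODC_RID)}
    allowed, denied = set(), set()
    for ace_type, _flags, rights, obj_guid, _inh, trustee in parse_dacl(sddl):
        if trustee not in trustees or not _has_control_access(rights):
            continue
        # An object ACE names one extended right; a plain ACE with CR covers all of them.
        scope = {obj_guid.lower()} if obj_guid else set(REPLICATION_RIGHTS)
        if ace_type in ("A", "OA"):
            allowed |= scope
        elif ace_type in ("D", "OD"):
            denied |= scope
    effective = allowed - denied
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid not in effective)


# Constructed sample data (not the poster's domain). BROKEN_SDDL grants Enterprise RODCs
# only Get-Changes; FIXED_SDDL adds the other two, one via the ER alias and one via the
# literal domain SID, which is how either form may appear in a dumped descriptor.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

BROKEN_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)"
    "(A;;RPLCLORC;;;AU)"
)

FIXED_SDDL = BROKEN_SDDL + (
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;%s-%d)" % (DOMAIN_SID, ENTERPRISE_RODC_RID)
    + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ER)"
)

if __name__ == "__main__":
    for label, sddl in (("broken", BROKEN_SDDL), ("fixed", FIXED_SDDL)):
        print(label, "missing:", missing_rodc_replication_rights(sddl, DOMAIN_SID) or "none")
```

Anything the script reports missing can be granted on Samba with samba-tool dsacl set --objectdn=DC=unn,DC=global --sddl='(OA;;CR;<rightsGuid>;;ER)' (option names assumed; confirm with samba-tool dsacl set --help), but a deny ACE for the same trustee, which the script also honours, still wins and has to be removed rather than overridden.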
Hello Andrew, thanks for the information, it can save a lot of effort. I will
wait until Samba 4.7 is released before the RODC is deployed to the production
environment.

08.06.2017 12:29, Andrew Bartlett via samba wrote:
> If at all possible wait until Samba 4.7 to use the RODC. We fixed a
> lot of bugs recently, and it really hasn't been in good shape until
> now.
>
> We now have tests to show that the RODC works and this will help
> prevent regressions.
--
Best regards,
Evgeniy Semenov
Lead programmer, Informatization Department, Lobachevsky State University of Nizhny Novgorod (ННГУ им. Лобачевского)
tel.: (831) 462 35 60
e-mail: sem at unn.ru