Daniel McFeeters
2017-Dec-21 19:51 UTC
[Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
Yes, I am running 4.7.3 on both servers. One has been upgraded (many times). The
new one, obviously, is freshly installed.
I am running DNS on the domain controller. In fact, I'm running all the
default "server services". As I said, I have had some problems in the
past, and for a while the DNS was not working (perhaps due to some database
corruption) and I had to switch it off in smb.conf. DNS seems to be working fine
now. However, I am wondering if there are still some inconsistencies in the
database which would cause this?
Here is my smb.conf file:
[global]
workgroup = REDACTED
realm = redacted.domain.local
netbios name = SAMBA4DOM
server role = active directory domain controller
log level = 2
allow dns updates = signed
encrypt passwords = yes
lanman auth = No
client ntlmv2 auth = Yes
ntlm auth = Yes
client lanman auth = No
client plaintext auth = No
client min protocol = SMB2
client signing = mandatory
server signing = mandatory
[netlogon]
path = /var/lib/samba/sysvol/redacted.domain.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Daniel McFeeters
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "Daniel McFeeters" <danielj.mcfeeters at lcdhd.org>, "samba" <samba at lists.samba.org>
> Sent: Thursday, December 21, 2017 1:44:41 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
> On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:
> > I have a Samba4 Domain Controller, which we have run in production since ~2009
> > (early alpha). It's had a few issues over the years which we've managed to
> > recover from. I'm trying to join a second Samba4 DC to the domain, but having
> > trouble when I issue the join. I have run dbcheck on the existing DC, which
> > found and fixed some errors. There are still about 60+ errors like this:
> > # samba-tool dbcheck --cross-ncs
> > ...
> > ERROR: no target object found for GUID component for objectCategory in object
> > DC=...
> > Not removing dangling forward link
> > I'm running the same Samba version on both systems. Just upgraded to 4.7.3
> > (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with
> > earlier versions with the same problem.)
> > Any suggestions would be greatly appreciated!
> > Here is the output from the second DC when I attempt to join:
> > $ samba --version
> > Version 4.7.3-Ubuntu
> So both versions servers run Samba 4.7.3? I would normally expect this
> only if the existing server was much older.
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Garming Sam
2017-Dec-21 21:47 UTC
[Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
Hi,
If you slowly turn up the debug level for the join, there may be some
clues as to which object is causing the issues. Do note, that these logs
can contain sensitive data.
Cheers,
Garming
Daniel McFeeters
2017-Dec-21 22:20 UTC
[Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
OK, we're getting closer here I think. I repeated with -d 2 without much
help. Here is -d 3, which may point us in the right direction. As I suspected,
it seems to point to some corruption in the DNS still, perhaps?
The key line seems to be here:
Missing parent while attempting to apply records: No parent with GUID
60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Here is the full output in context:
$ sudo samba-tool domain join redacted.domain.local DC
-U"REDACTED\my.domain.admin" --dns-backend=SAMBA_INTERNAL -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'redacted.domain.local'
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.redacted.domain.local<0x0>
Found DC samba4dom.redacted.domain.local
resolve_lmhosts: Attempting lmhosts lookup for name
samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
this connection ldap/samba4dom.redacted.domain.local
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
Password for [REDACTED\my.domain.admin]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NO DNS zone information found in source domain, not replicating DNS
workgroup is REDACTED
realm is redacted.domain.local
Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Adding
CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding CN=NTDS
Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Setting account password for SAMBA4DC2$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave:
(null)
A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=redacted,DC=domain,DC=local
Starting replication
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610]
linked_values[0/15]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610]
linked_values[22/22]
Replicated 1 objects (22 linked attributes) for
CN=Configuration,DC=redacted,DC=domain,DC=local
Replicating critical objects from the base DN of the domain
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
Missing parent while attempting to apply records: No parent with GUID
60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for REDACTED from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Deleted CN=NTDS
Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Deleted
CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process
'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in
do_join
ctx.join_replicate()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in
join_replicate
replica_flags=ctx.domain_replica_flags)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
295, in replicate
schema=schema, req_level=req_level, req=req)
$
Daniel McFeeters
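Added example, not part of the thread and not Samba project code: a Python script that pulls the missing parent GUID, the child DN and the partition being replicated out of join output like the above, even when the lines have been wrapped, and that masks realm, workgroup and account names before a debug log is posted, which is the concern raised earlier in the thread about sensitive data. The function names, the mask strings and the rule that the DN ends at "Failed to commit objects" are assumptions made for this example.

```python
import re

# Sample input: lines copied from the -d 3 join output in the post, still
# wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
Missing parent while attempting to apply records: No parent with GUID
60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Assumption: the DN runs up to the "Failed to commit objects" message that
# follows it in the post's output (or to the end of the log).
MISSING = re.compile(
    r"No parent with GUID (" + GUID + r") found for object remotely known as "
    r"(.+?)(?= Failed to commit objects|$)")
PARTITION = re.compile(r"Partition\[(.+?)\] objects\[(\d+)/(\d+)\]")


def find_missing_parents(log_text):
    """Return one dict per missing-parent error, tolerating wrapped lines."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    found = []
    for m in MISSING.finditer(flat):
        # The last Partition[...] progress line before the error names the
        # naming context being replicated when the commit failed.
        parts = list(PARTITION.finditer(flat, 0, m.start()))
        nc, done, total = parts[-1].groups() if parts else (None, "0", "0")
        found.append({"parent_guid": m.group(1).lower(),
                      "child_dn": m.group(2),
                      "partition": nc,
                      "progress": (int(done), int(total))})
    return found


def redact(log_text, realm, workgroup):
    """Mask realm, workgroup and account names in one pass before sharing a log.

    Host names and object names under the base DN are left alone; add rules
    for those if they are sensitive at your site.
    """
    base_dn = ",".join("DC=" + label for label in realm.split("."))
    pattern = re.compile(
        "(?P<acct>" + re.escape(workgroup) + r'\\[^\s\])"]+)'
        "|(?P<dn>" + re.escape(base_dn) + ")"
        "|(?P<realm>" + re.escape(realm) + ")"
        r"|(?P<wg>\b" + re.escape(workgroup) + r"\b)", re.IGNORECASE)
    masks = {"acct": "WORKGROUP\\user", "dn": "DC=realm,DC=example",
             "realm": "realm.example", "wg": "WORKGROUP"}
    return pattern.sub(lambda m: masks[m.lastgroup], log_text)


if __name__ == "__main__":
    for hit in find_missing_parents(SAMPLE_LOG):
        print(hit)
```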