samba - Feb 2018 - SAMBA failed join domain DC

On Tue, 20 Feb 2018 14:10:16 +0500
"denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:

It seems that the problem starts here:

Could not find machine account in secrets database

Yet near the top there is: Setting up secrets.ldb

It seems that either 'secrets.ldb' doesn't contain the required info
or
'vas.lah' doesn't have the required permissions to read it.

You also shouldn't need to set the DC to join to, Samba can find a DC
to use.

Is it possible you could try the join command like this:

samba-tool domain join EXAMPLE DC -UAdministrator --password=password
--realm=EXAMPLE.RU --site=SITE2

Rowland

Il 20/02/2018 12:47, Rowland Penny via samba ha scritto:
> On Tue, 20 Feb 2018 14:10:16 +0500
> "denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:
>
> It seems that the problem starts here:
>
> Could not find machine account in secrets database
>
> Yet near the top there is: Setting up secrets.ldb
>
> It seems that either 'secrets.ldb' doesn't contain the required
info or
> 'vas.lah' doesn't have the required permissions to read it.
>
> You also shouldn't need to set the DC to join to, Samba can find a DC
> to use.
>
> Is it possible you could try the join command like this:
>
> samba-tool domain join EXAMPLE DC -UAdministrator --password=password
> --realm=EXAMPLE.RU --site=SITE2
>
> Rowland
>
i have a similar issue i think
tryed this:

samba-tool domain join ADCOMLOCAL DC

and this is what i get

Finding a writeable DC for domain 'ADCOMLOCAL'
Found DC zeus.adcomlocal.local
Password for [administrator at ADCOMLOCAL.LOCAL]:
workgroup is ADCOMLOCAL
realm is adcomlocal.local
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
Can't
join, error: Not removing account ZEUS$ which looks like a Samba DC 
account maching the password we already have. To override, remove 
secrets.ldb and secrets.tdb
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 1474, in join_DC
     ctx.do_join()
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 1371, in do_join
     ctx.cleanup_old_join()
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 270, in cleanup_old_join
     ctx.cleanup_old_accounts(force=force)
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 239, in cleanup_old_accounts
     % ctx.samname)



---
Questa email è stata esaminata alla ricerca di virus da AVG.
http://www.avg.com

Not join((
samba-tool domain join example.ru DC -Uvas.lah --password=password
--realm=EXAMPLE.RU --site=SITE2 -d 4

samba find srv-site3-dc01 and failed join to server DC srv-site3-dc01


lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name
srv-site3-dc01.example.ru<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 192.168.55.1 srv-dc01 
Advancing clock by 3 seconds to cope with clock skew
workgroup is EXAMPLE
realm is EXAMPLE.ru
Adding CN=SRV-SITE2-DC01,OU=Domain Controllers,DC=example,DC=ru
Adding
CN=SRV-SITE2-DC01,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
Adding CN=NTDS
Settings,CN=SRV-SITE2-DC01,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=example,DC=ru
Using binding ncacn_ip_tcp:srv-site3-dc01.EXAMPLE.ru[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name
srv-site3-dc01.EXAMPLE.ru<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 192.168.55.1 srv-dc01 
Mapped to DCERPC endpoint 50244
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
added interface eth0 ip=10.2.1.15 bcast=10.2.7.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name
srv-site3-dc01.example.ru<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 192.168.55.1 srv-dc01 
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for EXAMPLE from both secrets.ldb (Could not find entry to
match
filter: '(&(fl
atname=EXAMPLE)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636)
and from
/var/lib/samba/private/
secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SRV-SITE2-DC01,OU=Domain Controllers,DC=example,DC=ru
Deleted CN=NTDS
Settings,CN=SRV-SITE2-DC01,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=EXAMPLE,DC=ru
Deleted
CN=SRV-SITE2-DC01,CN=Servers,CN=SITE2,CN=Sites,CN=Configuration,DC=EXAMPLE,DC=ru
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B:
RefErr: DSID-030A0B09, data 0, 1 access points
        ref 1:
'7bbe1649-5261-430c-b473-9b85a36719b5._msdcs.EXAMPLE.ru'
> <ldap://7bbe1649-5261-430c-b473-9b85a36719b5._msdcs.EXAMPLE.ru>
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474,
in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1375,
in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 668,
in join_add_objects
    ctx.samdb.modify(m)


В Вт, 20/02/2018 в 11:47 +0000, Rowland Penny via samba
пишет:
> On Tue, 20 Feb 2018 14:10:16 +0500
> "denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:
> 
> It seems that the problem starts here:
> 
> Could not find machine account in secrets database
> 
> Yet near the top there is: Setting up secrets.ldb
> 
> It seems that either 'secrets.ldb' doesn't contain the required
info or
> 'vas.lah' doesn't have the required permissions to read it.
> 
> You also shouldn't need to set the DC to join to, Samba can find a DC
> to use.
> 
> Is it possible you could try the join command like this:
> 
> samba-tool domain join EXAMPLE DC -UAdministrator --password=password
> --realm=EXAMPLE.RU --site=SITE2
> 
> Rowland
>

On Tue, 20 Feb 2018 17:34:00 +0500
"denis.shigapov" <denis.shigapov at stroylandiya.ru> wrote:
> Not join((
> samba-tool domain join example.ru DC -Uvas.lah --password=password
> --realm=EXAMPLE.RU --site=SITE2 -d 4 
'example.ru' is your dns domain name, you should be using your netbios
domain name 'EXAMPLE'

Who is 'vas.lah' ? does the user have the required permissions to join a
DC to the domain ?
> 
> samba find srv-site3-dc01 and failed join to server DC srv-site3-dc01
> 
As long as the DC the join command finds, is in the same REALM, it
shouldn't matter which DC is used.

Can you please try the join command:

samba-tool domain join EXAMPLE DC -UAdministrator --password=password
--realm=EXAMPLE.RU --site=SITE2 

Rowland