me at tdiehl.org
2018-Jun-21 18:32 UTC
[Samba] Problem joining a samba DC to a windows domain
Hi Rowland,

On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>> Windows domain using
>> wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>> as instructions.
>>
>> The smb.conf looks like the following:
>>
>> [global]
>> netbios name = PHT-VDC1
>> realm = EXAMPLE.COM
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = EXAMPLE
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> The above was generated by the following samba-tool command line:
>> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>
>> When I run samba-tool I get the following output:
>> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>> Finding a writeable DC for domain 'example.com'
>> Found DC PHT1.example.com
>> Password for [EXAMPLE\admin]:
>> workgroup is EXAMPLE
>> realm is example.com
>> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>> Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>> Setting account password for PHT-VDC1$
>> Enabling account
>> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
>> Setting account password for dns-PHT-VDC1
>> Calling bare provision
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>>
>> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
>> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>> Provision OK for domain DN DC=example,DC=com
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
>> ...
>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>> Failed to commit objects: DOS code 0x000021bf
>> Join failed - cleaning up
>
> This is where it seems to fail and 0x000021bf is this:
>
> The replication operation failed because the target object referenced
> by a link value is recycled.
>
> So it might be an idea to check the DC you are trying to join to.

Check it for what? If I understand correctly the error is saying that
the target object is not there. The problem is I do not understand
what the target object is or how to find it. Assuming that the error
is referring to Partition[DC=example,DC=com] objects[466/7952]
linked_values[72/388], how do I figure out what the error is referring
to?

As I said in a separate message, I can successfully join using 4.7.7.
If this is a problem with the existing MS DC, why does 4.7.7 join
without error?

To be clear I am not doubting your advice and I do appreciate it. I
am just trying to understand.

Regards,

-- 
Tom me at tdiehl.org
Rowland Penny
2018-Jun-21 18:58 UTC
[Samba] Problem joining a samba DC to a windows domain
On Thu, 21 Jun 2018 14:32:49 -0400 (EDT)
me at tdiehl.org wrote:

> Hi Rowland,
>
> On Thu, 21 Jun 2018, Rowland Penny via samba wrote:
>
> > On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> > Tom Diehl via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> I am trying to join a self compiled samba 4.8.2 DC to an existing
> >> Windows domain using
> >> wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> >> as instructions.
> >>
> >> The smb.conf looks like the following:
> >>
> >> [global]
> >> netbios name = PHT-VDC1
> >> realm = EXAMPLE.COM
> >> server role = active directory domain controller
> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> workgroup = EXAMPLE
> >>
> >> [netlogon]
> >> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> >> read only = No
> >>
> >> [sysvol]
> >> path = /usr/local/samba/var/locks/sysvol
> >> read only = No
> >>
> >> The above was generated by the following samba-tool command line:
> >> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
> >>
> >> When I run samba-tool I get the following output:
> >> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
> >> Finding a writeable DC for domain 'example.com'
> >> Found DC PHT1.example.com
> >> Password for [EXAMPLE\admin]:
> >> workgroup is EXAMPLE
> >> realm is example.com
> >> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> >> Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> >> Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> >> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
> >> Setting account password for PHT-VDC1$
> >> Enabling account
> >> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
> >> Setting account password for dns-PHT-VDC1
> >> Calling bare provision
> >> Looking up IPv4 addresses
> >> Looking up IPv6 addresses
> >> No IPv6 address will be assigned
> >> Setting up share.ldb
> >> Setting up secrets.ldb
> >> Setting up the registry
> >> Setting up the privileges database
> >> Setting up idmap db
> >> Setting up SAM db
> >> Setting up sam.ldb partitions and settings
> >> Setting up sam.ldb rootDSE
> >> Pre-loading the Samba 4 and AD schema
> >> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> >>
> >> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> >> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> >> Provision OK for domain DN DC=example,DC=com
> >> Starting replication
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
> >> Analyze and apply schema objects
> >> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
> >> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
> >> ...
> >> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
> >> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
> >> Replicating critical objects from the base DN of the domain
> >> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
> >> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
> >> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
> >> Failed to commit objects: DOS code 0x000021bf
> >> Join failed - cleaning up
> >
> > This is where it seems to fail and 0x000021bf is this:
> >
> > The replication operation failed because the target object
> > referenced by a link value is recycled.
> >
> > So it might be an idea to check the DC you are trying to join to.
>
> Check it for what? If I understand correctly the error is saying that
> the target object is not there. The problem is I do not understand
> what the target object is or how to find it. Assuming that the error
> is referring to Partition[DC=example,DC=com] objects[466/7952]
> linked_values[72/388], how do I figure out what the error is referring
> to?
>
> As I said in a separate message, I can successfully join using 4.7.7.
> If this is a problem with the existing MS DC, why does 4.7.7 join
> without error?
>
> To be clear I am not doubting your advice and I do appreciate it. I
> am just trying to understand.
>
> Regards,
>

The index mode changed at 4.8.0, this might be more picky i.e. it won't
allow things that 4.7.x would.

If this was a Samba DC, I would suggest running 'samba-tool dbcheck' on
it, but is there a Windows version of this tool?

If 4.7.7 joins and works successfully, have you considered using this
as the main DC and try joining the 4.8.2 to it?

Rowland
me at tdiehl.org
2018-Jun-21 20:01 UTC
[Samba] Problem joining a samba DC to a windows domain
On Thu, 21 Jun 2018, Rowland Penny via samba wrote:

> On Thu, 21 Jun 2018 14:32:49 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> Hi Rowland,
>>
>> On Thu, 21 Jun 2018, Rowland Penny via samba wrote:
>>
>>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>>> Windows domain using
>>>> wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> as instructions.
>>>>
>>>> The smb.conf looks like the following:
>>>>
>>>> [global]
>>>> netbios name = PHT-VDC1
>>>> realm = EXAMPLE.COM
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> workgroup = EXAMPLE
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> The above was generated by the following samba-tool command line:
>>>> samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>>
>>>> When I run samba-tool I get the following output:
>>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC -U"example\admin" --dns-backend=BIND9_DLZ
>>>> Finding a writeable DC for domain 'example.com'
>>>> Found DC PHT1.example.com
>>>> Password for [EXAMPLE\admin]:
>>>> workgroup is EXAMPLE
>>>> realm is example.com
>>>> Adding CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>>>> Adding CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>>>> Adding CN=NTDS Settings,CN=PHT-VDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>>>> Adding SPNs to CN=PHT-VDC1,OU=Domain Controllers,DC=example,DC=com
>>>> Setting account password for PHT-VDC1$
>>>> Enabling account
>>>> Adding DNS account CN=dns-PHT-VDC1,CN=Users,DC=example,DC=com with dns/ SPN
>>>> Setting account password for dns-PHT-VDC1
>>>> Calling bare provision
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> No IPv6 address will be assigned
>>>> Setting up share.ldb
>>>> Setting up secrets.ldb
>>>> Setting up the registry
>>>> Setting up the privileges database
>>>> Setting up idmap db
>>>> Setting up SAM db
>>>> Setting up sam.ldb partitions and settings
>>>> Setting up sam.ldb rootDSE
>>>> Pre-loading the Samba 4 and AD schema
>>>> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>>>>
>>>> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
>>>> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>>>> Provision OK for domain DN DC=example,DC=com
>>>> Starting replication
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1608/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2010/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2412/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[2814/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3216/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3618/4383] linked_values[0/0]
>>>> Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[3735/4383] linked_values[0/0]
>>>> Analyze and apply schema objects
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[402/7722] linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722] linked_values[0/355]
>>>> ...
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722] linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
>>>> Replicating critical objects from the base DN of the domain
>>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>>> Failed to commit objects: DOS code 0x000021bf
>>>> Join failed - cleaning up
>>>
>>> This is where it seems to fail and 0x000021bf is this:
>>>
>>> The replication operation failed because the target object
>>> referenced by a link value is recycled.
>>>
>>> So it might be an idea to check the DC you are trying to join to.
>>
>> Check it for what? If I understand correctly the error is saying that
>> the target object is not there. The problem is I do not understand
>> what the target object is or how to find it. Assuming that the error
>> is referring to Partition[DC=example,DC=com] objects[466/7952]
>> linked_values[72/388], how do I figure out what the error is referring
>> to?
>>
>> As I said in a separate message, I can successfully join using 4.7.7.
>> If this is a problem with the existing MS DC, why does 4.7.7 join
>> without error?
>>
>> To be clear I am not doubting your advice and I do appreciate it. I
>> am just trying to understand.
>>
>> Regards,
>>
>
> The index mode changed at 4.8.0, this might be more picky i.e. it won't
> allow things that 4.7.x would.
>
> If this was a Samba DC, I would suggest running 'samba-tool
> dbcheck' on it, but is there a Windows version of this tool?

Apparently there is
rebeladmin.com/2018/03/integrity-check-detect-low-level-active-directory-database-corruption

Huh, learn something new every day!! :-)

I am going to give that a try.

> If 4.7.7 joins and works successfully, have you considered using this
> as the main DC and try joining the 4.8.2 to it?

That also sounds like a good idea.

Thanks for the help.

Regards,

-- 
Tom me at tdiehl.org
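One way to find what the failing link points at, as an added example that is not from the thread or from Samba: take an LDIF export of the existing domain with recycled objects visible (ldbsearch's --show-recycled option, for instance) and cross-check forward-link values held by live objects against objects flagged isRecycled, which is the condition DOS code 0x000021bf (ERROR_DS_DRA_RECYCLED_TARGET) describes. The LDIF below is constructed, and LINK_ATTRS is a hypothetical subset of AD's linked attributes.

```python
import re
from collections import defaultdict

# Forward-link attributes to check (a hypothetical subset of AD's linked attributes).
LINK_ATTRS = ("member", "manager", "managedby")

# Constructed sample dump: a live group whose member link still points at a recycled user.
# Deleted objects keep a DN of the form "CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,...".
SAMPLE_LDIF = r"""dn: CN=Staff,CN=Users,DC=example,DC=com
objectClass: group
member: CN=Alice Example,CN=Users,DC=example,DC=com
member: CN=Bob Example\0ADEL:6e1c3d2a-0000-4000-8000-000000000001,CN=Deleted Objects,DC=example,DC=com

dn: CN=Alice Example,CN=Users,DC=example,DC=com
objectClass: user

dn: CN=Bob Example\0ADEL:6e1c3d2a-0000-4000-8000-000000000001,CN=Deleted Objects,DC=example,DC=com
objectClass: user
isDeleted: TRUE
isRecycled: TRUE
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds wrapped lines, skips comments/base64 values."""
    records, dn, attrs = [], None, defaultdict(list)
    # A newline followed by a space is LDIF line folding: join such lines before parsing.
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:
        if not line:  # blank line ends a record
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if line.startswith("#") or value.startswith(":"):
            continue  # comment, or base64 ('::') value; neither is needed for DN matching
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return records

def find_dangling_links(records):
    """(source_dn, attr, target_dn) for every forward link on a live object whose target is recycled."""
    recycled = {dn.lower() for dn, a in records if a.get("isrecycled", [""])[0].upper() == "TRUE"}
    hits = []
    for dn, attrs in records:
        if dn.lower() in recycled:
            continue  # only links held by live objects are the problem
        for attr in LINK_ATTRS:
            for target in attrs.get(attr, []):
                if target.lower() in recycled:
                    hits.append((dn, attr, target))
    return hits
```

Each hit names the live object and attribute to inspect on the existing DC before re-running the join.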