Andrew Bartlett
2018-Jun-21 20:22 UTC
[Samba] Problem joining a samba DC to a windows domain
On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I am trying to join a self compiled samba 4.8.2 DC to an existing
> > Windows domain using
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> > as instructions.
> >
> > The smb.conf looks like the following:
> >
> > [global]
> > netbios name = PHT-VDC1
> > realm = EXAMPLE.COM
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = EXAMPLE
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > The above was generated by the following samba-tool command line:
> > samba-tool domain join example.com DC -U"example\admin"
> > --dns-backend=BIND9_DLZ
> >
> > When I run samba-tool I get the following output:
> > (pht-vdc1 pts10) # samba-tool domain join example.com DC
> > -U"example\admin" --dns-backend=BIND9_DLZ
> > Finding a writeable DC for domain 'example.com'
> > Found DC PHT1.example.com
> > Password for [EXAMPLE\admin]:
> ....
> > Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
> > linked_values[0/355]
> > ...
> > Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
> > linked_values[0/355]
> > Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722]
> > linked_values[12/355]
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
> > Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
> > Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
> > Failed to commit objects: DOS code 0x000021bf
> > Join failed - cleaning up
>
> This is where it seems to fail and 0x000021bf is this:
>
> The replication operation failed because the target object referenced
> by a link value is recycled.
>
> So it might be an idea to check the DC you are trying to join to.

Thanks Rowland,

What is happening here is that Samba is trying to find the end of a
link that it has been given, so as to be able to set the backlink.
This used to just result in the backlink being dropped, and now we have
fixed that (never dropping the link). However it seems that goes a bit
wrong here against Windows.

The reason this works with 4.7 is that the backlink is just ignored and
dropped in this case.

I've CC'ed Tim Beale who was the developer of that code, who may have
some insights.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Tom,

The problem here is due to fundamental implementation differences in the
way Windows and Samba store linked attributes. Your DB is likely fine
(no corruptions).

During replication (i.e. the join), Windows can sometimes send linked
attributes before Samba knows about the source/target objects involved.
As Andrew said, historically Samba has handled this by silently dropping
these links, which isn't ideal. So on Samba 4.7, after the join
succeeds, it's probably worth running 'samba-tool drs replicate
--full-sync' to make sure the new DC has all the linked attributes.

In Samba 4.8, instead of dropping the link, we added code that used the
GET_TGT flag in the DRS message to force the Windows DC to send all the
link target objects. This meant Samba could successfully process all the
links. The problem is that the GET_TGT flag is a reasonably new addition
to the Windows protocol, and the code in this case thinks it's not
supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
2008 R2 onwards - what version of Windows are you running?

Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
--full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
have a think what else we could do to handle this situation better.

Thanks,
Tim

On 22/06/18 08:22, Andrew Bartlett via samba wrote:
> On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>> Windows domain using
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>> as instructions.
>>>
>>> The smb.conf looks like the following:
>>>
>>> [global]
>>> netbios name = PHT-VDC1
>>> realm = EXAMPLE.COM
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>> workgroup = EXAMPLE
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> The above was generated by the following samba-tool command line:
>>> samba-tool domain join example.com DC -U"example\admin"
>>> --dns-backend=BIND9_DLZ
>>>
>>> When I run samba-tool I get the following output:
>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC
>>> -U"example\admin" --dns-backend=BIND9_DLZ
>>> Finding a writeable DC for domain 'example.com'
>>> Found DC PHT1.example.com
>>> Password for [EXAMPLE\admin]:
> ....
>
>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
>>> linked_values[0/355]
>>> ...
>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
>>> linked_values[0/355]
>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722]
>>> linked_values[12/355]
>>> Replicating critical objects from the base DN of the domain
>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>> Failed to commit objects: DOS code 0x000021bf
>>> Join failed - cleaning up
>> This is where it seems to fail and 0x000021bf is this:
>>
>> The replication operation failed because the target object referenced
>> by a link value is recycled.
>>
>> So it might be an idea to check the DC you are trying to join to.
> Thanks Rowland,
>
> What is happening here is that Samba is trying to find the end of a
> link that it has been given, so as to be able to set the backlink.
> This used to just result in the backlink being dropped, and now we have
> fixed that (never dropping the link). However it seems that goes a bit
> wrong here against Windows.
>
> The reason this works with 4.7 is that the backlink is just ignored and
> dropped in this case.
>
> I've CC'ed Tim Beale who was the developer of that code, who may have
> some insights.
>
> Thanks,
>
> Andrew Bartlett
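An added example (not Samba project code and not from anyone in this thread) that turns Tim's explanation into a check: it parses the progress lines `samba-tool domain join` prints, picks out the DOS code Rowland looked up, and decides from the source DC's `operatingSystemVersion` value whether GET_TGT (GETCHGREQ_V10) should be available. It assumes that attribute starts with an NT version number, with 6.1 being Windows Server 2008 R2; the sample output and version string are constructed from what the thread quotes.

```python
import re

# Only the code this thread hit, with the meaning Rowland quoted for it.
DOS_CODES = {0x21bf: "target object referenced by a link value is recycled"}

PROGRESS = re.compile(r"Partition\[(?P<dn>[^\]]+)\] objects\[(\d+)/(\d+)\] "
                      r"linked_values\[(\d+)/(\d+)\]")
FAILURE = re.compile(r"Failed to commit objects: DOS code 0x([0-9a-fA-F]+)")

def parse_join_output(text):
    """Return (last progress line as a dict or None, DOS code as int or None)."""
    last, code = None, None
    for line in text.splitlines():
        m = PROGRESS.search(line)
        if m:
            last = {"partition": m["dn"], "objects": (int(m[2]), int(m[3])),
                    "linked_values": (int(m[4]), int(m[5]))}
        m = FAILURE.search(line)
        if m:
            code = int(m[1], 16)
    return last, code

def get_tgt_expected(os_version):
    """Assumption: operatingSystemVersion starts 'major.minor'; 6.1 is 2008 R2,
    the first release Tim says supports GET_TGT (GETCHGREQ_V10)."""
    major, minor = os_version.split()[0].split(".")[:2]
    return (int(major), int(minor)) >= (6, 1)

def diagnose(join_output, source_dc_os_version):
    """Combine both checks into a verdict dict with the thread's advice."""
    last, code = parse_join_output(join_output)
    v = {"code": code, "failed_in": last["partition"] if last else None,
         "objects_done": last["objects"][0] if last else 0,
         "get_tgt_expected": get_tgt_expected(source_dc_os_version)}
    if code == 0x21bf and not v["get_tgt_expected"]:
        v["advice"] = ("join with Samba 4.7 first, run 'samba-tool drs replicate "
                       "--full-sync', then join the 4.8 DC to the 4.7 DC")
    elif code is not None:
        v["advice"] = DOS_CODES.get(code, "unrecognised DOS code; check the source DC")
    else:
        v["advice"] = "no commit failure seen"
    return v

# Constructed sample, abridged from the join output quoted in the thread.
SAMPLE = """Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722] linked_values[12/355]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "6.0 (6002)"))  # constructed: a 2008 (non-R2) source DC
```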
me at tdiehl.org
2018-Jun-22 03:28 UTC
[Samba] Problem joining a samba DC to a windows domain
Hi Tim, Andrew and Rowland,

Thanks for taking the time to look into this.

On Fri, 22 Jun 2018, Tim Beale via samba wrote:

> Hi Tom,
>
> The problem here is due to fundamental implementation differences in the
> way Windows and Samba store linked attributes. Your DB is likely fine
> (no corruptions).

That is great to hear!

> During replication (i.e. the join), Windows can sometimes send linked
> attributes before Samba knows about the source/target objects involved.
> As Andrew said, historically Samba has handled this by silently dropping
> these links, which isn't ideal. So on Samba 4.7, after the join
> succeeds, it's probably worth running 'samba-tool drs replicate
> --full-sync' to make sure the new DC has all the linked attributes.

I ran "samba-tool drs replicate PHT-VDC1 PHT1 dc=example,dc=com --full-sync"
and it returned "Replicate from PHT1 to PHT-VDC1 was successful".

> In Samba 4.8, instead of dropping the link, we added code that used the
> GET_TGT flag in the DRS message to force the Windows DC to send all the
> link target objects. This meant Samba could successfully process all the
> links. The problem is that the GET_TGT flag is a reasonably new addition
> to the Windows protocol, and the code in this case thinks it's not
> supported. GET_TGT (GETCHGREQ_V10) should be supported in Windows Server
> 2008 R2 onwards - what version of Windows are you running?

Well based on your explanation above this problem makes perfect sense.
The existing DC is sbs2008 which is running 2008 SP2. I guess I need to
remember that anything older than 2008 R2 needs to start with 4.7 until
there is a better solution.

> Rowland's idea of joining a 4.7 DC (and then doing a 'drs replicate
> --full-sync'), then joining a 4.8 DC to the 4.7 DC should work. I'll
> have a think what else we could do to handle this situation better.

Would it make sense to add a warning to the wiki until there is a better
solution?

Is this something that can be done while the 2008 SP2 DC is still on line
or should I wait until after it is retired?

Regards and Thanks again!!

-- 
Tom me at tdiehl.org

>
> Thanks,
> Tim
>
> On 22/06/18 08:22, Andrew Bartlett via samba wrote:
>> On Thu, 2018-06-21 at 18:46 +0100, Rowland Penny via samba wrote:
>>> On Thu, 21 Jun 2018 12:02:41 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to join a self compiled samba 4.8.2 DC to an existing
>>>> Windows domain using
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> as instructions.
>>>>
>>>> The smb.conf looks like the following:
>>>>
>>>> [global]
>>>> netbios name = PHT-VDC1
>>>> realm = EXAMPLE.COM
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> workgroup = EXAMPLE
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> The above was generated by the following samba-tool command line:
>>>> samba-tool domain join example.com DC -U"example\admin"
>>>> --dns-backend=BIND9_DLZ
>>>>
>>>> When I run samba-tool I get the following output:
>>>> (pht-vdc1 pts10) # samba-tool domain join example.com DC
>>>> -U"example\admin" --dns-backend=BIND9_DLZ
>>>> Finding a writeable DC for domain 'example.com'
>>>> Found DC PHT1.example.com
>>>> Password for [EXAMPLE\admin]:
>> ....
>>
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[804/7722]
>>>> linked_values[0/355]
>>>> ...
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6376/7722]
>>>> linked_values[0/355]
>>>> Partition[CN=Configuration,DC=example,DC=com] objects[6510/7722]
>>>> linked_values[12/355]
>>>> Replicating critical objects from the base DN of the domain
>>>> Partition[DC=example,DC=com] objects[105/156] linked_values[42/388]
>>>> Partition[DC=example,DC=com] objects[296/7902] linked_values[1/388]
>>>> Partition[DC=example,DC=com] objects[466/7902] linked_values[72/388]
>>>> Failed to commit objects: DOS code 0x000021bf
>>>> Join failed - cleaning up
>>> This is where it seems to fail and 0x000021bf is this:
>>>
>>> The replication operation failed because the target object referenced
>>> by a link value is recycled.
>>>
>>> So it might be an idea to check the DC you are trying to join to.
>> Thanks Rowland,
>>
>> What is happening here is that Samba is trying to find the end of a
>> link that it has been given, so as to be able to set the backlink.
>> This used to just result in the backlink being dropped, and now we have
>> fixed that (never dropping the link). However it seems that goes a bit
>> wrong here against Windows.
>>
>> The reason this works with 4.7 is that the backlink is just ignored and
>> dropped in this case.
>>
>> I've CC'ed Tim Beale who was the developer of that code, who may have
>> some insights.
>>
>> Thanks,
>>
>> Andrew Bartlett