Hello,

I was trying to join a samba DC to an existing AD. But it failed when I used the command ‘samba-tool domain join euler.huawei.com DC ‘ to join it to the domain. Here’s the log:

euler-2:/usr/custom # samba-tool domain join euler.huawei.com DC --option='idmap_ldb:use rfc2307 = yes' -U vdsadmin at euler.huawei.com
Finding a writeable DC for domain 'euler.huawei.com'
Found DC euler-1.euler.huawei.com
Password for [vdsadmin at euler.huawei.com]:
workgroup is EULER
realm is euler.huawei.com
Adding CN=EULER-2,OU=Domain Controllers,DC=euler,DC=huawei,DC=com
Adding CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
Adding CN=NTDS Settings,CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
Join failed - cleaning up
Deleted CN=EULER-2,OU=Domain Controllers,DC=euler,DC=huawei,DC=com
Deleted CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1381, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 644, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 575, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 470, in DsAddEntry
    ctx.drsuapi_connect()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 448, in drsuapi_connect
    ctx.drsuapi = drsuapi.drsuapi(binding_string, ctx.lp, ctx.creds)

The samba version is 4.8.3.

The log is not like what is described in the samba wiki https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory. Does any one know the reason and how to resolve it?

Thanks.
Ryan

On Fri, 6 Jul 2018 15:50:08 +0800 (CST)
Ryan via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I was trying to join a samba DC to an existing AD. But it failed when
> I used the command ‘samba-tool domain join euler.huawei.com DC ‘ to
> join it to the domain. Here’s the log:
>
> euler-2:/usr/custom # samba-tool domain join euler.huawei.com DC --option='idmap_ldb:use rfc2307 = yes' -U vdsadmin at euler.huawei.com
> Finding a writeable DC for domain 'euler.huawei.com'
> Found DC euler-1.euler.huawei.com
> Password for [vdsadmin at euler.huawei.com]:
> workgroup is EULER
> realm is euler.huawei.com
> Adding CN=EULER-2,OU=Domain Controllers,DC=euler,DC=huawei,DC=com
> Adding CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
> Adding CN=NTDS Settings,CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
> Join failed - cleaning up
> Deleted CN=EULER-2,OU=Domain Controllers,DC=euler,DC=huawei,DC=com
> Deleted CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
> ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 644, in join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 575, in join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 470, in DsAddEntry
>     ctx.drsuapi_connect()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 448, in drsuapi_connect
>     ctx.drsuapi = drsuapi.drsuapi(binding_string, ctx.lp, ctx.creds)
>
> The samba version is 4.8.3.
>
> The log is not like what is described in the samba wiki
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> Does any one know the reason and how to resolve it?
>
> Thanks.
> Ryan

It seems to be possibly credentials related, does your admin user have
all the required permissions ?
Also, does it work if you use Administrator ?

What are you trying to join the new DC to ?

Rowland

On Fri, 2018-07-06 at 15:50 +0800, Ryan via samba wrote:
> Hello,
>
> I was trying to join a samba DC to an existing AD. But it failed when I used the command ‘samba-tool domain join euler.huawei.com DC ‘ to join it to the domain. Here’s the log:
>
> euler-2:/usr/custom # samba-tool domain join euler.huawei.com DC --option='idmap_ldb:use rfc2307 = yes' -U vdsadmin at euler.huawei.com
> Finding a writeable DC for domain 'euler.huawei.com'
> Found DC euler-1.euler.huawei.com
> Password for [vdsadmin at euler.huawei.com]:
> workgroup is EULER
> realm is euler.huawei.com
> Adding CN=EULER-2,OU=Domain Controllers,DC=euler,DC=huawei,DC=com
> Adding CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
> Adding CN=NTDS Settings,CN=EULER-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=euler,DC=huawei,DC=com
> Join failed - cleaning up

> ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 644, in join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 575, in join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 470, in DsAddEntry
>     ctx.drsuapi_connect()
>   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 448, in drsuapi_connect
>     ctx.drsuapi = drsuapi.drsuapi(binding_string, ctx.lp, ctx.creds)

Can you check you can get to the RPC ports (135 and a high port, probably 1024) on the DC?

It looks firewall related to me, given we have already been able to
contact the LDAP server by this stage.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

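An added example, not part of the thread and not Samba code: a small Python check for the ports discussed above (389, 135, 1024), run from the joining host against the existing DC. It separates a silently dropped port (a time-out, matching the NT_STATUS_IO_TIMEOUT in the traceback) from a merely closed one; the port labels and function names are this example's own.

```python
import errno
import socket
import sys

# NTSTATUS from the traceback: 3221225653 == 0xC00000B5 (NT_STATUS_IO_TIMEOUT).
NT_STATUS_IO_TIMEOUT = 0xC00000B5

# Ports named in the thread: LDAP already answered; 135 and 1024 are the
# RPC ports Andrew asks about. The labels are this example's own.
JOIN_PORTS = {389: "LDAP", 135: "RPC endpoint mapper", 1024: "RPC high port"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (TCP reset) or 'filtered' (no usable answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"      # packets silently dropped: the caller sees a time-out
    except ConnectionRefusedError:
        return "closed"        # host reachable, nothing listening on the port
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable/prohibited, typically a rejecting firewall
        raise


def diagnose(host, ports=JOIN_PORTS, timeout=3.0):
    """Probe every port; return (states by port, ports that are not open)."""
    states = {port: probe(host, port, timeout) for port in ports}
    blocked = [port for port, state in states.items() if state != "open"]
    return states, blocked


def looks_like_thread_symptom(states):
    """True when LDAP answers but an RPC port is filtered, as in the thread."""
    rpc = [state for port, state in states.items() if port != 389]
    return states.get(389) == "open" and "filtered" in rpc


if __name__ == "__main__":
    dc = sys.argv[1]  # e.g. the DC found by the join, euler-1.euler.huawei.com
    states, blocked = diagnose(dc)
    for port, state in states.items():
        print(f"{dc}:{port:<5} {JOIN_PORTS[port]:<20} {state}")
    if looks_like_thread_symptom(states):
        print("LDAP reachable but RPC filtered: check the DC's firewall")
    sys.exit(1 if blocked else 0)
```
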
The user vdsadmin has been added to the domain administrators group when I built my domain. It should have all required permissions, I think.

I want to join the new DC to an AD that is also based on samba 4.8.3. The new DC and the existing AD are both samba 4.8.3 installed on centos 7.1.

>It seems to be possibly credentials related, does your admin user have
>all the required permissions ?
>Also, does it work if you use Administrator ?
>
>What are you trying to join the new DC to ?
>
>Rowland

Thank you for your reply. I just tried to enable 1024 in the DC, and it seems to work! But it confuses me that when I do the same thing in SuSE, this problem doesn't appear. Does the RPC use a different port in different systems?

>Can you check you can get to the RPC ports (135 and a high port, probably 1024) on the DC?
>
>It looks firewall related to me, given we have already been able to
>contact the LDAP server by this stage.
>
>Andrew Bartlett