Rowland Penny
2018-Oct-02 09:03 UTC
[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join
On Tue, 2 Oct 2018 10:33:35 +0200 Fabio Fantoni <fabio.fantoni at m2r.biz> wrote:

> On 01/10/2018 17:33, Rowland Penny via samba wrote:
> > On Mon, 1 Oct 2018 17:14:09 +0200
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> >> Hai Fabio,
> >>
> >> We dont mind crappy english...
> >> At least not me, I'm the same, lots of typos. You will learn it,
> >> the more you type it. ;-)
> >>
> >> https://lists.samba.org/archive/samba/2018-February/214118.html
> >> Shows exact the same, but not solution.
> >>
> >> Looks like a left over from an other DC.
> Thanks for your reply, as explained I already did some search and
> solve/workaround 2 previous fails with different error but I not
> found solution for this :(
> >>
> >>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -
> >>> <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
> >>> ref 1:
> >>> 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> >>> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
> >> Try to find : a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local
> >> And check what that is, any old server, a running one?
>
> a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local is a cname of
> the actual and correct pdc d7npdc.m2r.local (with same version samba)
>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> > I wonder if this is sort of self inflicted ?
> > The OP tried to join as a second DC, but this failed, he then tried
> > again. I wonder if the first try set up something (and didn't remove
> > it) that the second attempt doesn't like ?
> >
> > Rowland
> >
> Sorry for my bad english but here I not understand what you mean.

Your English isn't that bad, I just phrased the comment in a way you didn't understand ;-)

What I was trying to say was, did the first attempt to join the second DC to the first DC (NOTE: please don't call it a pdc, it isn't a pdc) create something in AD that the second join attempt didn't like.

Can I suggest this:
go here: http://apt.van-belle.nl/

Upgrade your first DC to 4.8.5 using Louis's packages.
Clean up and rename the PC that will become the second DC and then, using Louis's 4.8.5 packages try again.

The debian 4.5.x packages are EOL as far as Samba is concerned and there have been many changes since they were released.

Rowland
Fabio Fantoni
2018-Oct-02 13:21 UTC
[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join
On 02/10/2018 11:03, Rowland Penny via samba wrote:
> Your English isn't that bad, I just phrased the comment in a way you
> didn't understand ;-)
>
> What I was trying to say was, did the first attempt to join the second
> DC to the first DC (NOTE: please don't call it a pdc, it isn't a pdc)
> create something in AD that the second join attempt didn't like.
>
> Can I suggest this:
> go here: http://apt.van-belle.nl/
>
> Upgrade your first DC to 4.8.5 using Louis's packages.
> Clean up and rename the PC that will become the second DC and then,
> using Louis's 4.8.5 packages try again.
>
> The debian 4.5.x packages are EOL as far as Samba is concerned and
> there have been many changes since they were released.
>
> Rowland

I updated both the linux domain controllers to samba 4.8.5, changed the hostname of server I tried to add as dc but same error:

> samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> Finding a writeable DC for domain 'm2r.local'
> Found DC DUO-ADD-DC.m2r.local
> Password for [WORKGROUP\administrator]:
> workgroup is M2R
> realm is m2r.local
> Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
> Adding CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Adding CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Join failed - cleaning up
> Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
> Deleted CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> Deleted CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>     ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, in join_add_objects
>     ctx.samdb.modify(m)

d7npdc have all roles:

> samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local

DUO-ADD-DC.m2r.local is additional dc w2008r2 added recently, d7npdc what at samba 4.5 at the windows dc join.

Initially there was "s4pdc" debian 6 server with samba 4.0 beta or rc when I did provisioning, after I upgraded it to 4.0, added d7npdc (initially with debian 7 and it samba official backports packages), upgraded both to latest samba 4.1 and migrated all roles to d7npdc, after I upgraded them to debian 8, removed s4pdc, upgraded d7npdc to debian 9 and added the windows dc, previous week I tried to add additional debian 9 dc and today I upgraded samba to 4.8.

I also did dbcheck and other things after any samba upgrade until today that after 4.8 there are error that fail to fix:

> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<RMD_ADDTIME=131758801250000000>;<RMD_CHANGETIME=131775157830000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101925>;<RMD_ORIGINATING_USN=101925>;<RMD_VERSION=11>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local
> Change DN to <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<SID=S-1-5-21-2277923408-2990964511-2040291283-1126>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local? [y/N/all/none] all
> Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local already set via primaryGroupID 513')
> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6d68eb67-0fec-4cd2-bd1f-f374538c9f37>;<RMD_ADDTIME=131758801350000000>;<RMD_CHANGETIME=131775157700000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101922>;<RMD_ORIGINATING_USN=101922>;<RMD_VERSION=13>;CN=Amministrazione,OU=Accounts,DC=m2r,DC=local

And others are same type.

Thanks for any reply.
Rowland Penny
2018-Oct-02 13:47 UTC
[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join
On Tue, 2 Oct 2018 15:21:03 +0200 Fabio Fantoni <fabio.fantoni at m2r.biz> wrote:

> Initially there was "s4pdc" debian 6 server with samba 4.0 beta or rc
> when I did provisioning, after I upgraded it to 4.0, added d7npdc
> (initially with debian 7 and it samba official backports packages),
> upgraded both to latest samba 4.1 and migrated all roles to d7npdc,
> after I upgraded them to debian 8, removed s4pdc, upgraded d7npdc to
> debian 9 and added the windows dc, previous week I tried to add
> additional debian 9 dc and today I upgraded samba to 4.8.
>
> I also did dbcheck and other things after any samba upgrade until
> today that after 4.8 there are error that fail to fix:
>
> > ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<RMD_ADDTIME=131758801250000000>;<RMD_CHANGETIME=131775157830000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101925>;<RMD_ORIGINATING_USN=101925>;<RMD_VERSION=11>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local
> > Change DN to <GUID=6fcff21c-b468-4417-99f9-a1a766708b06>;<SID=S-1-5-21-2277923408-2990964511-2040291283-1126>;CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local? [y/N/all/none] all
> > Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=Fabio Fantoni,OU=Accounts,DC=m2r,DC=local already set via primaryGroupID 513')
> > ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local - <GUID=6d68eb67-0fec-4cd2-bd1f-f374538c9f37>;<RMD_ADDTIME=131758801350000000>;<RMD_CHANGETIME=131775157700000000>;<RMD_FLAGS=1>;<RMD_INVOCID=725f5ec4-75c7-4888-89a6-4fc935c7eb63>;<RMD_LOCAL_USN=101922>;<RMD_ORIGINATING_USN=101922>;<RMD_VERSION=13>;CN=Amministrazione,OU=Accounts,DC=m2r,DC=local
>
> And others are same type.

Hmm

'ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=m2r,DC=local '

There shouldn't be any 'member' attributes in the 'Domain Users' object, all users are automatically members of 'Domain Users'. Have you done something strange, such as changing all (or some) of your users' primaryGroupID attributes ?

Rowland
Alexey Sheplyakov
2018-Oct-03 11:00 UTC
[Samba] Unable to add additional domain controller - uncaught exception - LDAP error 10 on join
On 10/02/2018 05:21 PM, Fabio Fantoni via samba wrote:

> I updated both the linux domain controllers to samba 4.8.5, changed
> the hostname of server I tried to add as dc but same error:
>
>> samba-tool domain join m2r.local DC -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>> Finding a writeable DC for domain 'm2r.local'
>> Found DC DUO-ADD-DC.m2r.local
>> Password for [WORKGROUP\administrator]:
>> workgroup is M2R
>> realm is m2r.local
>> Adding CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>> Adding CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Adding CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Join failed - cleaning up
>> Deleted CN=D9NDC,OU=Domain Controllers,DC=m2r,DC=local
>> Deleted CN=NTDS Settings,CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> Deleted CN=D9NDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
>>     ref 1: 'a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local'
>> > <ldap://a45ce9be-c350-4429-964b-a10c1dd92af5._msdcs.m2r.local>
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
>>     plaintext_secrets=plaintext_secrets)
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
>>     ctx.do_join()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
>>     ctx.join_add_objects()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 673, in join_add_objects
>>     ctx.samdb.modify(m)
>
> d7npdc have all roles:
>
>> samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
>
> DUO-ADD-DC.m2r.local is additional dc w2008r2 added recently, d7npdc
> what at samba 4.5 at the windows dc join.

We have been experiencing a similar (same?) problem when joining samba4 DC's to windows (2008 r2) ones, see this thread for more details:

https://lists.samba.org/archive/samba-technical/2018-June/128672.html

As far as I understand the problem is caused by 3 factors

1) samba-tool prefers to pick a windows DC to perform the join
2) when joining as a DC samba-tool tries to modify the application directory partition (presumably describing DNS zone) via LDAP (as opposed to DRS RPC)
3) windows strictly obeys FSMO roles and returns an error (or rather a referral) if (to a DC holding `Domain naming master` FSMO role)

To solve the problem one can instruct samba-tool to talk with a DC holding `Domain naming master' FSMO role (d7npdc in your example), something like this:

samba-tool domain join m2r.local DC --server=D7NPDC.m2r.local -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

Or apply a patch which does this automatically (attached), and (if you feel lucky) convince samba developers to merge it (so people won't face this problem ever and ever again).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-join.py-automatically-connect-to-domain-naming-maste.patch
Type: text/x-patch
Size: 4453 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20181003/aeb9b4f8/0001-join.py-automatically-connect-to-domain-naming-maste.bin>
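
The workaround in the message above depends on knowing which DC holds the Domain naming master role. As an added example (not part of the original post and not Samba code), this shell snippet reads `samba-tool fsmo show` output and derives the `--server` value; the function names `role_owner` and `join_server` are hypothetical, and the FQDN is assumed to be the server object's CN plus the realm, as in the command above.

```shell
#!/bin/sh
# Added example: find the Domain naming master in `samba-tool fsmo show`
# output and build the --server argument for `samba-tool domain join`.

# Sample input: three of the role lines quoted in this thread, one per line.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=D7NPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=m2r,DC=local'

# role_owner ROLE (hypothetical helper): read fsmo output on stdin and print
# the server CN that owns ROLE. The owner DN has the form
# "CN=NTDS Settings,CN=<server>,CN=Servers,..."; the second RDN is the server.
# Exits 1 when the role line is missing or the DN does not have that shape.
role_owner() {
    awk -v role="$1" '
        $1 == role && $2 == "owner:" {
            dn = $0
            sub(/^[^:]*:[ \t]*/, "", dn)      # drop "<Role> owner: "
            n = split(dn, rdn, ",")
            if (n >= 3 && rdn[1] == "CN=NTDS Settings" &&
                rdn[2] ~ /^CN=/ && rdn[3] == "CN=Servers") {
                print substr(rdn[2], 4)       # strip the "CN=" prefix
                found = 1
            }
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# join_server REALM (hypothetical helper): print the host to pass to --server.
# Assumption: the DC's DNS name is <server CN>.<realm>.
join_server() {
    realm=$1
    owner=$(role_owner DomainNamingMasterRole) || return 1
    printf '%s.%s\n' "$owner" "$realm"
}

# On a live DC, replace the sample with: samba-tool fsmo show | join_server m2r.local
server=$(printf '%s\n' "$SAMPLE_FSMO" | join_server m2r.local) &&
    printf "samba-tool domain join m2r.local DC --server=%s -Uadministrator --realm=m2r.local --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'\n" "$server"
```
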