Hi,

I'm trying to join a Samba installation (4.8.6, Debian Stretch) to an existing 2012-R2 DC. It fails with the message below:

# samba-tool domain join mydomain.tld DC -U"MYDOMAIN.TLD\Administrator" --dns-backend=BIND9_DLZ --server=10.22.1.91

Password for [MYDOMAIN.TLD\Administrator]:
workgroup is MYDOMAIN
realm is mydomain.tld
Adding CN=DC3,OU=Domain Controllers,DC=mydomain,DC=tld
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002010: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0>
<>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects
    ctx.samdb.add(rec)

Hi,

The problem that I mentioned above was related to the Windows side (maybe a misconfigured 2nd DC). Btw, when I do a new provision from scratch, the error is gone but a new one appears:

DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up

At this point, I need a certain answer for "Is Samba 4.8.x compatible with 2012-R2 function level for forest and domain?". Release notes say that Samba is compatible with 2012-R2 since 4.7. So what should I do to make Samba 4.8 join an existing 2012-R2 DC in order to benefit from this feature?

Thanks.

> Hi,
>
> I'm trying to join a Samba installation (4.8.6, Debian Stretch) to an
> existing 2012-R2 DC. It fails with the message below:
>
> # samba-tool domain join mydomain.tld DC -U"MYDOMAIN.TLD\Administrator" --dns-backend=BIND9_DLZ --server=10.22.1.91
>
> Password for [MYDOMAIN.TLD\Administrator]:
> workgroup is MYDOMAIN
> realm is mydomain.tld
> Adding CN=DC3,OU=Domain Controllers,DC=mydomain,DC=tld
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002010: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0>
> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects
>     ctx.samdb.add(rec)

On Thu, 25 Oct 2018 15:13:39 +0300 Taner Tas via samba <samba at lists.samba.org> wrote:

> Hi,
>
> The problem that I mentioned above was related to the Windows side
> (maybe a misconfigured 2nd DC). Btw, when I do a
> new provision from scratch, the error is gone but a new one appears:
>
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
> Join failed - cleaning up
>
> At this point, I need a certain answer for "Is Samba 4.8.x
> compatible with 2012-R2 function level for forest and domain?".

As a DC, no, as a Unix domain member, yes

> Release notes say that Samba is compatible with 2012-R2 since 4.7. So

Where does it say this?

> what should I do to make Samba 4.8 join an existing 2012-R2 DC in
> order to benefit from this feature?

Join as a Unix domain member.

The problem is the different schema versions, Samba AD uses 47 and 2012 uses 56 or 67

Try reading this:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

Rowland