Which Samba version, because I've seen reports that 4.8 fails and 4.7 fails but 4.6 should work, and I don't know about 4.9.2.

Can you show your /etc/hosts file and /etc/resolv.conf and /etc/krb5.conf

You used :
samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0"
not wrong, but can you try.

kinit Administrator
samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0" -k

If that does not work.
samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0" -k

If not,...
samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL -k

If not,
samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --realm=YOUR_REALM -k

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Barry D. Adkins via samba
> Sent: Wednesday 21 November 2018 22:15
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> Samba-tool FAILED
>
> I've installed these packages:
>
> apt-get install samba winbind libnss-winbind libpam-winbind libpam-krb5 krb5-config
>
> Installing on fresh Ubuntu 18.04 server
>
> :~$ samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0"
> Finding a writeable DC for domain 'mydomain.com'
> Found DC DC01.mydomain.com
> Password for [MYDOMAIN\administrator]:
> workgroup is MYDOMAIN
> realm is mydomain.com
> Adding CN=DCU18,OU=Domain Controllers,DC=mydomain,DC=com
> Adding CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Adding CN=NTDS Settings,CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Join failed - cleaning up
> Deleted CN=DCU18,OU=Domain Controllers,DC=mydomain,DC=com
> Deleted CN=NTDS Settings,CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Deleted CN=DCU18,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
>     ref 1: '50bb59f8-933c-41a5-87d9-f98ad1fa4e10._msdcs.daram.com'
> > <ldap://50bb59f8-933c-41a5-87d9-f98ad1fa4e10._msdcs.mydomain.com>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
>     ctx.samdb.modify(m)
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

Samba 4.7.6 Ubuntu
/etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
/etc/resolv.conf:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
/etc/krb5.conf:
[libdefaults]
default_realm = DARAM.COM
# dns_lookup_realm = false
# dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
>You used :
>samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0"
>not wrong, but can you try.
>
>kinit Administrator
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0" -k
>If that does not work.
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0" -k
>If not,...
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL -k
>If not,
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --realm=YOUR_REALM -k

-k option requires an argument
All suggestions failed.
I modified the last suggestion.. I had to add the -U option because there is no
user in the DOMAIN for the UNIX user that is running the command.
:~$ samba-tool domain join daram.com DC --dns-backend=SAMBA_INTERNAL --realm=DOMAIN.COM -U"DOMAIN\administrator"
Finding a writeable DC for domain 'domain.com'
Found DC DC01.daram.com
Password for [DOMAIN\administrator]:
workgroup is DOMAIN
realm is domain.com
Adding CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Adding CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding SPNs to CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Setting account password for DCU1801$
Enabling account
Calling bare provision
Join failed - cleaning up
Deleted CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Deleted CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Deleted CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: guess_names: 'server role=standalone server' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'! Please remove the smb.conf file and let provision generate it
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1376, in do_join
    ctx.join_provision()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 840, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2028, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 614, in guess_names
    raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))

I am happy to install a different version of Samba, however, I would rather not
have to compile Samba. Moreover, I'd have to uninstall the current Samba
Version. However, if easier, I'd just reinstall Ubuntu. Guidance for this
would be appreciated.
Barry Adkins

On Fri, 23 Nov 2018 08:20:42 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> Samba 4.7.6 Ubuntu
>
> /etc/hosts:
>
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts

Change the top two lines to:

127.0.0.1 localhost
::1 localhost6

Then add a line:

THE_DC_IP THE_DC_FQDN THE_DC_SHORT_HOSTNAME

> /etc/resolv.conf:
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "systemd-resolve --status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53

Stop systemd-resolved from managing /etc/resolv.conf (in fact, stop systemd-resolved)

Then create a new /etc/resolv.conf:

search YOUR_DNS_DOMAIN
nameserver AN_EXISTING_AD_DC

Once the DC is joined, change the 'nameserver' line to point the new DC's ipaddress i.e. itself

> /etc/krb5.conf:
>
> [libdefaults]
> default_realm = DARAM.COM
> # dns_lookup_realm = false
> # dns_lookup_kdc = true

You only need the four lines above, uncomment the last two

> All suggestions failed.
>
> I modified the last suggestion.. I had to add the -U option because
> there is no user in the DOMAIN for the UNIX user that is running the
> command.

Unless the 'UNIX user' is root (or you are using sudo), the unix user shouldn't be running the command.

> :~$ samba-tool domain join daram.com DC --dns-backend=SAMBA_INTERNAL --realm=DOMAIN.COM -U"DOMAIN\administrator"
> Finding a writeable DC for domain 'domain.com'
> Found DC DC01.daram.com
> Password for [DOMAIN\administrator]:
> workgroup is DOMAIN
> realm is domain.com
> Adding CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Adding CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Adding CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Adding SPNs to CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Setting account password for DCU1801$
> Enabling account
> Calling bare provision
> Join failed - cleaning up
> Deleted CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Deleted CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Deleted CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: guess_names: 'server role=standalone
> server' in /etc/samba/smb.conf must match chosen server role 'active
> directory domain controller'! Please remove the smb.conf file and
> let provision generate it
> File

Do what it tells you, remove the existing smb.conf

> I am happy to install a different version of Samba, however, I would
> rather not have to compile Samaba. Moreover, I'd have to uninstall
> the current Samba Version. However, if easier, I'd just reinstall
> Ubuntu. Guidance for this would be appreciated.

As you are using Ubuntu 18.04, you could just install Louis's Samba packages. They will install over and replace your existing Samba packages.

Rowland
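
Added example (not part of the thread and not Samba project code): a pre-join check that applies the advice in the reply above to the four files discussed, so the problems show up before samba-tool starts creating and deleting objects in the directory. The function name dc_join_preflight and the exact checks are assumptions made for this illustration.

```shell
#!/bin/sh
# Pre-join sanity check for the files discussed in the thread (added example).
# Prints one finding per line; prints nothing when every check passes.
dc_join_preflight() {
    hosts=$1 resolv=$2 krb5=$3 smbconf=$4

    # /etc/hosts: expect an "IP FQDN SHORTNAME" line on a non-loopback address.
    awk '$1 !~ /^(#|127\.|::1$)/ && NF >= 3 && $2 ~ /\./ { ok = 1 }
         END { exit !ok }' "$hosts" ||
        echo "hosts: no 'IP FQDN SHORTNAME' line on a non-loopback address"

    # /etc/resolv.conf: should name an existing AD DC, not the local stub.
    if grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53' "$resolv"; then
        echo "resolv.conf: nameserver is the systemd-resolved stub (127.0.0.53)"
    fi
    grep -Eq '^search[[:space:]]+[^[:space:]]' "$resolv" ||
        echo "resolv.conf: no 'search' line for the AD DNS domain"

    # /etc/krb5.conf: each setting must be present and not commented out.
    for want in 'default_realm = .+' 'dns_lookup_realm = false' \
                'dns_lookup_kdc = true'; do
        pat=$(printf '%s' "$want" | sed 's/ = /[[:space:]]*=[[:space:]]*/')
        grep -Eq "^[[:space:]]*$pat[[:space:]]*\$" "$krb5" ||
            echo "krb5.conf: missing or commented out: ${want%% *}"
    done

    # smb.conf: an existing file with another server role aborts provisioning.
    if [ -e "$smbconf" ]; then
        echo "smb.conf: $smbconf exists; move it aside so the join can generate it"
    fi
    return 0
}

# Run against real files when four paths are given, e.g.:
#   sh preflight.sh /etc/hosts /etc/resolv.conf /etc/krb5.conf /etc/samba/smb.conf
if [ "$#" -eq 4 ]; then
    dc_join_preflight "$@"
fi
```

Run against the files posted earlier in the thread, this reports the missing hosts entry, the stub resolver, the two commented-out krb5.conf settings and the packaged smb.conf.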