On Fri, 23 Nov 2018 08:20:42 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> Samba 4.7.6 Ubuntu
>
> /etc/hosts:
>
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts

Change the top two lines to:

127.0.0.1 localhost
::1 localhost6

Then add a line:

THE_DC_IP THE_DC_FQDN THE_DC_SHORT_HOSTNAME

> /etc/resolv.conf:
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "systemd-resolve --status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53

Stop systemd-resolved from managing /etc/resolv.conf (in fact, stop systemd-resolved)

Then create a new /etc/resolv.conf:

search YOUR_DNS_DOMAIN
nameserver AN_EXISTING_AD_DC

Once the DC is joined, change the 'nameserver' line to point to the new DC's IP address, i.e. itself

> /etc/krb5.conf:
>
> [libdefaults]
> default_realm = DARAM.COM
> # dns_lookup_realm = false
> # dns_lookup_kdc = true

You only need the four lines above, uncomment the last two

> All suggestions failed.
>
> I modified the last suggestion.. I had to add the -U option because
> there is no user in the DOMAIN for the UNIX user that is running the
> command.

Unless the 'UNIX user' is root (or you are using sudo), the unix user shouldn't be running the command.

> :~$ samba-tool domain join daram.com DC --dns-backend=SAMBA_INTERNAL --realm=DOMAIN.COM -U"DOMAIN\administrator"
> Finding a writeable DC for domain 'domain.com'
> Found DC DC01.daram.com
> Password for [DOMAIN\administrator]:
> workgroup is DOMAIN
> realm is domain.com
> Adding CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Adding CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Adding CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Adding SPNs to CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Setting account password for DCU1801$
> Enabling account
> Calling bare provision
> Join failed - cleaning up
> Deleted CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
> Deleted CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> Deleted CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: guess_names: 'server role=standalone server' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'! Please remove the smb.conf file and let provision generate it
> File

Do what it tells you, remove the existing smb.conf

> I am happy to install a different version of Samba, however, I would
> rather not have to compile Samba. Moreover, I'd have to uninstall
> the current Samba Version. However, if easier, I'd just reinstall
> Ubuntu. Guidance for this would be appreciated.

As you are using Ubuntu 18.04, you could just install Louis's Samba packages. They will install over and replace your existing Samba packages.

Rowland
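
The checks implied by the reply above, collected into one pre-join test; this is an added example, not part of the original thread and not Samba's own tooling. The function name `prejoin_check`, its messages and the ROOT argument (so it can be run against a copy of `/etc`) are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-join checks for the four files discussed in the reply above.
# usage: prejoin_check ROOT DC_FQDN REALM   (ROOT is "/" on a real host)
# Prints one line per problem and returns the number of problems found.
prejoin_check() {
    root=$1 fqdn=$2 realm=$3 bad=0
    short=${fqdn%%.*}
    hosts=$root/etc/hosts resolv=$root/etc/resolv.conf
    krb=$root/etc/krb5.conf smb=$root/etc/samba/smb.conf

    # hosts: a non-loopback line must read "IP FQDN SHORT_HOSTNAME"
    awk -v f="$fqdn" -v s="$short" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 !~ /^127\./ && $1 != "::1" && $2 == f && $3 == s { ok = 1 }
        END { exit !ok }' "$hosts" ||
        { echo "hosts: no 'IP $fqdn $short' line"; bad=$((bad + 1)); }

    # resolv.conf: the systemd-resolved stub must not be the nameserver
    if grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53' "$resolv"; then
        echo "resolv.conf: still points at the systemd-resolved stub"
        bad=$((bad + 1))
    fi
    grep -Eq '^search[[:space:]]' "$resolv" ||
        { echo "resolv.conf: no search domain"; bad=$((bad + 1)); }

    # krb5.conf: the three settings must be present and uncommented
    for want in "default_realm = $realm" "dns_lookup_realm = false" \
                "dns_lookup_kdc = true"; do
        key=${want%% =*} val=${want##*= }
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*\$" "$krb" ||
            { echo "krb5.conf: missing or commented: $want"; bad=$((bad + 1)); }
    done

    # smb.conf: provision generates it, so a leftover file blocks the join
    if [ -e "$smb" ]; then
        echo "smb.conf: exists, remove it before joining"
        bad=$((bad + 1))
    fi
    return "$bad"
}
```

On the machine being joined it would be called as `prejoin_check / "$(hostname -f)" YOUR_REALM` before running `samba-tool domain join`.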
>> I am happy to install a different version of Samba, however, I would
>> rather not have to compile Samba. Moreover, I'd have to uninstall
>> the current Samba Version. However, if easier, I'd just reinstall
>> Ubuntu. Guidance for this would be appreciated.
>
> As you are using Ubuntu 18.04, you could just install Louis's Samba packages. They will install over and replace your existing Samba packages.

I did this and the domain join with a Samba DC succeeded.

Barry Adkins
>> As you are using Ubuntu 18.04, you could just install Louis's Samba packages. They will install over and replace your existing Samba packages.
>
> I did this and the domain join with a Samba DC succeeded.

Well these "errors/warnings" were reported even though the command succeeded:

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!

I don't know why this warning because the system krb5.conf has the entries in that file they want to be merged. Maybe the install examined the file in /usr/shar/samba/setup ??

AND at the very end of a long list of things it did:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1164, in join_add_dns_records
    None)

Barry Adkins
++++++++++++

Wait, I spoke too soon. After reviewing the long list of things it did do, but didn't before... I see, "Join failed - cleaning up". I have not listed the entire list of things it did accomplish but will if needed. Here is the "end" where it appears to go wrong (I think)...

Partition[DC=daram,DC=com] objects[5985/14688] linked_values[0/385]
dsdb_replicated_objects_convert: Ignoring object outside partition c67ea78b-bf13-4fff-9edf-7f1d71013476 DC=DomainDnsZones,DC=daram,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition e511e246-2bca-4040-9ee1-c2192848072b CN=Configuration,DC=daram,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition 3e776b4d-bd1d-4d16-afd8-43a3cbf03938 DC=ForestDnsZones,DC=daram,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=daram,DC=com
Partition[DC=DomainDnsZones,DC=daram,DC=com] objects[402/480] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=daram,DC=com] objects[419/480] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=daram,DC=com
Partition[DC=ForestDnsZones,DC=daram,DC=com] objects[9/9] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=daram,DC=com] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for HOUDCU1801.daram.com
Adding DNS A record HOUDCU1801.daram.com for IPv4 IP: 131.192.176.40
Adding DNS CNAME record c5a25e6e-d388-4b93-bf00-37471a4e2951._msdcs.daram.com for HOUDCU1801.daram.com
Join failed - cleaning up
Deleted CN=RID Set,CN=HOUDCU1801,OU=Domain Controllers,DC=daram,DC=com
Deleted CN=HOUDCU1801,OU=Domain Controllers,DC=daram,DC=com
Deleted CN=NTDS Settings,CN=HOUDCU1801,CN=Servers,CN=Houston,CN=Sites,CN=Configuration,DC=daram,DC=com
Deleted CN=HOUDCU1801,CN=Servers,CN=Houston,CN=Sites,CN=Configuration,DC=daram,DC=com
Deleted DC=HOUDCU1801,DC=daram.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=daram,DC=com
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1164, in join_add_dns_records
    None)

"'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'"

I'm not sure what DNS Zone it is looking for, but I suspect it must need to look for something different than it is looking for.

Barry Adkins
On Sat, 24 Nov 2018 07:36:56 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> >> As you are using Ubuntu 18.04, you could just install Louis's
> >> Samba packages. They will install over and replace your existing
> >> Samba packages.
> >
> > I did this and the domain join with a Samba DC succeeded.
>
> Well these "errors/warnings" were reported even though the command
> succeeded:
>
> A Kerberos configuration suitable for Samba AD has been generated
> at /var/lib/samba/private/krb5.conf Merge the contents of this file
> with your system krb5.conf or replace it with this one. Do not create
> a symlink!
>
> I don't know why this warning because the system krb5.conf has the
> entries in that file they want to be merged. Maybe the install
> examined the file in /usr/shar/samba/setup ??

No, it isn't a 'warning', it is a notice. It is just telling you that there is a 'krb5.conf' file that you should use. This is a part of the 'provision' code that runs during the 'join' and can be ignored in this case, because the join wouldn't work if krb5.conf wasn't set up correctly.

> AND at the very end of a long list of things it did:
>
> ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
>     backend_store=backend_store)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
>     ctx.join_add_dns_records()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1164, in join_add_dns_records
>     None)

Very strange, it looks like it is trying to add a dns record to a zone that doesn't exist, does the Windows DC you are using to join to the domain run a dns server?

Rowland