Rowland Penny
2019-Mar-27 09:01 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Wed, 27 Mar 2019 09:45:18 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I don't think one noticed this..
>
> ldbsearch -H ldap://dc4 -UAdministrator
> ldbsearch -H ldap://dc1 -U Administrator
>
> So what's the difference when you see this response of the command:
> Invalid option -U: unknown ...
>
> The " " between -U Admin...
> Try again without the space or use --user=Administrator
>
> Greetz,
>
> Louis

The space doesn't make any difference: '-U Administrator' or
'-UAdministrator' both work, as does '-U administrator' or
'-Uadministrator'.

I just wonder where '-U' went?

Rowland
Rowland Penny
2019-Mar-27 09:36 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Wed, 27 Mar 2019 09:01:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 27 Mar 2019 09:45:18 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I don't think one noticed this..
> >
> > ldbsearch -H ldap://dc4 -UAdministrator
> > ldbsearch -H ldap://dc1 -U Administrator
> >
> > So what's the difference when you see this response of the command:
> > Invalid option -U: unknown ...
> >
> > The " " between -U Admin...
> > Try again without the space or use --user=Administrator
> >
> > Greetz,
> >
> > Louis
>
> The space doesn't make any difference: '-U Administrator' or
> '-UAdministrator' both work, as does '-U administrator' or
> '-Uadministrator'.
>
> I just wonder where '-U' went?
>
> Rowland

I have been looking at the 'Administrator' object that the OP posted.

The failure in his original post was this:

ERROR(ldb): uncaught exception - descriptor_modify on
CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error
at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819

Lines 816 - 820 in descriptor.c are these:

    objectclass = dsdb_get_last_structural_class(schema,
                                                 objectclass_element);
    if (objectclass == NULL) {
            return ldb_operr(ldb);
    }

So, it looks like (to me anyway) that it is looking for the objectclass
for 'nTSecurityDescriptor' and trying to match it to the last
objectclass found in the list:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount

I may be barking up the wrong tree here, but I would remove all the
rfc2307 attributes and objectclass from 'Administrator':

objectClass: posixAccount
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root

They are definitely not required and could be causing the problem.

Rowland
Franta Hanzlík
2019-Mar-27 12:00 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed (ldbsearch has not -U and -V)
On Wed, 27 Mar 2019 09:01:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 27 Mar 2019 09:45:18 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I don't think one noticed this..
> >
> > ldbsearch -H ldap://dc4 -UAdministrator
> > ldbsearch -H ldap://dc1 -U Administrator
> >
> > So what's the difference when you see this response of the command:
> > Invalid option -U: unknown ...
> >
> > The " " between -U Admin...
> > Try again without the space or use --user=Administrator
> >
> > Greetz,
> >
> > Louis
>
> The space doesn't make any difference: '-U Administrator' or
> '-UAdministrator' both work, as does '-U administrator' or
> '-Uadministrator'.
>
> I just wonder where '-U' went?

Yes, there is no difference between '-UAdministrator' and
'-U Administrator'. But it seems that ldbsearch in 4.9.5 is different
from 4.9.4-. (I was furious with that, because I found a lot of
articles on the net where -U _username_ was stated.)

My ldbsearch is from pure Samba-4.9.5, self compiled on Fedora 29
x86_64. And now I see it doesn't even have a '-V' switch:

[root@dc1 bind-dns]# ldbsearch --usage
Usage: [-?viraS] [-?|--help] [--usage] [-H|--url=URL] [-b|--basedn=DN]
        [-e|--editor=PROGRAM] [-s|--scope=SCOPE] [-v|--verbose] [--trace]
        [-i|--interactive] [-r|--recursive] [--modules-path=PATH]
        [--num-searches=INT] [--num-records=INT] [-a|--all] [--nosync]
        [-S|--sorted] [-o=OPTION] [--controls=STRING] [--show-binary] [--paged]
        [--show-deleted] [--show-recycled] [--show-deactivated-link] [--reveal]
        [--relax] [--cross-ncs] [--extended-dn]
[root@dc1 bind-dns]# ldbsearch -V
Invalid option -V: unknown option
Usage: ldbsearch <options> <expression> <attrs...>
Usage: [OPTION...]
  -H, --url=URL                 database URL
  -b, --basedn=DN               base DN
  -e, --editor=PROGRAM          external editor
  -s, --scope=SCOPE             search scope
  -v, --verbose                 increase verbosity
      --trace                   enable tracing
  -i, --interactive             input from stdin
  -r, --recursive               recursive delete
      --modules-path=PATH       modules path
      --num-searches=INT        number of test searches
      --num-records=INT         number of test records
  -a, --all                     (|(objectClass=*)(distinguishedName=*))
      --nosync                  non-synchronous transactions
  -S, --sorted                  sort attributes
  -o=OPTION                     ldb_connect option
      --controls=STRING         controls
      --show-binary             display binary LDIF
      --paged                   use a paged search
      --show-deleted            show deleted objects
      --show-recycled           show recycled objects
      --show-deactivated-link   show deactivated links
      --reveal                  reveal ldb internals
      --relax                   pass relax control
      --cross-ncs               search across NC boundaries
      --extended-dn             show extended DNs

Help options:
  -?, --help                    Show this help message
      --usage                   Display brief usage message

--
Franta
Rowland Penny
2019-Mar-27 13:11 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed (ldbsearch has not -U and -V)
On Wed, 27 Mar 2019 13:00:42 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:

> Yes, there is no difference between '-UAdministrator' and
> '-U Administrator'. But it seems that ldbsearch in 4.9.5 is different
> from 4.9.4-. (I was furious with that, because I found a lot of
> articles on the net where -U _username_ was stated.)
>
> My ldbsearch is from pure Samba-4.9.5, self compiled on Fedora 29
> x86_64. And now I see it doesn't even have a '-V' switch:
>
> [root@dc1 bind-dns]# ldbsearch --usage
> Usage: [-?viraS] [-?|--help] [--usage] [-H|--url=URL]
> [-b|--basedn=DN] [-e|--editor=PROGRAM] [-s|--scope=SCOPE]
> [-v|--verbose] [--trace] [-i|--interactive] [-r|--recursive]
> [--modules-path=PATH] [--num-searches=INT] [--num-records=INT]
> [-a|--all] [--nosync] [-S|--sorted] [-o=OPTION] [--controls=STRING]
> [--show-binary] [--paged] [--show-deleted] [--show-recycled]
> [--show-deactivated-link] [--reveal] [--relax] [--cross-ncs]
> [--extended-dn]
> [root@dc1 bind-dns]# ldbsearch -V
> Invalid option -V: unknown option
> Usage: ldbsearch <options> <expression> <attrs...>
> Usage: [OPTION...]
>   -H, --url=URL                 database URL
>   -b, --basedn=DN               base DN
>   -e, --editor=PROGRAM          external editor
>   -s, --scope=SCOPE             search scope
>   -v, --verbose                 increase verbosity
>       --trace                   enable tracing
>   -i, --interactive             input from stdin
>   -r, --recursive               recursive delete
>       --modules-path=PATH       modules path
>       --num-searches=INT        number of test searches
>       --num-records=INT         number of test records
>   -a, --all                     (|(objectClass=*)(distinguishedName=*))
>       --nosync                  non-synchronous transactions
>   -S, --sorted                  sort attributes
>   -o=OPTION                     ldb_connect option
>       --controls=STRING         controls
>       --show-binary             display binary LDIF
>       --paged                   use a paged search
>       --show-deleted            show deleted objects
>       --show-recycled           show recycled objects
>       --show-deactivated-link   show deactivated links
>       --reveal                  reveal ldb internals
>       --relax                   pass relax control
>       --cross-ncs               search across NC boundaries
>       --extended-dn             show extended DNs
>
> Help options:
>   -?, --help                    Show this help message
>       --usage                   Display brief usage message

How did you compile Samba?

You seem to have lost a lot of the options :-)

On Debian 4.9.5, you get this:

ldbsearch --usage
Usage: [-?viraSNPeV] [-?|--help] [--usage] [-H|--url=URL] [-b|--basedn=DN]
        [-e|--editor=PROGRAM] [-s|--scope=SCOPE] [-v|--verbose] [--trace]
        [-i|--interactive] [-r|--recursive] [--modules-path=PATH]
        [--num-searches=INT] [--num-records=INT] [-a|--all] [--nosync]
        [-S|--sorted] [-o=OPTION] [--controls=STRING] [--show-binary] [--paged]
        [--show-deleted] [--show-recycled] [--show-deactivated-link] [--reveal]
        [--relax] [--cross-ncs] [--extended-dn] [-d|--debuglevel=DEBUGLEVEL]
        [--debug-stderr] [-s|--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
        [--password=STRING] [-A|--authentication-file=FILE] [-P|--machine-pass]
        [--simple-bind-dn=STRING] [-k|--kerberos=STRING] [--krb5-ccache=STRING]
        [-S|--sign] [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
        [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-S|--signing=on|off|required] [-W|--workgroup=WORKGROUP]
        [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-V|--version]

It looks like you have lost these:

Usage: [-NPeV] [--reveal] [--relax] [--cross-ncs] [--extended-dn]
        [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr]
        [-s|--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
        [--password=STRING] [-A|--authentication-file=FILE] [-P|--machine-pass]
        [--simple-bind-dn=STRING] [-k|--kerberos=STRING] [--krb5-ccache=STRING]
        [-S|--sign] [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
        [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-S|--signing=on|off|required] [-W|--workgroup=WORKGROUP]
        [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-V|--version]

Rowland
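The comparison Rowland made by hand between the two '--usage' outputs can be scripted before a build is trusted to talk to a DC. What follows is an added example, not code from the thread or from Samba: it parses popt's 'Usage:' line, which nests brackets in entries such as [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]], and reports which credential options a given ldbsearch build does not advertise. The two sample strings are abridged from the Fedora and Debian outputs quoted above; the list of options to check for is the author's own choice.

```python
import re

# Constructed samples, abridged from the two '--usage' outputs quoted in the
# thread: the self-compiled Fedora build and the Debian 4.9.5 package.
FEDORA_USAGE = (
    "Usage: [-?viraS] [-?|--help] [--usage] [-H|--url=URL] [-b|--basedn=DN] "
    "[-s|--scope=SCOPE] [-a|--all] [-o=OPTION] [--cross-ncs] [--extended-dn]"
)
DEBIAN_USAGE = FEDORA_USAGE.replace("[-?viraS]", "[-?viraSNPeV]") + (
    " [-s|--configfile=CONFIGFILE] [--option=name=value]"
    " [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]"
    " [--password=STRING] [-A|--authentication-file=FILE] [-P|--machine-pass]"
    " [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-V|--version]"
)

# Samba common options a full build adds; without them the tool cannot bind
# to a DC as a named user, which is what the thread ran into. (Own selection.)
CREDENTIAL_OPTIONS = {
    "-U", "--user", "-N", "--no-pass", "--password", "-A",
    "--authentication-file", "-P", "--machine-pass", "-k", "--kerberos",
    "--krb5-ccache", "-V", "--version",
}


def parse_usage(text):
    """Return the set of option names in popt's 'Usage: [...] [...]' line."""
    # [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] nests brackets, so track
    # depth instead of splitting on ']'.
    body = text.split("Usage:", 1)[-1]
    groups, cur, depth = [], [], 0
    for ch in body:
        if ch == "[":
            if depth:
                cur.append(ch)
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth:
                cur.append(ch)
            else:
                groups.append("".join(cur))
                cur = []
        elif depth:
            cur.append(ch)
    names = set()
    for g in groups:
        if re.fullmatch(r"-\?\w+", g):  # "[-?viraS]": popt's short-flag summary
            continue
        for alt in g.split("|"):
            names.add(alt.split("=", 1)[0])
    return names


def missing_credential_options(usage_text):
    """Credential options the given usage text does not advertise."""
    return sorted(CREDENTIAL_OPTIONS - parse_usage(usage_text))
```

Feed it the captured output of 'ldbsearch --usage' from the build under test; an empty result means the Samba credential options are present.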
Franta Hanzlík
2019-Mar-27 14:51 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Wed, 27 Mar 2019 09:36:55 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 27 Mar 2019 09:01:39 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Wed, 27 Mar 2019 09:45:18 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > > I don't think one noticed this..
> > >
> > > ldbsearch -H ldap://dc4 -UAdministrator
> > > ldbsearch -H ldap://dc1 -U Administrator
> > >
> > > So what's the difference when you see this response of the command:
> > > Invalid option -U: unknown ...
> > >
> > > The " " between -U Admin...
> > > Try again without the space or use --user=Administrator
> > >
> > > Greetz,
> > >
> > > Louis
> >
> > The space doesn't make any difference: '-U Administrator' or
> > '-UAdministrator' both work, as does '-U administrator' or
> > '-Uadministrator'.
> >
> > I just wonder where '-U' went?
> >
> > Rowland
>
> I have been looking at the 'Administrator' object that the OP posted.
>
> The failure in his original post was this:
>
> ERROR(ldb): uncaught exception - descriptor_modify on
> CN=Administrator,CN=Users,DC=zamecek,DC=home failed: operations error
> at ../source4/dsdb/samdb/ldb_modules/descriptor.c:819
>
> Lines 816 - 820 in descriptor.c are these:
>
>     objectclass = dsdb_get_last_structural_class(schema,
>                                                  objectclass_element);
>     if (objectclass == NULL) {
>             return ldb_operr(ldb);
>     }
>
> So, it looks like (to me anyway) that it is looking for the objectclass
> for 'nTSecurityDescriptor' and trying to match it to the last
> objectclass found in the list:
>
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: posixAccount
>
> I may be barking up the wrong tree here, but I would remove all the
> rfc2307 attributes and objectclass from 'Administrator':
>
> objectClass: posixAccount
> gidNumber: 1103
> uidNumber: 0
> loginShell: /bin/bash
> unixHomeDirectory: /root
>
> They are definitely not required and could be causing the problem.

I removed these attributes (via LDB_MODULES_PATH="/usr/lib64/samba/ldb/"
ldbedit -e joe -H /var/lib/samba/private/sam.ldb -s sub '(CN=Administrator)').

I also deleted some orphaned/abandoned SSS words from /etc/nsswitch
(Fedora by default is installed with sssd support, and it seems that
even when the system is switched to winbind, some sss stuff remains
there, concretely:

shadow:     files sss
services:   files sss
netgroup:   sss
automount:  files sss

). It caused a problem when I tried to join another Samba machine
(fileserver) into the domain; these SSS parts caused DNS errors such as:

[root@lynx samba]# net ads join -U Administrator
Using short domain name -- SSUPS-ZAMECEK
Joined 'LYNX' to dns domain 'zamecek.home'
DNS Update for lynx.zamecek.home failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL

[root@lynx samba]# net ads join -U Administrator
Using short domain name -- SSUPS-ZAMECEK
Joined 'LYNX' to dns domain 'zamecek.home'
DNS Update for lynx.zamecek.home failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

and after removing them, all was OK.

And joining the second DC now finally seems to be good too!:

[root@dc2-lynx etc]# samba-tool domain join zamecek.home DC -U"SSUPS-ZAMECEK\administrator" --option='idmap_ldb:use rfc2307 = yes' --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'zamecek.home'
Found DC dc1.zamecek.home
Password for [SSUPS-ZAMECEK\administrator]:
workgroup is SSUPS-ZAMECEK
realm is zamecek.home
Adding CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Adding CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding CN=NTDS Settings,CN=DC2-LYNX,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zamecek,DC=home
Adding SPNs to CN=DC2-LYNX,OU=Domain Controllers,DC=zamecek,DC=home
Setting account password for DC2-LYNX$
Enabling account
Adding DNS account CN=dns-DC2-LYNX,CN=Users,DC=zamecek,DC=home with dns/ SPN
Setting account password for dns-DC2-LYNX
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=zamecek,DC=home
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=zamecek,DC=home] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=zamecek,DC=home] objects[402/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[804/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1206/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1608/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[1632/1632] linked_values[46/46]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2034/1632] linked_values[1/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2436/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[2838/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3240/1632] linked_values[0/1]
Partition[CN=Configuration,DC=zamecek,DC=home] objects[3264/1632] linked_values[45/46]
Replicating critical objects from the base DN of the domain
Partition[DC=zamecek,DC=home] objects[98/97] linked_values[141/141]
Partition[DC=zamecek,DC=home] objects[500/711] linked_values[0/22]
Partition[DC=zamecek,DC=home] objects[809/711] linked_values[657/657]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[60/60] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=zamecek,DC=home] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DC2-LYNX.zamecek.home
Adding DNS A record DC2-LYNX.zamecek.home for IPv4 IP: 192.168.64.253
Adding DNS CNAME record c23dcb8b-6817-4576-9acd-e9b9f7d9fdcd._msdcs.zamecek.home for DC2-LYNX.zamecek.home
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=zamecek,DC=home
Partition[DC=DomainDnsZones,DC=zamecek,DC=home] objects[2/2] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=zamecek,DC=home
Partition[DC=ForestDnsZones,DC=zamecek,DC=home] objects[2/2] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Joined domain SSUPS-ZAMECEK (SID S-1-5-21-9998-9997-9996) as a DC

Many, many thanks for your valuable help!

--
Franta Hanzlik
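The leftover sss entries Franta describes are worth checking for before a join rather than after the DNS update fails. The following is an added example, not code from the thread or from Samba: it parses nsswitch.conf, lists the databases still naming sss, and writes a cleaned copy. The sample file is constructed from the four entries quoted above plus typical winbind lines; the 'files' fallback for a database left with no source at all (the bare 'netgroup: sss' line) is an assumption, since the thread does not say what replaced it.

```python
# Constructed sample: the four leftover sss entries quoted in the thread plus
# the winbind-backed lines a domain member normally has.
NSSWITCH_SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
group:      files winbind
shadow:     files sss
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
automount:  files sss
"""


def parse_nsswitch(text):
    """Map each database to its source list; comments and action tokens
    such as [NOTFOUND=return] are ignored."""
    dbs = {}
    for line in text.splitlines():
        body = line.partition("#")[0]
        if ":" not in body:
            continue
        db, rest = body.split(":", 1)
        dbs[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return dbs


def stale_sources(text, stale=("sss",)):
    """Databases that still name a stale source (sss after the move to winbind)."""
    return {db: src for db, src in parse_nsswitch(text).items()
            if any(s in stale for s in src)}


def clean_nsswitch(text, stale=("sss",), fallback="files"):
    """Return the file with stale sources dropped. A database left with no
    real source gets `fallback`; that is an assumption, the thread does not
    say what replaced the bare 'netgroup: sss' line."""
    out = []
    for line in text.splitlines():
        body, mark, comment = line.partition("#")
        if ":" in body:
            db, rest = body.split(":", 1)
            kept = [t for t in rest.split() if t not in stale]
            if not [t for t in kept if not t.startswith("[")]:
                kept = [fallback]
            key = db.strip() + ":"
            line = f"{key:<12}{' '.join(kept)}"
            if mark:
                line += "  " + mark + comment
        out.append(line)
    return "\n".join(out) + "\n"
```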