UNOFFICIAL

Firstly thanks for the help with my previous problem building SAMBA. The UNOFFICIAL in the subject heading is added automatically by our email system.

I'm getting the following error when trying to join a 2003 server domain.

...
Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local
Adding CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
Adding CN=NTDS Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
...

I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.

I have previously joined this domain with an older version of Samba. That SAMBA box is now dead and I have removed it from AD.
I think that I have done this correctly.

This domain is standalone (air-gapped). I currently have no way to get info off TITUS, so the above output from samba-tool was hand copied - might have typos.

Cheers
Russell

On 30/05/2019 08:22, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Firstly thanks for the help with my previous problem building SAMBA. The UNOFFICIAL in the subject heading is added automatically by our email system.

OFFICIAL Stupid idea in my opinion

> I'm getting the following error when trying to join a 2003 server domain.

Didn't you get the memo, 2003 is EOL ;-)

> ...
> Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local
> Adding CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> Adding CN=NTDS Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
> ...
>
> I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.

The cross-reference for the specified naming context could not be found

> I have previously joined this domain with an older version of Samba. That SAMBA box is now dead and I have removed it from AD.
> I think that I have done this correctly.

What version worked? How did you remove it? What version are you using now? What OS?

> This domain is standalone (air-gapped). I currently have no way to get info off TITUS, so the above output from samba-tool was hand copied - might have typos.

I think you might have to find a way in, you might have to do a lot of typing otherwise.

Rowland

On Thu, 2019-05-30 at 07:22 +0000, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Firstly thanks for the help with my previous problem building SAMBA. The UNOFFICIAL in the subject heading is added automatically by our email system.

No worries, mate :-)

> I'm getting the following error when trying to join a 2003 server domain.
>
> ...
> Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local
> Adding CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> Adding CN=NTDS Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SSUNIT050,DC=local
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
> ...
>
> I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.

DsAddEntry is a bit like LDAP Add, but for special objects like the NTDS Settings you see above, because there is special processing done server-side. My guess is that we have something in that new NTDS Settings object (for the Samba DC) that it doesn't like.

> I have previously joined this domain with an older version of Samba. That SAMBA box is now dead and I have removed it from AD.
> I think that I have done this correctly.

This may have been unfortunate. Samba is likely more flexible than Windows, and joining the modern version of Samba to that, rather than directly to the 2003 server, might have been a way forward.

> This domain is standalone (air-gapped). I currently have no way to get info off TITUS, so the above output from samba-tool was hand copied - might have typos.

That sounds frustrating to work with, but the info so far is good enough.

I think what is happening is that the partition list (NC is naming context, which we also call a partition, being the AD domain, config, schema and 2x dns partitions) that we think we should say we host isn't lining up with what the DC thinks it has.

What functional level is the domain?

Do you need Samba joined to the domain long-term, or were you joining it to access the secrets (we have some tricks for replicating the data without creating the DC objects if that would help)?

If you can let us know a little more about your purpose here we may be able to figure another way out.

Thanks!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
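
Added example, not part of the thread and not Samba code: one way to test the partition-list guess above is to compare the five naming contexts named in the reply against the nCName values of the crossRef objects an existing DC holds under CN=Partitions,CN=Configuration. The function names and the LDIF sample are constructed for illustration, and a single-domain forest is assumed.

```python
import base64

def expected_ncs(domain_dn):
    """The five partitions named in the reply (single-domain forest assumed)."""
    config = "CN=Configuration," + domain_dn
    return [domain_dn, config, "CN=Schema," + config,
            "DC=DomainDnsZones," + domain_dn, "DC=ForestDnsZones," + domain_dn]

def norm(dn):
    """Case-insensitive comparison key; tolerates spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def crossref_ncs(ldif_text):
    """Collect normalised nCName values from an LDIF dump of crossRef objects."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    found = set()
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "ncname":
            continue
        if value.startswith(":"):           # "nCName:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        found.add(norm(value))
    return found

def missing_crossrefs(domain_dn, ldif_text):
    """Expected naming contexts that have no crossRef in the dump."""
    have = crossref_ncs(ldif_text)
    return [nc for nc in expected_ncs(domain_dn) if norm(nc) not in have]

# Constructed sample: a dump in which no DNS application partitions exist.
SAMPLE_LDIF = """\
dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: CN=Configuration,DC=SSUNIT050,DC=local

dn: CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: CN=Schema,CN=Configuration,DC=SSUNIT050,
 DC=local

dn: CN=SSUNIT050,CN=Partitions,CN=Configuration,DC=SSUNIT050,DC=local
nCName: DC=SSUNIT050,DC=local
"""

if __name__ == "__main__":
    print(missing_crossrefs("DC=SSUNIT050,DC=local", SAMPLE_LDIF))
```

Any DN it reports is a partition the joining DC would claim to host for which the existing DC has no cross-reference; the comparison ignores case and spacing, which helps when the dump has been retyped by hand.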