samba - May 2019 - Problem joining domain [SEC=UNCLASSIFIED]

UNCLASSIFIED

Hi Andrew and Roland,

I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined the
domain. I intended to take over from the 2003 server but because the domain was
being heavily used, I delayed seizing the roles.

Now I really, really want to replace the 2003 server. The network is currently
not in use and I want to complete the job while I have an opportunity. If I have
no other option, I will create a new domain, but I'd prefer to avoid having
to create new user accounts.

When I tried to join the domain with the new samba box, I got the error I
reported. I hoped removing the old server from AD might fix the problem but alas
no.

I removed the samba 4 server (Gollum) following the instructions
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

Ndsutil failed, so I used Active Directory Users and Computers to delete
Gollum's Domain Controller entry, specifying that the old controller was
permanently offline. I used Active Directory Sites and Services to delete NTDS
Settings and the Service under Default-First-Site again specifying that the
Gollum was permanently offline.  I backed up the AD on the 2003 server first, so
in theory, I can undo these changes.

The new server is CentOS 7 (1810) and the version of SAMBA is the 4.10.4.

The 2003 domain is at the highest functional level.

Cheers
Russell

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
via samba
Sent: Thursday, 30 May, 2019 5:35 p.m.
To: samba at lists.samba.org
Subject: Re: [Samba] Problem joining domain [SEC=UNCLASSIFIED]

On 30/05/2019 08:22, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Firstly thanks for the help with my previous problem building SAMBA. The
UNOFFICIAL in the subject heading is added automatically by our email system.
OFFICIAL
Stupid idea in my opinion
>
> I'm getting the following error when trying to join a 2003 server
domain.
Didn't you get the memo, 2003 is EOL ;-)
>
> ...
> Adding CN=TITUS,OU=Domain Controllers,DC=SSUNIT050,DC=local Adding 
> CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
> on,DC=SSUNIT050,DC=local Adding CN=NTDS 
> Settings,CN=TITUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Co
> nfiguration,DC=SSUNIT050,DC=local DsAddEntry failed with status 
> WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC') ...
>
> I can't find out what WERR_DS_NO_CROSSREF_FOR_NC means.
The cross-reference for the specified naming context could not be
found
>
> I have previously joined this domain with an older version of Samba. That
SAMBA box is now dead and I have removed it from AD.
> I think that I have done this correctly.
What version worked ?

How did you remove it ?

What version are you using now ?

What OS ?
>
> This domain is standalone (air-gapped). I currently have no way to get info
off TITUS, so the above output from samba-tool was hand copied - might have
typos.
I think you might have to find a way in, you might have to do a lot of typing
otherwise.

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

IMPORTANT: This email remains the property of the Department of Defence and is
subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have
received this email in error, you are requested to contact the sender and delete
the email.

On Fri, 2019-05-31 at 06:21 +0000, Thamm, Russell via samba
wrote:
> UNCLASSIFIED
> 
> Hi Andrew and Roland,
> 
> I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined the
domain. I intended to take over from the 2003 server but because the domain was
being heavily used, I delayed seizing the roles.
> 
> Now I really, really want to replace the 2003 server. The network is
currently not in use and I want to complete the job while I have an opportunity.
If I have no other option, I will create a new domain, but I'd prefer to
avoid having to create new user accounts.
How about trying this:

https://wiki.samba.org/index.php/Create_a_samba_lab-domain

If that works, then you may be able to try this:

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

an online backup might work against windows, but I suspect you will
hit:

https://bugzilla.samba.org/show_bug.cgi?id=13917

If you can apply patches (difficult air-gapped I know), try the
backported one attached to the bug.

Restoring the backup won't allow the windows server to still operate
(they will fight), but might get you a way out. 

Anyway, I hope this is of some help.  Otherwise we need to try and work
out a bit more about why the windows DC is unhappy with our list of
NCs.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 31/05/2019 08:23, Andrew Bartlett wrote:
> On Fri, 2019-05-31 at 06:21 +0000, Thamm, Russell via samba wrote:
>> UNCLASSIFIED
>>
>> Hi Andrew and Roland,
>>
>> I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined
the domain. I intended to take over from the 2003 server but because the domain
was being heavily used, I delayed seizing the roles.
>>
>> Now I really, really want to replace the 2003 server. The network is
currently not in use and I want to complete the job while I have an opportunity.
If I have no other option, I will create a new domain, but I'd prefer to
avoid having to create new user accounts.
> How about trying this:
>
> https://wiki.samba.org/index.php/Create_a_samba_lab-domain
Isn't the OP going to run into a chicken & egg situation here, will it 
work against a Windows DC ?
>
> If that works, then you may be able to try this:
>
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> an online backup might work against windows, but I suspect you will
> hit:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13917
>
> If you can apply patches (difficult air-gapped I know), try the
> backported one attached to the bug.
>
> Restoring the backup won't allow the windows server to still operate
> (they will fight), but might get you a way out.
>
> Anyway, I hope this is of some help.  Otherwise we need to try and work
> out a bit more about why the windows DC is unhappy with our list of
> NCs.
>
> Andrew Bartlett
If a Centos 6 Samba AD DC was able to join, then I would try going down 
that path again, but to save time and not compile Samba, I would use 
Debian 8 instead. If you get a Samba DC to join, you could then walk up 
the Samba versions (probably needed unless the bug is fixed) by using 
Louis's repo. Once you get past 4.8.x, you could then seize all the FSMO 
roles and turn off the windows DC and remove it from the domain.

Rowland