Hi,

I need to join a Samba 4 DC to a Windows 2008 R2 Active Directory Domain.

Do I need to provision with --use-rfc2307?

For example:

samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" --use-rfc2307

I intend to use SAMBA_INTERNAL DNS. Do I need to provision with --interactive to select SAMBA_INTERNAL DNS?

Can I specify another existing DNS server (the primary DNS) in my local network for DNS Resolver Forwarding?

Finally, I'm migrating my network IP range, thus my Samba 4 DC and Windows DC are in different networks. This way, is there any problem?

Regards,
Márcio Bacci

On 23/06/2019 15:07, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I need to join a Samba 4 DC to a Windows 2008 R2 Active Directory Domain.
>
> Do I need to provision with --use-rfc2307?
>
> For example:
>
> samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" --use-rfc2307

Not sure exactly what you mean, but '--use-rfc2307' isn't a valid join option.

> I intend to use SAMBA_INTERNAL DNS. Do I need to provision with --interactive
> to select SAMBA_INTERNAL DNS?

Again '--interactive' isn't a valid join option (note you do not 'provision' a secondary DC, you 'join' it), but if you do not specify the DNS server to use during the join, you will use the internal DNS server.

> Can I specify another existing DNS server (the primary DNS) in my local network
> for DNS Resolver Forwarding?

Why would you want to? You set a forwarder in smb.conf on your new DC pointing to an external DNS server.

> Finally, I'm migrating my network IP range, thus my Samba 4 DC and Windows
> DC are in different networks. This way, is there any problem?

This shouldn't be a problem, just so long as they are in the same DNS domain.

Rowland

On 23/06/2019 17:36, Marcio Demetrio Bacci wrote:
> There was an error when I tried to join Samba 4 in the domain, as below:
>
> root@samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
> INFO 2019-06-23 12:48:22,189 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
> INFO 2019-06-23 12:48:22,198 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #105: Found DC windc2.empresa.com.br
> Password for [EMPRESA\administrator]:
> INFO 2019-06-23 12:48:33,708 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1519: workgroup is EMPRESA
> INFO 2019-06-23 12:48:33,708 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1522: realm is empresa.com.br
> Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Join failed - cleaning up
> Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
>         ref 1: 'd580939f-a8b9-43ea-84e9-be0f9bd29468._msdcs.empresa.com.br'
> > <ldap://d580939f-a8b9-43ea-84e9-be0f9bd29468._msdcs.empresa.com.br>
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 699, in run
>     backend_store=backend_store)
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1535, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1427, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 698, in join_add_objects
>     ctx.samdb.modify(m)

You seem to have installed krb5-kdc, you do not need this unless you are compiling Samba yourself with MIT, but this is not recommended because it is marked as experimental.

You also have a line '127.0.1.1' in /etc/hosts pointing to your hosts info, you should remove this and whatever is also running on port 53

Can I ask, are you trying to join an existing Samba AD DC to the Windows domain ?

Rowland

On 23/06/2019 18:51, Marcio Demetrio Bacci wrote:
> Can I ask, are you trying to join an existing Samba AD DC to the
> Windows domain ?
>
> Yes, I'm trying to join a Samba AD DC to the existing Windows domain.
> I intend to replace my Windows 2008 Server R2 DC with a Samba 4 DC.

If you have a Samba AD DC that has already been provisioned, you cannot join it to another DC or domain.

Rowland

On 23/06/2019 19:37, Marcio Demetrio Bacci wrote:
> Sorry, my English isn't good.
>
> No, at this moment I do not have a Samba 4 DC, only Windows in the domain.
> This server will be the first Samba 4 joined to the domain.

What OS are you using?

Have you read this:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Rowland

On 23/06/2019 20:02, Marcio Demetrio Bacci wrote:
> I'm using Debian 9.
>
> I already read the article
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> I installed the package dependencies from this link:
> https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Debian_.2F_Ubuntu
>
> Afterwards, I compiled and installed Samba 4:
> configure
> make
> make install.

Why are you building Samba? Why not use Louis's repo:

http://apt.van-belle.nl/

Rowland

On Sun, 2019-06-23 at 11:07 -0300, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I need to join a Samba 4 DC to a Windows 2008 R2 Active Directory
> Domain.
>
> Do I need to provision with --use-rfc2307?

No, you will just get the same settings as whatever windows was set up with. All that really does is fill in the (now deprecated in Windows 2012) NIS domain objects to make that a little easier.

> For example:
>
> samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator" --use-rfc2307
>
> I intend to use SAMBA_INTERNAL DNS. Do I need to provision with --interactive
> to select SAMBA_INTERNAL DNS?

No, it is the default.

> Can I specify another existing DNS server (the primary DNS) in my local network
> for DNS Resolver Forwarding?

Yes, that sounds fine.

> Finally, I'm migrating my network IP range, thus my Samba 4 DC and
> Windows DC are in different networks. This way, is there any problem?

No, just update the subnets when you finish the migration, or add new sites.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

On Sun, 2019-06-23 at 18:01 +0100, Rowland penny via samba wrote:
> On 23/06/2019 17:36, Marcio Demetrio Bacci wrote:
> > There was an error when I tried to join Samba 4 in the domain, as
> > below:
> >
> > root@samba4dc:~# samba-tool domain join empresa.com.br DC -U"EMPRESA\administrator"
> > INFO 2019-06-23 12:48:22,189 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #103: Finding a writeable DC for domain 'empresa.com.br'
> > INFO 2019-06-23 12:48:22,198 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #105: Found DC windc2.empresa.com.br
> > Password for [EMPRESA\administrator]:
> > INFO 2019-06-23 12:48:33,708 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1519: workgroup is EMPRESA
> > INFO 2019-06-23 12:48:33,708 pid:728 /usr/local/samba/lib/python3.5/site-packages/samba/join.py #1522: realm is empresa.com.br
> > Adding CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Adding CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Adding CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Join failed - cleaning up
> > Deleted CN=SAMBA4DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> > Deleted CN=NTDS Settings,CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > Deleted CN=SAMBA4DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
> > ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
> >         ref 1: 'd580939f-a8b9-43ea-84e9-be0f9bd29468._msdcs.empresa.com.br'
> > > <ldap://d580939f-a8b9-43ea-84e9-be0f9bd29468._msdcs.empresa.com.br>
> >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 699, in run
> >     backend_store=backend_store)
> >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1535, in join_DC
> >     ctx.do_join()
> >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1427, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 698, in join_add_objects
> >     ctx.samdb.modify(m)
> >
>
> You seem to have installed krb5-kdc, you do not need this unless you are
> compiling Samba yourself with MIT, but this is not recommended because
> it is marked as experimental.

G'Day Rowland,

I don't think this is related. What it will be related to is the existing DNS zones and the layout of the DNS partitions on the windows AD DC. There seems to be a fair bit of variation in how that can be done, and this isn't the first bit of trouble we have hit.

The easiest fix is to try and make that as 'standard' as possible on the windows side of things.

> You also have a line '127.0.1.1' in /etc/hosts pointing to your hosts
> info, you should remove this and whatever is also running on port 53
>
> Can I ask, are you trying to join an existing Samba AD DC to the Windows
> domain ?

A join just overwrites the local domain in any case, just like a local provision.

I hope this clarifies things.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
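
The checks raised in the replies above (the 127.0.1.1 line in /etc/hosts, something already on port 53, and the name in the LDAP_REFERRAL error) can be scripted before retrying the join. This is an added example, not part of the thread or of Samba; the function names, the 192.0.2.10 address and the hosts/ss samples are constructed, and the two error lines are copied from the log in the thread.

```shell
#!/bin/sh
# Pre-join checks from the replies in this thread. Sample inputs are constructed.
tmp=$(mktemp -d)
cat > "$tmp/hosts" <<'EOF'
127.0.0.1   localhost
127.0.1.1   samba4dc.empresa.com.br samba4dc   # installer default
192.0.2.10  samba4dc.empresa.com.br samba4dc
EOF
cat > "$tmp/ss.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53       *:*   users:(("named",pid=601,fd=512))
tcp   LISTEN 0      128    *:22               *:*   users:(("sshd",pid=540,fd=3))
EOF
cat > "$tmp/join.log" <<'EOF'
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
        ref 1: 'd580939f-a8b9-43ea-84e9-be0f9bd29468._msdcs.empresa.com.br'
EOF

# Lines in a hosts file that map HOST (short name) to a loopback address.
loopback_aliases() {  # loopback_aliases HOSTS_FILE HOST
    awk -v h="$2" '{ sub(/#.*/, "") }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) { split($i, p, ".")
                if (p[1] == h) { print $1, $i; break } } }' "$1"
}

# Listeners already bound to port 53 in saved `ss -lntup` output.
port53_listeners() {  # port53_listeners SS_OUTPUT_FILE
    awk '$5 ~ /:53$/ { print $1, $5, $NF }' "$1"
}

# DNS names the Windows DC referred the join to (the "ref N: '...'" lines).
referral_targets() {  # referral_targets JOIN_LOG
    sed -n "s/.*ref [0-9][0-9]*: '\([^']*\)'.*/\1/p" "$1"
}

# Run all three checks; returns 1 if anything was flagged.
preflight() {  # preflight HOSTS_FILE HOST SS_FILE JOIN_LOG
    rc=0
    if [ -n "$(loopback_aliases "$1" "$2")" ]; then
        echo "hosts: $2 maps to a loopback address; remove that line"; rc=1; fi
    if [ -n "$(port53_listeners "$3")" ]; then
        echo "port 53 is already in use; stop that service before the join"; rc=1; fi
    for name in $(referral_targets "$4"); do
        echo "referral to $name; look this name up in the domain's DNS zones"; rc=1
    done
    return $rc
}
preflight "$tmp/hosts" samba4dc "$tmp/ss.txt" "$tmp/join.log" || true
```

On a real host, pass /etc/hosts, the output of `ss -lntup` saved to a file, and the captured output of the failed join.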