William Edwards
2019-Jul-09 08:56 UTC
[Samba] Adding new DC causes samba.join.DCJoinException
Hi,

I have a primary DC that I provisioned with this command:

    samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ samba_default_realm }} --domain={{ samba_default_realm_domain }} --adminpass={{ samba_ldap_adminpw }}

I am now trying to provision a second DC in the same domain with the command:

    samba-tool domain join {{ samba_default_realm | lower }} DC -U"{{ samba_default_realm_domain }}\Administrator" --password={{ samba_ldap_adminpw }}

Naturally, the variables ({{ }}) are replaced with actual values.

However, when I run the second command on the new DC, I get:

--
resolve_lmhosts: Attempting lmhosts lookup for name DC1.domain.tld<0x20>
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: Not removing account DC2$ which looks like a Samba DC account matching the password we already have.  To override, remove secrets.ldb and secrets.tdb
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1424, in do_join
    ctx.cleanup_old_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 283, in cleanup_old_join
    ctx.cleanup_old_accounts(force=force)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 253, in cleanup_old_accounts
    % ctx.samname)
--

I'm using Samba Version 4.10.5-Debian (from apt.van-belle.nl repo). I read something about this having to do with the internal DNS backend which I use that should've been fixed in Samba 4.7.

Any idea why I'm getting this error?

--
Regards,
William Edwards
Tuxis Internet Engineering

Rowland Penny
2019-Jul-09 09:31 UTC
[Samba] Adding new DC causes samba.join.DCJoinException
On 09/07/2019 09:56, William Edwards via samba wrote:
> Hi,
>
> I have a primary DC that I provisioned with this command:

No you haven't, you have an AD DC, a PDC is something else entirely ;-)

> samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm={{ samba_default_realm }} --domain={{ samba_default_realm_domain }} --adminpass={{ samba_ldap_adminpw }}
>
> I am now trying to provision a second DC in the same domain with the command:

No, you are trying to join another DC to your AD domain ;-)

> samba-tool domain join {{ samba_default_realm | lower }} DC -U"{{ samba_default_realm_domain }}\Administrator" --password={{ samba_ldap_adminpw }}
>
> Naturally, the variables ({{ }}) are replaced with actual values.
>
> However, when I run the second command on the new DC, I get:
>
> --
> resolve_lmhosts: Attempting lmhosts lookup for name DC1.domain.tld<0x20>
> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: Not removing account DC2$ which looks like a Samba DC account matching the password we already have.  To override, remove secrets.ldb and secrets.tdb

Did you have a DC called 'DC2' before? Or have you tried multiple times to join the DC?

Try doing what it is telling you to do, remove secrets.ldb & secrets.tdb (they are in /var/lib/samba/private by default on Debian)

Rowland

Rowland Penny
2019-Jul-09 10:06 UTC
[Samba] Adding new DC causes samba.join.DCJoinException
On 09/07/2019 10:42, William Edwards wrote:
> I removed the files as follows:
>
> root@addc1:~# updatedb
> root@addc1:~# locate secrets.ldb
> /var/lib/samba/private/secrets.ldb
> root@addc1:/var/lib/samba/private# systemctl stop samba-ad-dc
> root@addc1:/var/lib/samba/private# mv secrets.ldb{,.bak}
> root@addc1:/var/lib/samba/private# mv secrets.tdb{,.bak}
>
> I then attempted to join the domain again and got:
>
> "Joined domain xxx as a DC"
>
> Everything still seems to work fine now (although, despite the
> warning, the second DC was already a domain member and domain DC
> before!). I'm quite confident I found a bug here though. Thanks for
> the help.

And I am quite confident you haven't. If the computer was a DC with the same name, you cannot join it again without removing the 'old' DC from AD and cleaning up the computer before you run the join command.

Rowland
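
The cleanup step from the exchange above, as an added example that is not part of either poster's message or of Samba's own code: a pre-join check that reports leftover secrets.ldb and secrets.tdb in the private directory and moves them aside without overwriting an earlier backup. The function names are hypothetical, the default path is the Debian location mentioned in the thread, and the demo runs on a constructed scratch directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of samba-tool.
# Assumption: Debian default private directory, as stated in the thread.
PRIVATE_DIR_DEFAULT=/var/lib/samba/private

# Print each leftover secrets database found in DIR, one per line.
stale_join_state() {
    dir=${1:-$PRIVATE_DIR_DEFAULT}
    for f in secrets.ldb secrets.tdb; do
        if [ -e "$dir/$f" ]; then printf '%s\n' "$dir/$f"; fi
    done
}

# Return 0 when DIR holds no leftover join state, 1 (listing it) otherwise.
prejoin_check() {
    found=$(stale_join_state "$1")
    if [ -n "$found" ]; then
        printf 'leftover join state:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Move leftovers to NAME.bak.SUFFIX. Every target is checked first so an
# earlier backup is never overwritten and the pair is never half-moved.
# Stop the samba-ad-dc service before running this on a real host.
backup_join_state() {
    dir=${1:-$PRIVATE_DIR_DEFAULT}
    suffix=${2:-$(date -u +%Y%m%dT%H%M%SZ)}
    for f in secrets.ldb secrets.tdb; do
        if [ -e "$dir/$f" ] && [ -e "$dir/$f.bak.$suffix" ]; then
            echo "refusing: $dir/$f.bak.$suffix already exists" >&2
            return 1
        fi
    done
    for f in secrets.ldb secrets.tdb; do
        [ -e "$dir/$f" ] || continue
        mv -- "$dir/$f" "$dir/$f.bak.$suffix" || return 1
        # The backup still holds the machine account secret: owner-only.
        chmod 600 "$dir/$f.bak.$suffix" || return 1
    done
    return 0
}

# Demo on a constructed scratch directory, not a real Samba private dir.
demo=$(mktemp -d)
: > "$demo/secrets.ldb"; : > "$demo/secrets.tdb"
prejoin_check "$demo" || backup_join_state "$demo" demo
prejoin_check "$demo" && echo "no leftover secrets databases in $demo"
rm -rf "$demo"
```
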
Rowland Penny
2019-Jul-09 10:22 UTC
[Samba] Adding new DC causes samba.join.DCJoinException
On 09/07/2019 11:13, William Edwards wrote:
> There was no old DC.

Then why did you post this

[quote]
Everything still seems to work fine now (although, despite the warning, the second DC was already a domain member and domain DC before!).
[/quote]

Rowland