thr3ads.net - samba - [Samba] Problems joining Samba 4 in the domain [Aug 2019]

If this information is useful, please help other people find it:
Share via:

L.P.H. van Belle

2019-Aug-12 15:01 UTC

[Samba] Problems joining Samba 4 in the domain

Ah, so the error changed.. 
?
Can you try 
?
samba-tool domain join empresa.com.br DC -k yes -d 3
--server=samba4-dc01.empresa.com.br?
so we try to join through samba4-dc1 and not the windows DC. 
?
Looking at below again.
(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such
object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
This looks familuar..? i have to look this up.. ( tomorrow, office is closing
here.. sorry )
?
> Do I need to manually enter information (ldap and kerberos) about the new
DC in the DNS entries in the msdcs.empresa.com.br e empresa.com.br trees?No, these records should and need to be created by the server. 
?
So far, 
?
Louis
?
?

Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Verzonden: maandag 12 augustus 2019 16:52
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problems joining Samba 4 in the domain



Hi,

I created a new Samba 4 with a different name from the previous one.

I followed your configuration guidelines for the /etc/ hosts and
/etc/resolv.conf files. I also removed the smb.conf file of the new DC

I did maintenance on Samba 4 DC1:

samba-tool dbcheck --cross-ncs ?--fix --yes
Checking 6340 objects
Checked 6340 objects (0 errors)

I cleaned up DNS records.

However, the following error occurred:

root at samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k
yes -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name
win-dc2.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
win-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
win-dc2.empresa.com.br<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for EMPRESA from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=EMPRESA)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4691) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - ?<0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1:
'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>? File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
? ? return self.run(*args, **kwargs)
? File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661, in run
? ? machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
? ? ctx.do_join()
? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
? ? ctx.join_add_objects()
? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
? ? ctx.samdb.modify(m)


Do I need to manually enter information (ldap and kerberos) about the new DC in
the DNS entries in the msdcs.empresa.com.br e empresa.com.br trees?



Regards,


M?rcio Bacci


Em qui, 8 de ago de 2019 ?s 11:48, L.P.H. van Belle via samba <samba at
lists.samba.org> escreveu:

Hai marcio, 

As far i can see, most look ok to me. 

A few very small points. 

First change this : > cat /etc/hosts
> 192.168.1.19? ?samba4-dc2.empresa.com.br? samba4-dc2
> 192.168.1.20? ?samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135? win-dc2.empresa.com.br.? ? wind-dc2
> 
> 
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20
To 

/etc/hosts
192.168.1.19? ?samba4-dc2.empresa.com.br? samba4-dc2
192.168.1.20? ?samba4-dc1.empresa.com.br samba4-dc1
10.133.84.135? win-dc2.empresa.com.br? ?wind-dc2


/etc/resolv.conf
search empresa.com.br
nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.19

Now, question. 
If this the first attempt to join this server? Of not, what guess based on the
output below.

- Then verify in the dns and AD if the old server is completely removed. 
? ? ? ? And take you time for this. 
- cleanup /var/lib/samba ( remove all files there and in subfolders, keep the
folders )
- cleanup /var/cache/samba ( remove all files there and in subfolders, keep the
folders )
- remove /etc/samba/smb.conf 
> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have 
> been revoked)So this really looks like leftovers from previous attempt, so there must be
something in the AD domain with that hostname.
That that one is revoked. 


Then, after a good cleanup, you can try to join again. 

After the join, reboot Then change : 

/etc/resolv.conf
search empresa.com.br
nameserver 192.168.1.19
nameserver 192.168.1.20
nameserver 10.133.84.135

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marcio Demetrio Bacci via samba
> Verzonden: donderdag 8 augustus 2019 16:26
> Aan: sambalist
> Onderwerp: [Samba] Problems joining Samba 4 in the domain
> 
> Hi,
> 
> I have 2 DC in my network.
> 
> DC master is a Samba 4 and the secondary is Windows Server 2008.
> 
> I want to put another Samba 4 as DC to replace Windows 
> Server, however the
> following errors are emerging:
> 
> root at samba4-dc2:~# samba-tool domain join empresa.com.br DC 
> -k yes -d 3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'empresa.com.br'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> tcp.empresa.com.br<0x0>
> Found DC win-dc2.empresa.com.br
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> workgroup is EMPRESA
> realm is empresa.com.br
> Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Adding
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br> Adding CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br> Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> Failed to get kerberos credentials (kerberos required): kinit for
> SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have 
> been revoked)
> 
> Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR 
> failed (Clients
> credentials have been revoked)
> 
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for 
> ldap/win-dc2.empresa.com.br
> failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
> Failed to bind - LDAP client internal error: 
> NT_STATUS_ACCOUNT_LOCKED_OUT
> Failed to connect to 'ldap://win-dc2.empresa.com.br' with 
> backend 'ldap':
> LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
> Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br> Deleted
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL 
> -? <0000202B:
> RefErr: DSID-030A0AEB, data 0, 1 access points
> ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> >
<ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
>? ?File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>? ? ?return self.run(*args, **kwargs)
>? ?File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661,
> in run
>? ? ?machinepass=machinepass, use_ntvfs=use_ntvfs, 
> dns_backend=dns_backend)
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1474, in
> join_DC
>? ? ?ctx.do_join()
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1375, in
> do_join
>? ? ?ctx.join_add_objects()
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
668, in
> join_add_objects
>? ? ?ctx.samdb.modify(m)
> 
> ##############################################################
> ###############################################
> 
> 
> root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
> -U"EMPRESA\administrator" -d 3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'empresa.com.br'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
> tcp.empresa.com.br<0x0>
> Found DC win-dc2.empresa.com.br
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> Password for [EMPRESA\administrador]:
> Cannot reach a KDC we require to contact (null) : kinit for
> administrador at EMPRESA failed (Cannot contact any KDC for 
> requested realm)
> 
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for 
> ldap/win-dc2.empresa.com.br
> failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> workgroup is EMPRESA
> realm is empresa.com.br
> Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Adding
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br> Adding CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br> Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> Cannot reach a KDC we require to contact (null) : kinit for
> administrador at EMPRESA failed (Cannot contact any KDC for 
> requested realm)
> 
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for 
> ldap/WIN-DC2.EMPRESA.COM.BR
> failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> resolve_lmhosts: Attempting lmhosts lookup for name 
> win-dc2.empresa.com.br
> <0x20>
> Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR 
> failed (Clients
> credentials have been revoked)
> 
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for 
> ldap/win-dc2.empresa.com.br
> failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -? <8009030C:
> LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, 
> data 52e,
> v1773> <>
> Failed to connect to 'ldap://win-dc2.empresa.com.br' with 
> backend 'ldap':
> LDAP error 49 LDAP_INVALID_CREDENTIALS -? <8009030C: LdapErr:
> DSID-0C09052B, comment: AcceptSecurityContext error, data 
> 52e, v1773> <>
> Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=empresa,DC=com,DC=br> Deleted
> CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=empresa,DC=com,DC=br> ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL 
> -? <0000202B:
> RefErr: DSID-030A0AEB, data 0, 1 access points
> ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> >
<ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
>? ?File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>? ? ?return self.run(*args, **kwargs)
>? ?File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661,
> in run
>? ? ?machinepass=machinepass, use_ntvfs=use_ntvfs, 
> dns_backend=dns_backend)
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1474, in
> join_DC
>? ? ?ctx.do_join()
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1375, in
> do_join
>? ? ?ctx.join_add_objects()
>? ?File "/usr/lib/python2.7/dist-packages/samba/join.py", line
668, in
> join_add_objects
>? ? ?ctx.samdb.modify(m)
> 
> ##############################################################
> ###############################
> 
> I did some tests in the new Samaba4 DC and it seems OK as below:
> 
> root at samba4-dc2:~# kinit Administrator
> Password for marcio at EMPRESA.COM.BR:
> 
> 
> root at samba4-dc2:~# klist -l
> Principal name? ? ? ? ? ? ? ? ?Cache name
> --------------? ? ? ? ? ? ? ? ?----------
> Administrator at EMPRESA.COM.BR? ? ? FILE:/tmp/krb5cc_0
> 
> root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
> _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
> samba4-dc1.empresa.com.br.
> _kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 
> win-dc2.empresa.com.br
> .
> root at samba4-dc2:~#
> root at samba4-dc2:~#
> root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
> _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 
> win-dc2.empresa.com.br.
> _ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 
> samba4-dc1.empresa.com.br
> .
> root at samba4-dc2:~#
> root at samba4-dc2:~# cat /etc/krb5.conf
> [libdefaults]
>? ? ?dns_lookup_realm = false
>? ? ?dns_lookup_kdc = true
>? ? ?default_realm = EMPRESA.COM.BR
> root at samba4-dc2:~# host -t EMPRESA.COM.BR
> host: invalid type: EMPRESA.COM.BR
> 
> root at samba4-dc2:~# host -t A EMPRESA.COM.BR
> EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2
> EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1
> EMPRESA.COM.BR has address 192.168.1.19 #? Samba4-DC2 . I did not
> understand why. He hasn't joined in the domain yet.
> 
> 
> My kerberos configurations:
> 
> cat /etc/krb5.conf
> 
> [libdefaults]
>? ? ?dns_lookup_realm = false
>? ? ?dns_lookup_kdc = true
>? ? ?default_realm = EMPRESA.COM.BR
> 
> 
> Another configurations:
> 
> cat /etc/hosts
> 192.168.1.19? ?samba4-dc2.empresa.com.br? samba4-dc2
> 192.168.1.20? ?samba4-dc1.empresa.com.br. samba4-dc1
> 10.133.84.135? win-dc2.empresa.com.br.? ? wind-dc2
> 
> 
> cat /etc/resolv.conf
> domain empresa.com.br
> search empresa.com.br
> nameserver 192.168.1.20
> nameserver 10.133.84.135
> 
> Could anybody help me?
> 
> Regards,
> 
> M?rcio Bacci
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:? https://lists.samba.org/mailman/options/samba
> 
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba

Rowland penny

2019-Aug-12 15:40 UTC

head link

[Samba] Problems joining Samba 4 in the domain

On 12/08/2019 16:01, L.P.H. van Belle via samba wrote:> Ah, so the error changed..
>   
> Can you try
>   
> samba-tool domain join empresa.com.br DC -k yes -d 3
--server=samba4-dc01.empresa.com.br
> so we try to join through samba4-dc1 and not the windows DC.
You beat me to it Louis>   
> Looking at below again.
> (objectclass=primaryDomain))' base: 'cn=Primary Domains': No
such object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> This looks familuar..? i have to look this up.. ( tomorrow, office is
closing here.. sorry )
Yes, it is familiar, but misleading ;-)

You can ignore anything after:? 'Join failed - cleaning up'

The error occurred before this point.

Rowland

Marcio Demetrio Bacci

2019-Aug-12 17:56 UTC

head link

[Samba] Problems joining Samba 4 in the domain

Hi,

I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from the
Debian 9 repository and was able to put it in the domain.

root at samba4-new-dc:/etc/samba# samba -V
Version 4.5.16-Debian

samba-tool domain join empresa.com.br DC -k yes -d 3
--serversamba4-dc1.empresa.com.br

root at samba4-new-dc:/etc/samba# samba-tool domain join empresa.com.br DC -k
yes -d 3 --server=samba4-dc1.empresa.com.br
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
samba4-dc1.empresa.com.br<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-NEW-DC,OU=Domain Controllers,empresa.com.br
Adding
CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
empresa.com.br
Adding CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
empresa.com.br
Using binding ncacn_ip_tcp:samba4-dc1.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
samba4-dc1.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
samba4-dc1.empresa.com.br<0x20>
Adding SPNs to CN=SAMBA4-NEW-DC,OU=Domain Controllers,empresa.com.br
Setting account password for SAMBA4-NEW-DC$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not
found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb
gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN empresa.com.br
Starting replication
Using binding ncacn_ip_tcp:samba4-dc1.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
samba4-dc1.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
samba4-dc1.empresa.com.br<0x20>
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[402/1518]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[804/1518]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1206/1518]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,empresa.com.br] objects[1518/1518]
linked_values[0/0]
Analyze and apply schema objects
Replicated 1518 objects (0 linked attributes) for
CN=Schema,CN=Configuration,empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[402/1984]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,
empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[804/1984]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,
empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1206/1984]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,
empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1608/1984]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,
empresa.com.br
Partition[CN=Configuration,empresa.com.br] objects[1984/1984]
linked_values[41/0]
Replicated 376 objects (41 linked attributes) for CN=Configuration,
empresa.com.br
Replicating critical objects from the base DN of the domain
Partition[empresa.com.br] objects[101/101] linked_values[35/0]
Replicated 101 objects (35 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[503/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[905/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[1307/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[1709/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[2111/2180] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for empresa.com.br
Partition[empresa.com.br] objects[2281/2180] linked_values[1039/0]
Replicated 170 objects (1039 linked attributes) for empresa.com.br
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,empresa.com.br
Partition[DC=DomainDnsZones,empresa.com.br] objects[402/646]
linked_values[0/0]
Replicated 402 objects (0 linked attributes) for DC=DomainDnsZones,
empresa.com.br
Partition[DC=DomainDnsZones,empresa.com.br] objects[646/646]
linked_values[0/0]
Replicated 244 objects (0 linked attributes) for DC=DomainDnsZones,
empresa.com.br
Replicating DC=ForestDnsZones,empresa.com.br
Partition[DC=ForestDnsZones,empresa.com.br] objects[37/37]
linked_values[0/0]
Replicated 37 objects (0 linked attributes) for DC=ForestDnsZones,
empresa.com.br
Committing SAM database
Discarding older DRS linked attribute update to member on
CN=IIS_IUSRS,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Domain
Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Domain
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Domain
Admins,CN=Users,empresa.com.br from ad07f0d5-237c-4611-80a5-3751a318329b
Discarding older DRS linked attribute update to member on CN=Usu?rios da
?rea de trabalho remota,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on
CN=Administrators,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
acesso de autoriza??o Windows,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
acesso de autoriza??o Windows,CN=Builtin,empresa.com.br from
a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Grupo de
Replica??o de Senha RODC Nega,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise
Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Enterprise
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Enterprise
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Replicator,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on
CN=Replicator,CN=Builtin,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy
Creator Owners,CN=Users,empresa.com.br from
a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Group Policy
Creator Owners,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy
Creator Owners,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Group Policy
Creator Owners,CN=Users,empresa.com.br from
71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Schema
Admins,CN=Users,empresa.com.br from a20c8ed0-c72a-4e57-9e59-2236f127d0b8
Discarding older DRS linked attribute update to member on CN=Schema
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Discarding older DRS linked attribute update to member on CN=Schema
Admins,CN=Users,empresa.com.br from 71c305c7-564f-44dc-bdc7-c03ee501bd52
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EMPRESA (SID S-1-5-21-1712526294-259020848-313593124) as a DC

####################################################################################


However, I verified that the DNS records msdcs.empresa.com.br and
empresa.com.br (ldap, kerberos, gc, tcp, udp) were not updated with the
information of the new DC.

The following errors are verified:



samba-tool drs showrepl

Default-First-Site-Name\SAMBA4-DC1
DSA Options: 0x00000001
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
DSA invocationId: a20c8ed0-c72a-4e57-9e59-2236f127d0b8

==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:30:49 2019 -03

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
5 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:30:49 2019 -03

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
5 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:33:04 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:33:04 2019 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
5 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:30:49 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:30:49 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
5 consecutive failure(s).
Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:33:26 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:33:26 2019 -03

DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:30:49 2019 -03 failed, result 2 (WERR_BADFILE)
5 consecutive failure(s).
Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:00:39 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:00:39 2019 -03

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
9 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:15:55 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:15:55 2019 -03

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
9 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:32:47 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:32:47 2019 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
9 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:00:39 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:00:39 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
9 consecutive failure(s).
Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
Default-First-Site-Name\WIN-DC2 via RPC
DSA object GUID: d580939f-a8b9-43ea-84e9-be0f9bd29468
Last attempt @ Mon Aug 12 14:14:45 2019 -03 was successful
0 consecutive failure(s).
Last success @ Mon Aug 12 14:14:45 2019 -03

DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-NEW-DC via RPC
DSA object GUID: 10292cde-6888-43a7-a067-26b95873f5a7
Last attempt @ Mon Aug 12 14:34:32 2019 -03 failed, result 2 (WERR_BADFILE)
9 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: c6393fbd-461c-4fd7-ac62-4801a3de43d2
Enabled        : TRUE
Server DNS name : win-dc2.empresa.com.br
Server DN name  : CN=NTDS
Settings,CN=WIN-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 3d74773c-19d4-4220-84b1-edc605f74633
Enabled        : TRUE
Server DNS name : samba4-new-dc.empresa.com.br
Server DN name  : CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

samba-tool ldapcmp ldap://SAMBA4-DC1 ldap://SAMBA4-NEW-DC -UAdministrator
...
Comparing:
'CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br'
[ldap://SAMBA4-DC1]
'CN=SAMBA4-NEW-DC,OU=Domain Controllers,DC=empresa,DC=com,DC=br'
[ldap://SAMBA4-NEW-DC]
    Difference in attribute values:
        servicePrincipalName =>
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/10292cde-6888-43a7-a067-26b95873f5a7/
empresa.com.br', 'GC/samba4-new-dc.empresa.com.br/empresa.com.br',
'HOST/SAMBA4-NEW-DC', 'HOST/samba4-new-dc.empresa.com.br']
['E3514235-4B06-11D1-AB04-00C04FC2DCD2/10292cde-6888-43a7-a067-26b95873f5a7/
empresa.com.br', 'GC/samba4-new-dc.empresa.com.br/empresa.com.br',
'HOST/SAMBA4-NEW-DC', 'HOST/samba4-new-dc.empresa.com.br',
'HOST/
samba4-new-dc.empresa.com.br/EMPRESA', 'HOST/
samba4-new-dc.empresa.com.br/empresa.com.br',
'RestrictedKrbHost/SAMBA4-NEW-DC', 'RestrictedKrbHost/
samba4-new-dc.empresa.com.br',
'ldap/10292cde-6888-43a7-a067-26b95873f5a7._
msdcs.empresa.com.br', 'ldap/SAMBA4-NEW-DC', 'ldap/
samba4-new-dc.empresa.com.br', 'ldap/
samba4-new-dc.empresa.com.br/DomainDnsZones.empresa.com.br', 'ldap/
samba4-new-dc.empresa.com.br/ForestDnsZones.empresa.com.br', 'ldap/
samba4-new-dc.empresa.com.br/EMPRESA', 'ldap/
samba4-new-dc.empresa.com.br/empresa.com.br']
    FAILED
...

* DN lists have different size: 1644 != 1646
    CN=52063d3d-86a8-4066-9fbb-7e62b245716a,CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
    CN=a1d84f32-fe3a-4b54-8ff7-db309a4cf735,CN=NTDS
Settings,CN=SAMBA4-NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
...

To solve these problems, can I add the records manually in DNS?

Example:

_ldap Local de servi?o (SRV) [0][100][389] samba4-dc1.empresa.com.br.
static
_ldap Local de servi?o (SRV) [0][100][389] win-dc2.empresa.com.br.   static
_ldap Local de servi?o (SRV) [0][100][389] samba4-new-dc.empresa.com.br.


Regards,

M?rcio Bacci


Em seg, 12 de ago de 2019 ?s 12:41, Rowland penny via samba <
samba at lists.samba.org> escreveu:
> On 12/08/2019 16:01, L.P.H. van Belle via samba wrote:
> > Ah, so the error changed..
> >
> > Can you try
> >
> > samba-tool domain join empresa.com.br DC -k yes -d 3 --server>
samba4-dc01.empresa.com.br
> > so we try to join through samba4-dc1 and not the windows DC.
> You beat me to it Louis
> >
> > Looking at below again.
> > (objectclass=primaryDomain))' base: 'cn=Primary Domains':
No such
> object: dsdb_search at ../source4/dsdb/common/util.c:4691) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > This looks familuar..  i have to look this up.. ( tomorrow, office is
> closing here.. sorry )
>
> Yes, it is familiar, but misleading ;-)
>
> You can ignore anything after:  'Join failed - cleaning up'
>
> The error occurred before this point.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

samba - Aug 2019 - Problems joining Samba 4 in the domain

[Samba] Problems joining Samba 4 in the domain

[Samba] Problems joining Samba 4 in the domain

[Samba] Problems joining Samba 4 in the domain