On Fri, 2019-08-16 at 11:18 +0200, L.P.H. van Belle via samba wrote:
> Good point Roy,
>
> So we can add the question.
> > I tried joining the same AD before and succeeded,
>
> Your other DC, is that in the same subnet?
>
> And is the windows firewall allowing the other subnet?
> telnet the DNS port from the samba server to the windows server.
>

I'm quite confused, why are you folks chasing down routing issues for
an operations error on a valid LDAP connection?

This seems a very odd and increasingly tortured set of diagnostics.

Alexander,

I think the invalid credentials bit is a red herring, during the
cleanup, the main backtrace shown looks like it doesn't like one of the
objects being modified over LDAP.

Examination of the source code shows that the only way a modify occurs
is if we are in 'promote_existing' mode, so perhaps ensure any accounts
of the same name are first deleted, or choose an unused name for the
DC.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

On 16/08/2019 11:10, Andrew Bartlett via samba wrote:
> On Fri, 2019-08-16 at 11:18 +0200, L.P.H. van Belle via samba wrote:
>> Good point Roy,
>>
>> So we can add the question.
>>> I tried joining the same AD before and succeeded,
>> Your other DC, is that in the same subnet?
>>
>> And is the windows firewall allowing the other subnet?
>> telnet the DNS port from the samba server to the windows server.
>>
> I'm quite confused, why are you folks chasing down routing issues for
> an operations error on a valid LDAP connection?

I am not and I am not sure everything is valid, for instance, the OP
cannot kinit as Administrator

>
> This seems a very odd and increasingly tortured set of diagnostics.

They have helped in the past ;-)

>
> Alexander,
>
> I think the invalid credentials bit is a red herring, during the
> cleanup, the main backtrace shown looks like it doesn't like one of the
> objects being modified over LDAP.
>
> Examination of the source code shows that the only way a modify occurs
> is if we are in 'promote_existing' mode, so perhaps ensure any accounts
> of the same name are first deleted, or choose an unused name for the
> DC.
>
> I hope this helps,
>
> Andrew Bartlett

I can confirm that 4.9.5 on Debian Buster will join as a DC to an
existing Samba AD domain, we now need to find out what is the difference
between my test DC and his.

Rowland

It's windows that is not allowing samba to join.

This should make things more clear in my opinion.

samba-tool fsmo show -H ldap://$(hostname -d)
And
samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator

These both work against my Samba AD-DC's (ldap://$(hostname -d))
And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 16 August 2019 12:54
> To: samba at lists.samba.org
> CC: Andrew Bartlett
> Subject: Re: [Samba] Failing to join existing AD as DC
>
> On 16/08/2019 11:10, Andrew Bartlett via samba wrote:
> > On Fri, 2019-08-16 at 11:18 +0200, L.P.H. van Belle via samba wrote:
> >> Good point Roy,
> >>
> >> So we can add the question.
> >>> I tried joining the same AD before and succeeded,
> >> Your other DC, is that in the same subnet?
> >>
> >> And is the windows firewall allowing the other subnet?
> >> telnet the DNS port from the samba server to the windows server.
> >>
> > I'm quite confused, why are you folks chasing down routing issues for
> > an operations error on a valid LDAP connection?
> I am not and I am not sure everything is valid, for instance, the OP
> cannot kinit as Administrator
> >
> > This seems a very odd and increasingly tortured set of diagnostics.
> They have helped in the past ;-)
> >
> > Alexander,
> >
> > I think the invalid credentials bit is a red herring, during the
> > cleanup, the main backtrace shown looks like it doesn't like one of the
> > objects being modified over LDAP.
> >
> > Examination of the source code shows that the only way a modify occurs
> > is if we are in 'promote_existing' mode, so perhaps ensure any accounts
> > of the same name are first deleted, or choose an unused name for the
> > DC.
> >
> > I hope this helps,
> >
> > Andrew Bartlett
>
> I can confirm that 4.9.5 on Debian Buster will join as a DC to an
> existing Samba AD domain, we now need to find out what is the difference
> between my test DC and his.
>
> Rowland

On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:
> It's windows that is not allowing samba to join.
>
> This should make things more clear in my opinion.
>
> samba-tool fsmo show -H ldap://$(hostname -d)
> And
> samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator
>
> These both work against my Samba AD-DC's (ldap://$(hostname -d))
> And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"
>
>

It may be windows that is not allowing the join, but he is going nowhere
until 'kinit Administrator' works ;-)

Rowland