First of all, thanks to you all for bearing with me. To answer the questions:

- Subnets: yes, different subnets, routing is fine, I can connect to the Windows DC via telnet (DNS) and OpenSSL on 389 and 636
- Naming: I could not find any object in the existing AD with the same name as the Samba DC that I want to add
- Join existing: I am trying to join an existing Windows AD, not a Samba AD

I wiped the installation (again) and here are the exact steps I took to set everything up.

1. Install from the Debian 10 netinstall ISO with only SSH server and system utilities
2. apt update && apt install curl ntp sudo vim dnsutils open-vm-tools
3. add buster-backports
4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
6. rm /etc/samba/smb.conf
7. samba-tool domain provision --use-rfc2307 --interactive (with internal DNS)
8. cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
9. unmask the samba-ad-dc service
10. reboot
11. loads of DNS errors in the log like

    [2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    [2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
    [2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
    [2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:     raise e
    [2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
    [2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    [2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
    [2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
    [2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
      /usr/sbin/samba_dnsupdate:     raise e
    [2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
      ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
    [2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
      TLS self-signed keys generated OK

12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine
13. output of your debug script

    Collected config  --- 2019-08-16-15:07
    -----------
    Hostname: ka-h9-dc01
    DNS Domain: samdom.example.com
    FQDN: ka-h9-dc01.samdom.example.com
    ipaddress: 10.0.1.250

    -----------
    Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
    Server:         10.0.1.250
    Address:        10.0.1.250#53

    _kerberos._tcp.samdom.example.com service = 0 100 88 ka-h9-dc01.samdom.example.com.
    Samba is running as an AD DC

    -----------
            Checking file: /etc/os-release

    PRETTY_NAME="Debian GNU/Linux 10 (buster)"
    NAME="Debian GNU/Linux"
    VERSION_ID="10"
    VERSION="10 (buster)"
    VERSION_CODENAME=buster
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

    -----------

    This computer is running Debian 10.0 x86_64

    -----------
    running command : ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
    2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
        inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
        inet6 fe80::20c:29ff:fe35:9c84/64 scope link

    -----------
            Checking file: /etc/hosts

    127.0.0.1 localhost
    10.0.1.250 ka-h9-dc01.samdom.example.com ka-h9-dc01

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    -----------
            Checking file: /etc/resolv.conf

    search samdom.example.com
    nameserver 10.0.1.250

    -----------
            Checking file: /etc/krb5.conf

    [libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

    -----------
            Checking file: /etc/nsswitch.conf

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         files systemd
    group:          files systemd
    shadow:         files
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

    -----------
            Checking file: /etc/samba/smb.conf

    # Global parameters
    [global]
    dns forwarder = 10.0.1.100
    netbios name = KA-H9-DC01
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = COMPANYNAME
    idmap_ldb:use rfc2307 = yes

    [netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

    -----------

    BIND_DLZ not detected in smb.conf

    -----------

    Installed packages:
    ii  attr                     1:2.4.48-4       amd64   utilities for manipulating filesystem extended attributes
    ii  krb5-config              2.6              all     Configuration files for Kerberos Version 5
    ii  krb5-locales             1.17-3           all     internationalization support for MIT Kerberos
    ii  krb5-user                1.17-3           amd64   basic programs to authenticate using MIT Kerberos
    ii  libacl1:amd64            2.2.53-4         amd64   access control list - shared library
    ii  libattr1:amd64           1:2.4.48-4       amd64   extended attribute handling - shared library
    ii  libgssapi-krb5-2:amd64   1.17-3           amd64   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
    ii  libkrb5-3:amd64          1.17-3           amd64   MIT Kerberos runtime libraries
    ii  libkrb5support0:amd64    1.17-3           amd64   MIT Kerberos runtime libraries - Support library
    ii  libnss-winbind:amd64     2:4.9.5+dfsg-5   amd64   Samba nameservice integration plugins
    ii  libpam-krb5:amd64        4.8-2            amd64   PAM module for MIT Kerberos
    ii  libpam-winbind:amd64     2:4.9.5+dfsg-5   amd64   Windows domain authentication integration plugin
    ii  libsmbclient:amd64       2:4.9.5+dfsg-5   amd64   shared library for communication with SMB/CIFS servers
    ii  libwbclient0:amd64       2:4.9.5+dfsg-5   amd64   Samba winbind client library
    ii  python-samba             2:4.9.5+dfsg-5   amd64   Python bindings for Samba
    ii  samba                    2:4.9.5+dfsg-5   amd64   SMB/CIFS file, print, and login server for Unix
    ii  samba-common             2:4.9.5+dfsg-5   all     common files used by both the Samba server and client
    ii  samba-common-bin         2:4.9.5+dfsg-5   amd64   Samba common files used by both the server and the client
    ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5   amd64   Samba Directory Services Database
    ii  samba-libs:amd64         2:4.9.5+dfsg-5   amd64   Samba core libraries
    ii  samba-vfs-modules:amd64  2:4.9.5+dfsg-5   amd64   Samba Virtual FileSystem plugins
    ii  smbclient                2:4.9.5+dfsg-5   amd64   command-line SMB/CIFS clients for Unix
    ii  winbind                  2:4.9.5+dfsg-5   amd64   service to resolve user and group information from Windows NT servers

    -----------

14. samba-tool fsmo show -H ldap://$(hostname -d)

    SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin

    SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

16. Notice I don't have "Administrator" as a user in my Windows domain, if that is an issue.

So far everything looks fine to me; should I now point resolv.conf to the Windows DC and attempt the join again?

On 16. August 2019 at 14:34:55, Rowland penny via samba (samba at lists.samba.org) wrote:

> On 16/08/2019 12:52, Rowland penny via samba wrote:
>> On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:
>>> It's windows that is not allowing samba to join.
>>>
>>> This should make things more clear in my opinion.
>>>
>>> samba-tool fsmo show -H ldap://$(hostname -d)
>>> And
>>> samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator
>>>
>>> These both work against my Samba AD-DC's (ldap://$(hostname -d))
>>> And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"
>>>
>> It may be windows that is not allowing the join, but he is going
>> nowhere until 'kinit Administrator' works ;-)
>>
>> Rowland
>>
> Andrew may have a point here, we have only been supplied with the 'join' command and a portion of the resulting join output and anything after 'join failed' is an artefact of the failure and is meaningless.
>
> We need to see everything between the 'join' command and 'join failed'.
>
> Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
On 16/08/2019 14:14, Alexander Harm via samba wrote:
>
> 4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient

You are missing the 'acl' package

> 5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
> 6. rm /etc/samba/smb.conf
> 7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)

I thought you were trying to 'join' another DC to an existing domain, not create a new domain ?

> 11. loads of DNS errors in the log like
>
>     [2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     [2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
>     [2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
>     [2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:     raise e
>     [2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>     [2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     [2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
>     [2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
>     [2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>       /usr/sbin/samba_dnsupdate:     raise e
>     [2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
>       ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
>     [2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
>       TLS self-signed keys generated OK

They are the records that samba_dnsupdate tries to create if they do not exist, but from the error message 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS' it looks like they already exist.

> 12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine
> 13. output of your debug script
>
>     Collected config  --- 2019-08-16-15:07
>     -----------
>     Hostname: ka-h9-dc01
>     DNS Domain: samdom.example.com
>     FQDN: ka-h9-dc01.samdom.example.com
>     ipaddress: 10.0.1.250
>
>     -----------
>     Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
>     Server:         10.0.1.250
>     Address:        10.0.1.250#53
>
>     _kerberos._tcp.samdom.example.com service = 0 100 88 ka-h9-dc01.samdom.example.com.
>     Samba is running as an AD DC
>
>     -----------
>             Checking file: /etc/os-release
>
>     PRETTY_NAME="Debian GNU/Linux 10 (buster)"
>     NAME="Debian GNU/Linux"
>     VERSION_ID="10"
>     VERSION="10 (buster)"
>     VERSION_CODENAME=buster
>     ID=debian
>     HOME_URL="https://www.debian.org/"
>     SUPPORT_URL="https://www.debian.org/support"
>     BUG_REPORT_URL="https://bugs.debian.org/"
>
>     -----------
>
>     This computer is running Debian 10.0 x86_64
>
>     -----------
>     running command : ip a
>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>         inet 127.0.0.1/8 scope host lo
>         inet6 ::1/128 scope host
>     2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>         link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
>         inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
>         inet6 fe80::20c:29ff:fe35:9c84/64 scope link
>
>     -----------
>             Checking file: /etc/hosts
>
>     127.0.0.1 localhost
>     10.0.1.250 ka-h9-dc01.samdom.example.com ka-h9-dc01
>
>     # The following lines are desirable for IPv6 capable hosts
>     ::1     localhost ip6-localhost ip6-loopback
>     ff02::1 ip6-allnodes
>     ff02::2 ip6-allrouters
>
>     -----------
>             Checking file: /etc/resolv.conf
>
>     search samdom.example.com
>     nameserver 10.0.1.250
>
>     -----------
>             Checking file: /etc/krb5.conf
>
>     [libdefaults]
>     default_realm = SAMDOM.EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
>     -----------
>             Checking file: /etc/nsswitch.conf
>
>     # /etc/nsswitch.conf
>     #
>     # Example configuration of GNU Name Service Switch functionality.
>     # If you have the `glibc-doc-reference' and `info' packages installed, try:
>     # `info libc "Name Service Switch"' for information about this file.
>
>     passwd:         files systemd
>     group:          files systemd
>     shadow:         files
>     gshadow:        files
>
>     hosts:          files dns
>     networks:       files
>
>     protocols:      db files
>     services:       db files
>     ethers:         db files
>     rpc:            db files
>
>     netgroup:       nis
>
>     -----------
>             Checking file: /etc/samba/smb.conf
>
>     # Global parameters
>     [global]
>     dns forwarder = 10.0.1.100
>     netbios name = KA-H9-DC01
>     realm = SAMDOM.EXAMPLE.COM
>     server role = active directory domain controller
>     workgroup = COMPANYNAME
>     idmap_ldb:use rfc2307 = yes
>
>     [netlogon]
>     path = /var/lib/samba/sysvol/samdom.example.com/scripts
>     read only = No
>
>     [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
>     -----------
>
>     BIND_DLZ not detected in smb.conf
>
>     -----------
>
>     Installed packages:
>     ii  attr                     1:2.4.48-4       amd64   utilities for manipulating filesystem extended attributes
>     ii  krb5-config              2.6              all     Configuration files for Kerberos Version 5
>     ii  krb5-locales             1.17-3           all     internationalization support for MIT Kerberos
>     ii  krb5-user                1.17-3           amd64   basic programs to authenticate using MIT Kerberos
>     ii  libacl1:amd64            2.2.53-4         amd64   access control list - shared library
>     ii  libattr1:amd64           1:2.4.48-4       amd64   extended attribute handling - shared library
>     ii  libgssapi-krb5-2:amd64   1.17-3           amd64   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>     ii  libkrb5-3:amd64          1.17-3           amd64   MIT Kerberos runtime libraries
>     ii  libkrb5support0:amd64    1.17-3           amd64   MIT Kerberos runtime libraries - Support library
>     ii  libnss-winbind:amd64     2:4.9.5+dfsg-5   amd64   Samba nameservice integration plugins
>     ii  libpam-krb5:amd64        4.8-2            amd64   PAM module for MIT Kerberos
>     ii  libpam-winbind:amd64     2:4.9.5+dfsg-5   amd64   Windows domain authentication integration plugin
>     ii  libsmbclient:amd64       2:4.9.5+dfsg-5   amd64   shared library for communication with SMB/CIFS servers
>     ii  libwbclient0:amd64       2:4.9.5+dfsg-5   amd64   Samba winbind client library
>     ii  python-samba             2:4.9.5+dfsg-5   amd64   Python bindings for Samba
>     ii  samba                    2:4.9.5+dfsg-5   amd64   SMB/CIFS file, print, and login server for Unix
>     ii  samba-common             2:4.9.5+dfsg-5   all     common files used by both the Samba server and client
>     ii  samba-common-bin         2:4.9.5+dfsg-5   amd64   Samba common files used by both the server and the client
>     ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5   amd64   Samba Directory Services Database
>     ii  samba-libs:amd64         2:4.9.5+dfsg-5   amd64   Samba core libraries
>     ii  samba-vfs-modules:amd64  2:4.9.5+dfsg-5   amd64   Samba Virtual FileSystem plugins
>     ii  smbclient                2:4.9.5+dfsg-5   amd64   command-line SMB/CIFS clients for Unix
>     ii  winbind                  2:4.9.5+dfsg-5   amd64   service to resolve user and group information from Windows NT servers
>
>     -----------
>
> 14. samba-tool fsmo show -H ldap://$(hostname -d)
>
>     SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
>
>     SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> 16. Notice I don't have "Administrator" as user in my Windows domain if that is an issue

Then who do you have ? Not that it makes much difference, 'KA-H9-DC01' isn't a member of your Windows domain, even if it does appear to have the same dns domain.

> So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?

Not until you kill the Samba domain and remove all traces of it from 'KA-H9-DC01'

Rowland
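The state Rowland objects to is visible in the debug output above: resolv.conf points at the host itself and the `_kerberos._tcp` SRV record resolves to ka-h9-dc01 rather than to a DC of the existing domain, because the host provisioned a domain of its own. The POSIX sh script below is an added example for this thread, not code from either participant or from the Samba project; it turns those observations into pre-join checks that can be run against text captured from a live host (resolv.conf, an nslookup-style SRV answer, krb5.conf) or against the constructed samples embedded here. The `find` in the leftover-state check joins its two patterns with `-o`: two bare `-name` tests are ANDed by find and match nothing.

```shell
#!/bin/sh
# Pre-join sanity checks for a Linux host about to join an existing AD domain
# as an additional DC. Added example, not code from the thread or from Samba.
# Functions take text/paths so they work on captured output and on samples.

# 1. The resolver must not point at this host: the join has to resolve the
#    existing domain through an existing DC. Returns 0 when no "nameserver"
#    line in the resolv.conf text equals the local address.
resolver_not_self() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "nameserver" && $2 == ip { found = 1 }
        END { exit found ? 1 : 0 }'
}

# 2. The _kerberos._tcp SRV answer in nslookup format (as in the thread's
#    debug script: "name service = prio weight port target.") must name at
#    least one DC and none of the targets may be this host. Returns 0 when
#    that holds, 1 when a target is the local FQDN, 2 when no record at all.
srv_targets_exclude_self() {
    printf '%s\n' "$1" | awk -v me="$2." '
        /service =/ { n++; if ($NF == me) self = 1 }
        END { if (n == 0) exit 2; exit self ? 1 : 0 }'
}

# 3. No databases from an earlier provision may remain under the given
#    directories. Returns 0 when no *.ldb or *.tdb file is found.
no_samba_state_left() {
    leftovers=$(find "$@" -type f \( -name '*.ldb' -o -name '*.tdb' \) 2>/dev/null | wc -l | tr -d ' ')
    [ "$leftovers" -eq 0 ]
}

# 4. default_realm in the krb5.conf text must be the target domain upper-cased.
realm_matches() {
    want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf '%s\n' "$1" | awk -F'=' -v want="$want" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "default_realm" && $2 == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run every check on the supplied inputs, print one line each, return 0 only
# when all pass. On a live host the first three arguments would come from
# "$(cat /etc/resolv.conf)", "$(nslookup -type=SRV _kerberos._tcp.$DOMAIN)"
# and "$(cat /etc/krb5.conf)".
pre_join_report() {
    resolv=$1; srv=$2; krb5=$3; local_ip=$4; fqdn=$5; domain=$6; rc=0
    if resolver_not_self "$resolv" "$local_ip"; then echo "ok   resolv.conf does not point at this host"
    else echo "FAIL resolv.conf points at this host"; rc=1; fi
    if srv_targets_exclude_self "$srv" "$fqdn"; then echo "ok   _kerberos SRV names another DC"
    else echo "FAIL _kerberos SRV resolves to this host or is missing"; rc=1; fi
    if realm_matches "$krb5" "$domain"; then echo "ok   default_realm matches $domain"
    else echo "FAIL default_realm does not match $domain"; rc=1; fi
    return $rc
}

# Constructed samples modelled on the thread. THREAD_* is the state shown in
# the debug output (host resolving through itself, SRV pointing back at
# itself); READY_* is what the same host should look like once it resolves
# through the existing Windows DC. 10.88.80.88 and VMDC-AZURE-01 are taken
# from the thread; the READY resolv.conf is an assumption.
THREAD_RESOLV='search samdom.example.com
nameserver 10.0.1.250'
THREAD_SRV='_kerberos._tcp.samdom.example.com service = 0 100 88 ka-h9-dc01.samdom.example.com.'
READY_RESOLV='search samdom.example.com
nameserver 10.88.80.88'
READY_SRV='_kerberos._tcp.samdom.example.com service = 0 100 88 vmdc-azure-01.samdom.example.com.'
KRB5_CONF='[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true'

# Stand-alone run: report on both sample states.
if [ "${PRE_JOIN_DEMO:-1}" = 1 ]; then
    echo "== state from the thread =="
    pre_join_report "$THREAD_RESOLV" "$THREAD_SRV" "$KRB5_CONF" 10.0.1.250 ka-h9-dc01.samdom.example.com samdom.example.com || true
    echo "== after pointing the resolver at the existing DC =="
    pre_join_report "$READY_RESOLV" "$READY_SRV" "$KRB5_CONF" 10.0.1.250 ka-h9-dc01.samdom.example.com samdom.example.com || true
fi
```

The point of the SRV check is the one the debug script cannot make on its own: "record verified ok" only proves that some DC answers for the name, and on a self-provisioned host that DC is the host itself. Only once the resolver hands the SRV lookup to a DC of the existing domain, and the answer names that DC, does a `samba-tool domain join` have anything to join.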
Ah, OK. I thought that I had read somewhere to first create a DC and then join. So I demote and just try to join straight away?

On 16. August 2019 at 15:38:56, Rowland penny via samba (samba at lists.samba.org) wrote:

> On 16/08/2019 14:14, Alexander Harm via samba wrote:
>> 4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
>
> You are missing the 'acl' package
>
>> 5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
>> 6. rm /etc/samba/smb.conf
>> 7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)
>
> I thought you were trying to 'join' another DC to an existing domain, not create a new domain ?
>
>> 11. loads of DNS errors in the log like
>>
>>     [2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>>       /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>>     [2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
>>       ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
>
> They are the records that samba_dnsupdate tries to create if they do not exist, but from the error message 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS' it looks like they already exist.
>
>> 16. Notice I don't have "Administrator" as user in my Windows domain if that is an issue
>
> Then who do you have ? Not that it makes much difference, 'KA-H9-DC01' isn't a member of your Windows domain, even if it does appear to have the same dns domain.
>
>> So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?
>
> Not until you kill the Samba domain and remove all traces of it from 'KA-H9-DC01'
>
> Rowland