samba - Aug 2019 - Failing to join existing AD as DC

Ah, OK. Thought that I read this somewhere to first create a DC and then join.

So I demote and just try to join straight away?




On 16. August 2019 at 15:38:56, Rowland penny via samba (samba at
lists.samba.org) wrote:

On 16/08/2019 14:14, Alexander Harm via samba wrote:  
>  
>  
>  
>  
>  
> 4. apt update &&?apt -t buster-backports install samba attr winbind
libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
You are missing the 'acl' package  
>  
> 5.?find /var/run/samba /var/lib/samba /var/cache/samba
/var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
>  
> 6.?rm /etc/samba/smb.conf  
>  
> 7.?samba-tool domain provision --use-rfc2307 --interactive (with internal
dns)
I thought you were trying to 'join' another DC to an existing domain,  
not create a new domain ?  
> 11. loads of DNS errors in the log like  
>  
> [2019/08/16 15:02:45.925528, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177,
in _run
> [2019/08/16 15:02:45.925557, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? ? return self.run(*args, **kwargs)  
> [2019/08/16 15:02:45.925575, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? File
"/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in
run
> [2019/08/16 15:02:45.925594, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? ? raise e  
> [2019/08/16 15:02:45.958441, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711,
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> [2019/08/16 15:02:45.958512, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177,
in _run
> [2019/08/16 15:02:45.958531, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? ? return self.run(*args, **kwargs)  
> [2019/08/16 15:02:45.958548, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? File
"/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in
run
> [2019/08/16 15:02:45.958567, ?0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> ? /usr/sbin/samba_dnsupdate: ? ? raise e  
> [2019/08/16 15:02:45.987725, ?0]
../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
> ? ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code
29
> [2019/08/16 15:02:46.489326, ?0]
../source4/lib/tls/tlscert.c:170(tls_cert_generate)
> ? TLS self-signed keys generated OK  
They are the records that samba_dnsupdate tries to create if they do not  
exist, but from the error message 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS'
it looks like they already exists.  
> 12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc
-> log fine
>  
> 13. output of your debug script  
>  
> Collected config ?--- 2019-08-16-15:07 -----------  
>  
> Hostname: ka-h9-dc01  
> DNS Domain: samdom.example.com  
> FQDN: ka-h9-dc01.samdom.example.com  
> ipaddress: 10.0.1.250  
>  
> -----------  
>  
> Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample
output:
> Server:	10.0.1.250  
> Address:	10.0.1.250#53  
>  
> _kerberos._tcp.samdom.example.com	service = 0 100 88
ka-h9-dc01.samdom.example.com.
> Samba is running as an AD DC  
>  
> -----------  
> ? ? ? ?Checking file: /etc/os-release  
>  
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"  
> NAME="Debian GNU/Linux"  
> VERSION_ID="10"  
> VERSION="10 (buster)"  
> VERSION_CODENAME=buster  
> ID=debian  
> HOME_URL="https://www.debian.org/"  
> SUPPORT_URL="https://www.debian.org/support"  
> BUG_REPORT_URL="https://bugs.debian.org/"  
>  
> -----------  
>  
>  
> This computer is running Debian 10.0 x86_64  
>  
> -----------  
> running command : ip a  
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
> ? ? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
> ? ? inet 127.0.0.1/8 scope host lo  
> ? ? inet6 ::1/128 scope host  
> 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP group default qlen 1000
> ? ? link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff  
> ? ? inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192  
> ? ? inet6 fe80::20c:29ff:fe35:9c84/64 scope link  
>  
> -----------  
> ? ? ? ?Checking file: /etc/hosts  
>  
> 127.0.0.1	localhost  
> 10.0.1.250	ka-h9-dc01.samdom.example.com	ka-h9-dc01  
>  
> # The following lines are desirable for IPv6 capable hosts  
> ::1 ? ? localhost ip6-localhost ip6-loopback  
> ff02::1 ip6-allnodes  
> ff02::2 ip6-allrouters  
>  
> -----------  
>  
> ? ? ? ?Checking file: /etc/resolv.conf  
>  
> search samdom.example.com  
> nameserver 10.0.1.250  
>  
> -----------  
>  
> ? ? ? ?Checking file: /etc/krb5.conf  
>  
> [libdefaults]  
> default_realm = SAMDOM.EXAMPLE.COM  
> dns_lookup_realm = false  
> dns_lookup_kdc = true  
>  
> -----------  
>  
> ? ? ? ?Checking file: /etc/nsswitch.conf  
>  
> # /etc/nsswitch.conf  
> #  
> # Example configuration of GNU Name Service Switch functionality.  
> # If you have the `glibc-doc-reference' and `info' packages
installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
>  
> passwd: ? ? ? ? files systemd  
> group: ? ? ? ? ?files systemd  
> shadow: ? ? ? ? files  
> gshadow: ? ? ? ?files  
>  
> hosts: ? ? ? ? ?files dns  
> networks: ? ? ? files  
>  
> protocols: ? ? ?db files  
> services: ? ? ? db files  
> ethers: ? ? ? ? db files  
> rpc: ? ? ? ? ? ?db files  
>  
> netgroup: ? ? ? nis  
>  
> -----------  
>  
> ? ? ? ?Checking file: /etc/samba/smb.conf  
>  
> # Global parameters  
> [global]  
> dns forwarder = 10.0.1.100  
> netbios name = KA-H9-DC01  
> realm = SAMDOM.EXAMPLE.COM  
> server role = active directory domain controller  
> workgroup = COMPANYNAME  
> idmap_ldb:use rfc2307 = yes  
>  
> [netlogon]  
> path = /var/lib/samba/sysvol/samdom.example.com/scripts  
> read only = No  
>  
> [sysvol]  
> path = /var/lib/samba/sysvol  
> read only = No  
>  
> -----------  
>  
> BIND_DLZ not detected in smb.conf  
>  
> -----------  
>  
> Installed packages:  
> ii ?attr ? ? ? ? ? ? ? ? ? ? ? ? ? 1:2.4.48-4 ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?utilities for manipulating filesystem extended attributes
> ii ?krb5-config ? ? ? ? ? ? ? ? ? ?2.6 ? ? ? ? ? ? ? ? ? ? ? ? all ? ? ? ?
?Configuration files for Kerberos Version 5
> ii ?krb5-locales ? ? ? ? ? ? ? ? ? 1.17-3 ? ? ? ? ? ? ? ? ? ? ?all ? ? ? ?
?internationalization support for MIT Kerberos
> ii ?krb5-user ? ? ? ? ? ? ? ? ? ? ?1.17-3 ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?basic programs to authenticate using MIT Kerberos
> ii ?libacl1:amd64 ? ? ? ? ? ? ? ? ?2.2.53-4 ? ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?access control list - shared library
> ii ?libattr1:amd64 ? ? ? ? ? ? ? ? 1:2.4.48-4 ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?extended attribute handling - shared library
> ii ?libgssapi-krb5-2:amd64 ? ? ? ? 1.17-3 ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ?1.17-3 ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?MIT Kerberos runtime libraries
> ii ?libkrb5support0:amd64 ? ? ? ? ?1.17-3 ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ?
?MIT Kerberos runtime libraries - Support library
> ii ?libnss-winbind:amd64 ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba nameservice integration plugins
> ii ?libpam-krb5:amd64 ? ? ? ? ? ? ?4.8-2 ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ?
?PAM module for MIT Kerberos
> ii ?libpam-winbind:amd64 ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Windows domain authentication integration plugin
> ii ?libsmbclient:amd64 ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?shared library for communication with SMB/CIFS servers
> ii ?libwbclient0:amd64 ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba winbind client library
> ii ?python-samba ? ? ? ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Python bindings for Samba
> ii ?samba ? ? ? ? ? ? ? ? ? ? ? ? ?2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?SMB/CIFS file, print, and login server for Unix
> ii ?samba-common ? ? ? ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?all ? ? ? ?
?common files used by both the Samba server and client
> ii ?samba-common-bin ? ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba common files used by both the server and the client
> ii ?samba-dsdb-modules:amd64 ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba Directory Services Database
> ii ?samba-libs:amd64 ? ? ? ? ? ? ? 2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba core libraries
> ii ?samba-vfs-modules:amd64 ? ? ? ?2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?Samba Virtual FileSystem plugins
> ii ?smbclient ? ? ? ? ? ? ? ? ? ? ?2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?command-line SMB/CIFS clients for Unix
> ii ?winbind ? ? ? ? ? ? ? ? ? ? ? ?2:4.9.5+dfsg-5 ? ? ? ? ? ? ?amd64 ? ? ?
?service to resolve user and group information from Windows NT servers
>  
> -----------  
>  
> 14.?samba-tool fsmo show -H ldap://$(hostname -d)  
>  
> SchemaMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>  
> 15.?samba-tool fsmo show -H?ldap://10.88.80.88?-U dcadmin  
>  
> SchemaMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>  
> 16. Notice I don't have "Administrator" as user in my Windows
domain if that is an issue
Then who do you have ? Not that it makes much difference 'KA-H9-DC01'  
isn't a member of your Windows domain, even if? does appear to have the  
same dns domain.  
>  
> So far everything looks fine to me, should I now point resolv.conf to
Windows DC and attempt the join again?
Not until you kill the Samba domain and remove all traces of it from  
'KA-H9-DC01'  

Rowland  



--  
To unsubscribe from this list go to the following URL and read the  
instructions: https://lists.samba.org/mailman/options/samba

On 16/08/2019 14:43, Alexander Harm via samba wrote:
> Ah, OK. Thought that I read this somewhere to first create a DC and then
join.
>
> So I demote and just try to join straight away?
No, you either create a new domain with 'samba-tool domain provision' or
you join as a DC to an existing domain with 'samba-tool domain join', 
you do not run both on the same machine.

I would start again, re-install the OS and required packages and then 
attempt the JOIN again.

Rowland

Naa.. Not needed to reinstall. 

His setup is better then most i see here. 
He could do. 

apt-get remove --autoremove --purge samba winbind

And reinstall samba, that should be sufficient. 
But stopping samba-ad-dc and removing the files for the /var/{lib,cache}/samba 
is suffient.

I do that on every test server. 

Greetz, 

Louis

 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: vrijdag 16 augustus 2019 16:00
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failing to join existing AD as DC
> 
> On 16/08/2019 14:43, Alexander Harm via samba wrote:
> > Ah, OK. Thought that I read this somewhere to first create 
> a DC and then join.
> >
> > So I demote and just try to join straight away?
> 
> No, you either create a new domain with 'samba-tool domain 
> provision' or 
> you join as a DC to an existing domain with 'samba-tool domain
join',
> you do not run both on the same machine.
> 
> I would start again, re-install the OS and required packages and then 
> attempt the JOIN again.
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 16/08/2019 15:02, L.P.H. van Belle via samba wrote:
> Naa.. Not needed to reinstall.
>
> His setup is better then most i see here.
> He could do.
>
> apt-get remove --autoremove --purge samba winbind
>
> And reinstall samba, that should be sufficient.
> But stopping samba-ad-dc and removing the files for the
/var/{lib,cache}/samba  is suffient.
>
> I do that on every test server.
I was just making sure ;-)

I am going now to the Samba 'join' wiki page to ensure it says 'do
not
provision before attempting a join' ;-)

Rowland