Vincent Sherwood
2019-Sep-11 20:29 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
Hi,

I am trying to add a samba DC to an existing Domain that has 2 Win2016 Domain Controllers but is still running at Domain Functional and Forest levels 2008R2.

When I run the join command it goes most of the way through before eventually erring out, and backing out everything it had done.

The command I used is

samba-tool domain join MYDOMAIN DC -U"administrator at mydomain.ext" -d 5 --server=ExistingDC.mydomain.ext

The error I get is below. Note that the line numbers are slightly out of line with the real code as I have added some debug messages to try to identify the issue.

Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for MYDOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4715) and from /usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted ....
(removed actual backout lines)
ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 708, in run
    backend_store_size=backend_store_size)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1579, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1473, in do_join
    ctx.join_add_dns_records()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1209, in join_add_dns_records
    dns_partition=domaindns_zone_dn)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 1186, in dns_lookup
    dns_partition=dns_partition)

To debug, in the function dns_lookup in samdb.py I added some debug messages as follows

def dns_lookup(self, dns_name, dns_partition=None):
    '''Do a DNS lookup in the database, returns the NDR database structures'''
    # Debug prints: print() gets two arguments, so the literal "%s" is echoed
    # in the output followed by the value.
    print("DNS Lookup 3-1 self %s", self)
    print("DNS Lookup 3-1 dns_name %s", dns_name)
    print("DNS Lookup 3-1 dns_partition %s", dns_partition)
    # Show what the partition-less lookup would find, for comparison
    print("DNS Lookup 3-2 - no partition would return - %s", dsdb_dns.lookup(self, dns_name))
    if dns_partition is None:
        print("DNS Lookup 3-2 dns_partition None")
        return dsdb_dns.lookup(self, dns_name)
    else:
        print("DNS Lookup 3-2 dns_partition Other")
        return dsdb_dns.lookup(self, dns_name, dns_partition=dns_partition)

Below is the output

DNS Lookup 3-1 self %s <ldb connection>
DNS Lookup 3-1 dns_name %s DCSAMBA4A.mydomain.ext
DNS Lookup 3-1 dns_partition %s DC=DomainDnsZones,DC=mydomain,DC=ext
DNS Lookup 3-2 - no partition would return - %s (Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'), [<dnsp.DnssrvRpcRecord talloc based object at 0x3bd38e0>])
DNS Lookup 3-2 dns_partition Other
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database:.......

This domain was originally created under Windows 2000 and has been upgraded over the years.

The most obvious thing I see is that the search is looking for a record in DomainDnsZones which is not found. But the output of running the search which would have been used if dns_partition=None finds that there is a record in MicrosoftDNS. Not sure if that might be a clue to where things started to go wrong at some earlier point in the process.

Anybody got any suggestions?

Thanks,
Vincent
Rowland penny
2019-Sep-11 20:47 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
On 11/09/2019 21:29, Vincent Sherwood via samba wrote:
> Hi,
>
> I am trying to add a samba DC to an existing Domain that has 2 Win2016
> Domain Controllers but is still running at Domain Functional and Forest
> levels 2008R2.
>
> When I run the join command it goes most of the way through before
> eventually erring out, and backing out everything it had done.
>
> The command I used is
> samba-tool domain join MYDOMAIN DC -U"administrator at mydomain.ext" -d 5
> --server=ExistingDC.mydomain.ext
>
> The error I get is below. Note that the line numbers are slightly out of
> line with the real code as I have added some debug messages to try to
> identify the issue.
>
> Join failed - cleaning up

Can we see the output BEFORE where the join failed, anything after the failure is an artefact of the failure and can be ignored.

The problem is likely to be the schema version on the Windows 2016 DC.

Rowland
Rowland penny
2019-Sep-11 21:14 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
On 11/09/2019 21:59, Vincent Sherwood wrote:
> Here is the full output
>
> [user at DCSAMBA4A ~]# samba-tool domain join MYDOMAIN DC -U"administrator at mydomain.ext" --server=DC2016A.mydomain.ext
> Password for [administrator at mydomain.ext]:
> INFO 2019-09-11 21:55:09,790 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563: workgroup is MYDOMAIN
> INFO 2019-09-11 21:55:09,791 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566: realm is mydomain.ext
> Adding CN=DCSAMBA4A,OU=Domain Controllers,DC=mydomain,DC=ext
> Adding CN=DCSAMBA4A,CN=Servers,CN=IT-Solutions,CN=Sites,CN=Configuration,DC=mydomain,DC=ext
> Adding CN=NTDS Settings,CN=DCSAMBA4A,CN=Servers,CN=IT-Solutions,CN=Sites,CN=Configuration,DC=mydomain,DC=ext
> Adding SPNs to CN=DCSAMBA4A,OU=Domain Controllers,DC=mydomain,DC=ext
> Setting account password for DCSAMBA4A$
> Enabling account
> Calling bare provision
> INFO 2019-09-11 21:55:10,594 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
> INFO 2019-09-11 21:55:10,595 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
> WARNING 2019-09-11 21:55:10,596 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
> INFO 2019-09-11 21:55:11,097 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
> INFO 2019-09-11 21:55:11,829 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2329: Setting up the registry
> INFO 2019-09-11 21:55:12,144 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
> INFO 2019-09-11 21:55:13,010 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
> INFO 2019-09-11 21:55:13,626 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
> INFO 2019-09-11 21:55:13,852 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
> INFO 2019-09-11 21:55:13,853 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
> INFO 2019-09-11 21:55:14,036 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> INFO 2019-09-11 21:55:14,502 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2395: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> INFO 2019-09-11 21:55:14,503 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=mydomain,DC=ext
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext] objects[402/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext] objects[804/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext] objects[1206/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext] objects[1608/1473] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=ext] objects[1816/1473] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[402/2926] linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[804/2926] linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1206/2926] linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1608/2926] linked_values[0/84]
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[1905/2926] linked_values[72/84]
> dsdb_replicated_objects_convert: Ignoring object outside partition 5a8bd8f9-8944-4361-980b-75f6d05a6d27 CN=Schema,CN=Configuration,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> Partition[CN=Configuration,DC=mydomain,DC=ext] objects[2215/2926] linked_values[84/84]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=ext] objects[113/174] linked_values[9/65]
> Partition[DC=mydomain,DC=ext] objects[368/6057] linked_values[0/65]
> Partition[DC=mydomain,DC=ext] objects[770/6057] linked_values[0/65]
> Partition[DC=mydomain,DC=ext] objects[1014/6057] linked_values[51/65]
> dsdb_replicated_objects_convert: Ignoring object outside partition 142e2e12-1e0b-4d96-acdd-a90523eaaea2 CN=Configuration,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition 2831226b-bd83-4e23-931f-9907170dff39 DC=DomainDnsZones,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> dsdb_replicated_objects_convert: Ignoring object outside partition 820b5cf3-4b83-408f-aa65-7ffded9c0379 DC=ForestDnsZones,DC=mydomain,DC=ext: WERR_DS_ADD_REPLICA_INHIBITED
> Partition[DC=mydomain,DC=ext] objects[1259/6057] linked_values[65/65]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mydomain,DC=ext
> Partition[DC=DomainDnsZones,DC=mydomain,DC=ext] objects[9/9] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mydomain,DC=ext
> Partition[DC=ForestDnsZones,DC=mydomain,DC=ext] objects[21/21] linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=mydomain,DC=ext] objects[3] linked_values[0]
> Committing SAM database
> Repacking database from v1 to v2 format (first record CN=msSFU-30-Member-Of-Nis-Netgroup,CN=Schema,CN=Configuration,DC=mydomain,DC=ext)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record CN=site-Display,CN=401,CN=DisplaySpecifiers,CN=Configuration,DC=mydomain,DC=ext)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=ext)
> Repacking database from v1 to v2 format (first record DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydomain,DC=ext)
> Repacking database from v1 to v2 format (first record CN=RID Set\0ADEL:943f4350-d597-46f3-a3fb-7be0d67d15fa,CN=Deleted Objects,DC=mydomain,DC=ext)
> Join test 2
> INFO 2019-09-11 21:55:31,259 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1116: Adding 1 remote DNS records for DCSAMBA4A.mydomain.ext
> Join test 2-1
> Join test 2-1
> Join test 2-2
> Join test 2-3
> Join test 2-4
> INFO 2019-09-11 21:55:31,435 pid:20279 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1184: Adding DNS A record DCSAMBA4A.mydomain.ext for IPv4 IP: 192.168.200.252
> Join test 2-5
> Join test 2-6
> Join test 2-7
> Join test 2-8
> Join test 2-8 DomainDNSzone %s DC=DomainDnsZones,DC=mydomain,DC=ext
> Join test 2-8 name %s DCSAMBA4A
> Join test 2-8 zone %s mydomain.ext
> DNS Lookup 3-1 self %s <ldb connection>
> DNS Lookup 3-1 dns_name %s DCSAMBA4A.mydomain.ext
> DNS Lookup 3-1 dns_partition %s DC=DomainDnsZones,DC=mydomain,DC=ext
> DNS Lookup 3-2 - no partition - %s (Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'), [<dnsp.DnssrvRpcRecord talloc based object at 0x490bc20>])
> DNS Lookup 3-2 dns_partition Other
> DNS Lookup 3-2 dns_partition Other - %s (Dn('DC=DCSAMBA4A,DC=mydomain.ext,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=ext'), [<dnsp.DnssrvRpcRecord talloc based object at 0x490bc20>])
> Join failed - cleaning up

I think you need to upgrade your DNS in AD, 'DC=mydomain.ext,CN=MicrosoftDNS,CN=System' should be 'DC=mydomain.ext,CN=MicrosoftDNS,DC=DomainDnsZones'

Rowland
Vincent Sherwood
2019-Sep-12 00:29 UTC
[Samba] Joining Windows 2008 Domain as DC fails 4.10 (and 4.11rc3)
Rowland,

Thanks for the suggestion. To help anyone else who might run into this same issue and find this thread, I will detail what I found.

After much searching I finally found an article on the web that talked about how the Replication options for the Microsoft DNS server changed in Windows 2003. Since our DNS has been around since Windows 2000, the data was still stored in AD in the old Windows 2000 compatible location. The samba-tool clearly does not handle this situation. It expects to find the DNS data in the new Windows 2003 and later storage location.

The recommendation in the article was to have
    the _msdcs.mydomain.ext zone replicated to all DNS servers in this FOREST.
    the mydomain.ext zone replicated to all DNS servers in this DOMAIN.

To change the storage location of the DNS storage to the location samba-tool expects to find the data in, I did the following:

    Open the Microsoft DNS manager
    Expand the existing master Domain Controller
    Expand the Forward Lookup Zones folder
    Right-click on the domain, mydomain.ext, and select Properties
    On the General tab the DNS showed as
        Type: Active Directory-Integrated
        Replication: All domain controllers in this domain (for Windows 2000 compatibility)
    I clicked on the Change... button beside Replication and selected the option
        ( ) To all DNS servers running on domain controllers in this domain: mydomain.ext
    I clicked OK, and then clicked Apply on the Properties dialog to save the change.

I waited for the change to be replicated to the DNS server on the second Windows DC, and then re-ran the samba-tool join command. This time the samba-tool join succeeded.

Thanks for your help

Vincent

On Wed, 11 Sep 2019 at 22:15, Rowland penny via samba <samba at lists.samba.org> wrote:
> > Join failed - cleaning up
>
> I think you need to upgrade your DNS in AD,
> 'DC=mydomain.ext,CN=MicrosoftDNS,CN=System' should be
> 'DC=mydomain.ext,CN=MicrosoftDNS,DC=DomainDnsZones'
>
> Rowland
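As an added example (not code from the thread, from Samba, or from Microsoft), the same check and change Vincent made through DNS Manager, done from PowerShell on a Windows DC so the legacy storage location can be spotted before attempting a join; it assumes the DnsServer and ActiveDirectory modules are installed and takes the domain name from the DC it runs on.

```powershell
# Added example, not from the thread: find AD-integrated DNS zones still
# stored in the Windows 2000-compatible location (CN=MicrosoftDNS,CN=System)
# and move them to the partitions samba-tool searches.
# Assumes: run as a domain admin on a Windows DC holding the DNS role,
# with the DnsServer and ActiveDirectory modules available.
Import-Module DnsServer
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName    # e.g. DC=mydomain,DC=ext

# 1. Zone objects directly under CN=MicrosoftDNS,CN=System are the legacy
#    storage location. The failed join found its A record here while
#    samdb.dns_lookup was searching DC=DomainDnsZones.
$legacyBase = "CN=MicrosoftDNS,CN=System,$domainDn"
$legacy = Get-ADObject -SearchBase $legacyBase -SearchScope OneLevel `
              -LDAPFilter '(objectClass=dnsZone)' |
          Where-Object { $_.Name -ne 'RootDNSServers' } |
          Select-Object -ExpandProperty Name
"Zones in legacy location: $($legacy -join ', ')"

# 2. The same information as the DNS Manager General tab: scope "Legacy"
#    is "All domain controllers in this domain (for Windows 2000 compatibility)".
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# 3. Apply the scopes recommended in the thread: _msdcs.<domain> to every
#    DNS server in the forest, the domain zone to every DNS server in the
#    domain. In a domain created under Windows 2000, _msdcs is often only a
#    subdomain of the domain zone, so there may be no separate zone to move.
foreach ($zone in $legacy) {
    $scope = if ($zone -like '_msdcs.*') { 'Forest' } else { 'Domain' }
    Set-DnsServerPrimaryZone -Name $zone -ReplicationScope $scope -Verbose
}

# 4. Once the change has replicated to the other DCs, the zone objects
#    appear under the application partition the join looks in.
Get-ADObject -SearchBase "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" `
    -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' |
    Select-Object Name, DistinguishedName
```

Run steps 1 and 2 alone first; step 3 changes where the zone data is stored and should be given time to replicate to every Windows DC before the samba-tool join is retried.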