Rick Hollinbeck
2020-Feb-08 20:25 UTC
[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'
Thanks for the help with this, Rowland.

> Were these 2008 DCs upgraded from an earlier version ? (2000, 2003)

Yes, the two Windows servers were migrated over the years to Server 2008 (one is 2008 R2).
I've now moved the _msdcs folder and made it a zone in the forest, restarted NETLOGON, and set the functionality of the forest to Server 2008, then rebooted both Windows servers.
This seems to be working fine, on the Windows servers and with other Windows client PCs.

BTW, this same Samba join error was happening before I did all that, though, and it didn't seem to help to raise functionality.

But it does seem like some permission on the Windows side might be missing for the new Samba DC to join the domain.
I would think that the administrator password provided to samba-tool would be enough, though.

This issue is similar:
https://bugzilla.samba.org/show_bug.cgi?id=13298

Here is how I am attempting the join (my bash script):
-----
#!/bin/bash

echo "Stopping Samba services..."
service samba stop >/dev/null || true
service samba-ad-dc stop >/dev/null || true
service smbd stop >/dev/null || true
service nmbd stop >/dev/null || true

echo "Deleting Samba configuration file..."
rm -f /etc/samba/smb.conf
echo "Deleting Kerberos configuration file..."
rm -f /etc/krb5.conf

echo "Clean up *.tdb and *.ldb files (samba DBs)..."
# Ask smbd for the directories it was built to use, so the right DBs are cleared
DIRS=$(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | cut -d: -f2)
for dir in $DIRS; do
    echo "  Clearing $dir ..."
    find "$dir" \( -name "*.tdb" -or -name "*.ldb" \) -delete || true
done

rm -f Sambajoin.log
samba-tool domain join OFFICE.EXAMPLE.COM DC --server=SERVI.OFFICE.EXAMPLE.COM -U"OFFICE\\administrator" --password=TheActualPassword --dns-backend=BIND9_DLZ -d3 >Sambajoin.log 2>&1
samba-tool user setexpiry administrator --noexpiry
samba-tool domain exportkeytab /etc/krb5.keytab
------

> Also, can we see more of the join output, what you posted is usually the
> fallout from a failed join and is usually meaningless, I think there
> will be a line similar to 'join failed', we need to see what is above this.

There were several "Cannot reach a KDC" messages prior to the WERR_DNS_ERROR_RCODE_NAME_ERROR in the log. (Not sure if these are relevant.)

Start of JOIN log...
--------
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
Cannot reach a KDC we require to contact (null) : kinit for administrator at OFFICE failed (Cannot contact any KDC for requested realm)
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/SERVI.OFFICE.EXAMPLE.COM failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
...ETC.
-------------

Eventually the fatal WERR_DNS_ERROR_RCODE_NAME_ERROR occurs later when adding the A record for the new server is attempted.

Either something very subtle (or very obvious) is going on here!
Rowland penny
2020-Feb-08 20:43 UTC
[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'
On 08/02/2020 20:25, Rick Hollinbeck via samba wrote:
> Thanks for the help with this, Rowland.
>
>> Were these 2008 DCs upgraded from an earlier version ? (2000, 2003)
> Yes, the two Windows servers were migrated over the years to Server 2008 (one is 2008
> R2).
> I've now moved the _msdcs folder and made it a zone in the forest, restarted NETLOGON,
> and set the functionality of the forest to Server 2008, then rebooted both windows servers.
> This seems to be working fine, on the windows servers and with other Windows client PC's.

Have you read this:

https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

Is this what you have done ?

> BTW, this same Samba join error was happening before I did all that, though, and it didn't
> seem to help to raise functionality.
>
> But it does seem like some permission on the Windows side might be missing for the new
> Samba DC to join the domain.
> I would think that the administrator passwd provided to samba-tool would be enough, though.
>
> This issue is similar:
> https://bugzilla.samba.org/show_bug.cgi?id=13298
>
> Here is how I am attempting the join (my bash script):
> -----
> echo "Stopping Samba services..."
> service samba stop >/dev/null || true
> service samba-ad-dc stop >/dev/null || true
> service smbd stop >/dev/null || true
> service nmbd stop >/dev/null || true
>
> echo "Deleting Samba configuration file..."
> rm -f /etc/samba/smb.conf
> echo "Deleting Kerberos configuration file..."
> rm -f /etc/krb5.conf
>
> echo "Clean up *.tdb and *.ldb files (samba DBs)..."
> DIRS=$(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | cut -d: -f2)
> for dir in $DIRS; do
>     echo "  Clearing $dir ..."
>     find $dir \( -name "*.tdb" -or -name "*.ldb" \) -delete || true
> done
>
> rm -f Sambajoin.log
> samba-tool domain join OFFICE.EXAMPLE.COM DC --server=SERVI.OFFICE.EXAMPLE.COM -U"OFFICE\\administrator" --password=TheActualPassword --dns-backend=BIND9_DLZ -d3 >Sambajoin.log 2>&1

Can you send me a copy of Sambajoin.log ?

Rowland