Hello,

I'm trying to promote samba4 as a 3rd DC in Windows 2008 R2 AD domain (to get
rid of Windows Servers in future). It's joined well, but failing on samba_kcc
run (it's happened when I launched samba after joining the domain, so for
debugging purposes I then started samba_kcc manually):

# /usr/local/samba/sbin/samba_kcc
Traceback (most recent call last):
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 87, in load_nc
    scope=ldb.SCOPE_BASE, attrs=attrs)
_ldb.LdbError: (32, 'No such Base DN: DC=DomainDnsZones,DC=domain,DC=com')
...
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 92, in load_nc
    (self.nc_dnstr, estr))
samba.kcc.kcc_utils.KCCError: Unable to find naming context (DC=DomainDnsZones,DC=domain,DC=com) - (No such Base DN: DC=DomainDnsZones,DC=domain,DC=com)

I joined the domain with the following command:
samba-tool domain join domain.com DC -k yes --dns-backend NONE --server=vm-dc1.domain.com

vm-dc1 does have the mentioned context b/c it's a domain naming master.
Wondering why samba tries to find it - it's not a domain naming master..

Any ideas are highly appreciated!

--
Best regards,
Alex
Rowland penny
2020-Feb-10 13:26 UTC
[Samba] samba_kcc issue after joining the domain as a DC
On 10/02/2020 12:36, Alex via samba wrote:
> Hello,
>
> I'm trying to promote samba4 as a 3rd DC in Windows 2008 R2 AD domain (to get
> rid of Windows Servers in future). It's joined well, but failing on samba_kcc
> run (it's happened when I launched samba after joining the domain, so for
> debugging purposes I then started samba_kcc manually):
> # /usr/local/samba/sbin/samba_kcc
> Traceback (most recent call last):
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 87, in load_nc

Hmm, 'lib64', is this on Fedora?

If so, are you using the Fedora Samba packages?

If so, then are you aware that using MIT Kerberos with a Samba AD DC is
experimental and shouldn't be used in production.

If none of the above applies, can you provide more info: what OS, what
Samba packages, etc.?

Rowland

>     scope=ldb.SCOPE_BASE, attrs=attrs)
> _ldb.LdbError: (32, 'No such Base DN: DC=DomainDnsZones,DC=domain,DC=com')
> ...
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 92, in load_nc
>     (self.nc_dnstr, estr))
> samba.kcc.kcc_utils.KCCError: Unable to find naming context (DC=DomainDnsZones,DC=domain,DC=com) - (No such Base DN: DC=DomainDnsZones,DC=domain,DC=com)
>
> I joined the domain with the following command:
> samba-tool domain join domain.com DC -k yes --dns-backend NONE --server=vm-dc1.domain.com
>
> vm-dc1 does have the mentioned context b/c it's a domain naming master.
> Wondering why samba tries to find it - it's not a domain naming master..
>
> Any ideas are highly appreciated!
>
L.P.H. van Belle
2020-Feb-10 13:36 UTC
[Samba] samba_kcc issue after joining the domain as a DC
Hai,

I'm betting this is a Windows 2000/2003 upgraded domain..
And since he is still running the Windows domain:
https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

Should help if that's done before the samba DC join.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Monday 10 February 2020 14:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_kcc issue after joining the domain as a DC
>
> On 10/02/2020 12:36, Alex via samba wrote:
> > Hello,
> >
> > I'm trying to promote samba4 as a 3rd DC in Windows 2008 R2 AD domain (to get
> > rid of Windows Servers in future). It's joined well, but failing on samba_kcc
> > run (it's happened when I launched samba after joining the domain, so for
> > debugging purposes I then started samba_kcc manually):
> > # /usr/local/samba/sbin/samba_kcc
> > Traceback (most recent call last):
> >   File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 87, in load_nc
>
> Hmm, 'lib64', is this on Fedora ?
>
> If so, are you using the Fedora Samba packages ?
>
> If so, then are you aware that using MIT kerberos with a Samba AD DC is
> experimental and shouldn't be used in production.
>
> If non of the above applies, can you provide more info, what OS, What
> Samba packages ? etc
>
> Rowland
>
> >     scope=ldb.SCOPE_BASE, attrs=attrs)
> > _ldb.LdbError: (32, 'No such Base DN: DC=DomainDnsZones,DC=domain,DC=com')
> > ...
> >   File "/usr/local/samba/lib64/python3.6/site-packages/samba/kcc/kcc_utils.py", line 92, in load_nc
> >     (self.nc_dnstr, estr))
> > samba.kcc.kcc_utils.KCCError: Unable to find naming context (DC=DomainDnsZones,DC=domain,DC=com) - (No such Base DN: DC=DomainDnsZones,DC=domain,DC=com)
> >
> > I joined the domain with the following command:
> > samba-tool domain join domain.com DC -k yes --dns-backend NONE --server=vm-dc1.domain.com
> >
> > vm-dc1 does have the mentioned context b/c it's a domain naming master.
> > Wondering why samba tries to find it - it's not a domain naming master..
> >
> > Any ideas are highly appreciated!
> >
Rowland penny
2020-Feb-10 14:30 UTC
[Samba] samba_kcc issue after joining the domain as a DC
On 10/02/2020 13:51, Alex wrote:
> Hello Rowland,
>
> Thank you for such a quick reply!
>
> It's Centos 7. Samba 4.11.6 was built from sources.

Where did the domain start from? 2008R2 or earlier?

Are the existing DCs DNS servers?

It seems to be having problems finding the 'DomainDnsZones' object.

Rowland
>> It's Centos 7. Samba 4.11.6 was built from sources.

> Where did the domain start from ? 2008R2 or earlier ?

Earlier. I guess it was since Windows Server 2000.

> Are the existing DCs DNS servers ?

At this moment I've created the DNS server on the primary DC, b/c I had issues
joining Samba to the domain before and now decided to test this type of setup.

> It seems to be having problems finding the 'DomainDnsZones' object.

After creating DNS server on the DC, this object does exist in the AD.

--
Best regards,
Alex
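
A quick way to check the mismatch discussed in this thread, as an added example that is not from any of the posters or from Samba: it pulls the failing naming context out of the samba_kcc error and compares the rootDSE namingContexts of the existing DC with those of the new one. Both ldbsearch outputs are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed rootDSE output, as printed by a query such as
#   ldbsearch -H ldap://vm-dc1.domain.com -b "" -s base namingContexts
# The third value is folded the way LDIF wraps long lines.
REMOTE_LDIF = """\
dn:
namingContexts: DC=domain,DC=com
namingContexts: CN=Configuration,DC=domain,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=dom
 ain,DC=com
namingContexts: DC=DomainDnsZones,DC=domain,DC=com
namingContexts: DC=ForestDnsZones,DC=domain,DC=com
"""
# Constructed output of the same query against the new Samba DC's database.
LOCAL_LDIF = """\
dn:
namingContexts: dc=domain,dc=com
namingContexts: CN=Configuration,DC=domain,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=domain,DC=com
namingContexts: DC=ForestDnsZones,DC=domain,DC=com
"""
# Error line copied from the traceback in the thread.
KCC_ERROR = ("samba.kcc.kcc_utils.KCCError: Unable to find naming context "
             "(DC=DomainDnsZones,DC=domain,DC=com) - (No such Base DN: "
             "DC=DomainDnsZones,DC=domain,DC=com)")

def normalize(dn):
    """DNs compare case-insensitively; naive comma split, fine for NC DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def naming_contexts(ldif):
    """Map normalized DN -> DN as printed, after unfolding wrapped lines."""
    found = {}
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        m = re.match(r"namingContexts:\s*(.+)$", line, re.I)
        if m:
            found[normalize(m.group(1))] = m.group(1).strip()
    return found

def failing_nc(error_text):
    """Extract the naming context that samba_kcc could not load."""
    m = re.search(r"Unable to find naming context \(([^)]+)\)", error_text)
    return m.group(1) if m else None

def missing_locally(remote_ldif, local_ldif):
    """Naming contexts the existing DC advertises but the new DC lacks."""
    local = naming_contexts(local_ldif)
    return sorted(dn for key, dn in naming_contexts(remote_ldif).items()
                  if key not in local)

if __name__ == "__main__":
    print("KCC failed on:", failing_nc(KCC_ERROR))
    print("Missing on new DC:", missing_locally(REMOTE_LDIF, LOCAL_LDIF))
```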