Daniel Lopes de Carvalho
2020-Apr-07 11:20 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hello Guys,

I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16 and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same Samba version).

During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.

I read this thread https://lists.samba.org/archive/samba/2017-December/212938.html and executed samba_upgradedns on the working DC as Rowland suggested, but the error persists.

I saw some other threads on Samba's list suggesting an upgrade of the Samba version to 4.7.X. I would like to know what the best way to do this upgrade is.

I was wondering whether to first upgrade Samba on the new joining DC and, if I succeed and have a second working AD, then upgrade Samba on the first working DC.

Can someone guide me on this issue?

Thanks and best regards,
Daniel

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
Rowland penny
2020-Apr-07 12:13 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 12:20, Daniel Lopes de Carvalho via samba wrote:
> Hello Guys,
>
> I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16
> and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same
> Samba version).

Why stick with Stretch?

From my understanding you will only get security updates from now on.

I would use Buster (Debian 10) instead; this will get you Samba 4.9.5, which, while it is still EOL as far as Samba is concerned, is a lot less dead than 4.5.16.

> During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.

Can you post the output from the join command?

> I was wondering to first upgrade Samba on the new joining DC and if I get
> success and have a second working AD, then upgrade the Samba in the first
> working DC.

You may have something wrong with your database and if so, you need to fix this first. If you can upgrade in place, then this may be the way to go, but not until you are sure that the database is okay.

Rowland
Daniel Lopes de Carvalho
2020-Apr-07 13:51 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland, thanks for your email.

The working DC was installed around 2 years ago. That is the reason for sticking with Stretch. But if I can upgrade the working DC to Buster and Samba 4.9.5 without any problem, it is OK with me.

I'm not a Samba expert. How can I verify my database? Can you point me to some link, tutorial, etc.? I have used samba-tool dbcheck (with and without --cross-ncs); is this enough?

Find below the output of the samba-tool join command:

samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'test.example.domain.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
Found DC adc02.test.example.domain.br
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Password for [test\administrator]:
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags: Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
workgroup is test
realm is test.example.domain.br
Adding CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Adding CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Adding CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br at test.example.domain.br : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags: Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Setting account password for DCS01$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=test,DC=example,DC=domain,DC=br
Starting replication
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br at test.example.domain.br : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags: Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1608/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1722/1722] linked_values[71/0]
Replicated 114 objects (71 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97] linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for test from both secrets.ldb (Could not find entry to match filter: '(&(flatname=test)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Deleted CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Deleted CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)

PS: test.example.domain.br is a fake domain just to post the output here on the list.

Thanks and best regards

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221