Daniel Lopes de Carvalho
2020-Apr-07  11:20 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hello Guys,

I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16 and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same Samba version).

During the joining process I get the error WERR_DS_DRA_MISSING_PARENT. I read this thread https://lists.samba.org/archive/samba/2017-December/212938.html and executed samba_upgradedns on the working DC as Rowland suggested, but the error persists.

I saw some other threads on Samba's list suggesting an upgrade of the Samba version to 4.7.X. I would like to know what is the best way to do this upgrade. I was thinking of first upgrading Samba on the new joining DC and, if I succeed and have a second working AD, then upgrading Samba on the first working DC.

Can someone guide me on this issue?

Thanks and best regards
Daniel

-- 
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel@cepetro.unicamp.br
19 3521-1221
Rowland penny
2020-Apr-07  12:13 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 12:20, Daniel Lopes de Carvalho via samba wrote:
> Hello Guys,
>
> I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16
> and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same
> Samba version).

Why stick with Stretch?

From my understanding you will only get security updates from now on.

I would use Buster (Debian 10) instead, this will get you Samba 4.9.5, which, while it is still EOL as far as Samba is concerned, is a lot less dead than 4.5.16

> During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.

Can you post the output from the join command?

> I was wondering to first upgrade Samba on the new joining DC and if I get
> success and have a second working AD, then upgrade the Samba in the first
> working DC.

You may have something wrong with your database and if so, you need to fix this first. If you can upgrade in place, then this may be the way to go, but not until you are sure that the database is okay.

Rowland
Daniel Lopes de Carvalho
2020-Apr-07  13:51 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland, thanks for your email.
The working DC was installed around 2 years ago. That is the reason for sticking with Stretch. But if I can upgrade the working DC to Buster and Samba 4.9.5 without any problem, that is OK with me.

I'm not a Samba expert. How can I verify my database? Can you point me to some link, tutorial, etc.? I have used samba-tool dbcheck (with and without --cross-ncs); is this enough?
Find below the output of the samba-tool join command:

samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'test.example.domain.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
Found DC adc02.test.example.domain.br
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Password for [test\administrator]:
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator@test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is test
realm is test.example.domain.br
Adding CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Adding CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Adding CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br@test.example.domain.br : kinit for administrator@test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Setting account password for DCS01$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=test,DC=example,DC=domain,DC=br
Starting replication
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ADC02.test.example.domain.br@test.example.domain.br : kinit for administrator@test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1608/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1722/1722] linked_values[71/0]
Replicated 114 objects (71 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97] linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for test from both secrets.ldb (Could not find entry to match filter: '(&(flatname=test)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Deleted CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Deleted CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)
PS: test.example.domain.br is a fake domain, used just to post the output here on the list.
Thanks and best regards
-- 
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel@cepetro.unicamp.br
19 3521-1221
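An added example, not part of the thread and not Samba project code: the error at the end of the join log names the objectGUID of the parent the joining DC could not find and the DN the source DC reports for the orphaned child. The script below pulls those two values out of the log text (embedded here as a constructed sample, unwrapped, because the list archive hard-wraps the lines) and prints the ldbsearch lookups to run against the working DC's sam.ldb. It assumes the default Debian database path /var/lib/samba/private/sam.ldb and the ldb-tools package on the working DC; the script itself only parses text and never opens a database.

```shell
#!/bin/sh
# Added example, not from the thread: parse a failed `samba-tool domain join`
# log for the WERR_DS_DRA_MISSING_PARENT details and print the checks to run
# on the working DC. Only text is processed here; no database is opened.

# Constructed sample: the relevant lines from the join output, unwrapped
# (samba prints each of these on a single line).
SAMPLE_LOG='Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97] linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT'

# Assumed default location of the AD database on a Debian Samba DC.
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# objectGUID of the parent the joining DC could not find (log on stdin).
missing_parent_guid() {
    sed -n 's/.*No parent with GUID \([0-9a-fA-F-]\{36\}\) found for object.*/\1/p' | head -n 1
}

# DN of the orphaned child, as the source DC reports it (log on stdin).
missing_parent_child_dn() {
    sed -n 's/.*found for object remotely known as \(.*\)$/\1/p' | head -n 1
}

# Parent DN = child DN with its first RDN removed. Assumes the RDN contains
# no escaped commas, which holds for the DN in the sample.
parent_dn_of() {
    printf '%s\n' "$1" | sed 's/^[^,]*,//'
}

# Emit the lookups for the working DC: $1 = parent GUID, $2 = expected parent
# DN. Both are needed because they answer different questions: whether any
# object (live, or deleted but still held as a tombstone) carries that GUID,
# and whether the container at the expected DN exists and which GUID it has.
# If the GUID turns up nowhere and the DN exists under another GUID, the
# source DC's copy of the child points at a parent it no longer holds.
diagnose_cmds() {
    printf '# on the working DC, as root:\n'
    printf 'ldbsearch -H %s "(objectGUID=%s)" dn objectGUID isDeleted\n' "$SAM_LDB" "$1"
    printf 'ldbsearch -H %s --show-deleted "(objectGUID=%s)" dn objectGUID isDeleted\n' "$SAM_LDB" "$1"
    printf 'ldbsearch -H %s -b "%s" -s base "(objectClass=*)" dn objectGUID\n' "$SAM_LDB" "$2"
}

# Stand-alone run over the constructed sample.
guid=$(printf '%s\n' "$SAMPLE_LOG" | missing_parent_guid)
child=$(printf '%s\n' "$SAMPLE_LOG" | missing_parent_child_dn)
diagnose_cmds "$guid" "$(parent_dn_of "$child")"
```

Run it where the join log was captured (or feed a real log to the two functions on stdin) and then run the printed ldbsearch lines on the working DC; compare the objectGUID the OU actually has with the one the child expects. Take a copy of /var/lib/samba before attempting any fix on the working DC. The script deliberately ignores the "Cannot contact any KDC for requested realm" lines earlier in the log: those show the joining host's Kerberos setup failing and the join falling back to NTLMSSP (the neg_flags lines that follow), which is a separate problem from the missing parent.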