Daniel Lopes de Carvalho
2020-Apr-07 13:51 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland, thanks for your email.

The working DC was installed around 2 years ago. It is the reason to stick in Stretch. But if I can upgrade the working DC to Buster and Samba 4.9.5 without any problem, it is OK to me.

I'm not a Samba expert. How can I verify my database? Can you point me to some link, tutorial, etc? I have used the samba-tool dbcheck (with and without --cross-ncs), is this enough?

Find below the output of samba-tool join command:

samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'test.example.domain.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
Found DC adc02.test.example.domain.br
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Password for [test\administrator]:
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is test
realm is test.example.domain.br
Adding CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Adding CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Adding CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ ADC02.test.example.domain.br at test.example.domain.br : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Setting account password for DCS01$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=test,DC=example,DC=domain,DC=br
Starting replication
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/ ADC02.test.example.domain.br at test.example.domain.br : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[402/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[804/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1206/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1608/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br] objects[1722/1722] linked_values[71/0]
Replicated 114 objects (71 linked attributes) for CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97] linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for test from both secrets.ldb (Could not find entry to match filter: '(&(flatname=test)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Deleted CN=NTDS Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Deleted CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 258, in replicate
    schema=schema, req_level=req_level, req=req)

PS: test.example.domain.br is a fake domain just to post the output here in the list.

Thanks and best regards

On Tue, Apr 7, 2020 at 9:14 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 07/04/2020 12:20, Daniel Lopes de Carvalho via samba wrote:
> > Hello Guys,
> >
> > I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16
> > and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same
> > Samba version).
>
> Why stick with stretch ?
>
> From my understanding you will only get security updates from now on.
>
> I would use Buster (Debian 10) instead, this will get you Samba 4.9.5,
> which, while it is still EOL as far as Samba is concerned, is a lot less
> dead than 4.5.16
>
> > During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.
> Can you post the output from the join command.
> > I was wondering to first upgrade Samba on the new joining DC and if I get
> > success and have a second working AD, then upgrade the Samba in the first
> > working DC.
>
> You may have something wrong with your database and if so, you need to
> fix this first. If you can upgrade in place, then this may be the way to
> go, but not until you are sure that the database is okay.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
Rowland penny
2020-Apr-07 14:07 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> Hi Rowland, thanks for your email.
>
> The working DC was installed around 2 years ago. It is the reason to
> stick in Stretch. But if I can upgrade the working DC to Buster and
> Samba 4.9.5 without any problem, it is OK to me.

I would upgrade Debian and once you get everything working correctly, you can use Louis's repo: http://apt.van-belle.nl/

> Find below the output of samba-tool join command:
>
> samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
>
> Finding a writeable DC for domain 'test.example.domain.br'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> Found DC adc02.test.example.domain.br
> resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> Password for [test\administrator]:
> Cannot reach a KDC we require to contact
> ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> failed (Cannot contact any KDC for requested realm)

That looks like your problem, for some reason 'adc02.example.domain.br' cannot be found.

Can you run the attached script on the machine you are trying to join as a DC and then post the output in a reply to the mailing list, do not attach it, this mailing list strips attachments.

Rowland
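As an added illustration (not part of any message in this thread and not Samba project code), the following Python example triages the join output posted at the top of the thread: it counts Kerberos failures that were followed by an NTLMSSP session, decodes the final NTLMSSP flags to show whether signing and sealing were negotiated, and extracts the object named in the replication error. The function names are hypothetical, the flag values are the MS-NLMP negotiate bits, and the sample lines are copied from the posted log.

```python
import re

# NTLMSSP negotiate flag bits as defined in MS-NLMP (subset).
NTLMSSP_FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL",
    0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}

# One authentication round plus the replication failure, copied from the
# join output posted in the thread (fake domain, as the poster notes).
SAMPLE_LOG = """\
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97] linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
"""

def decode_flags(value):
    """Return the names of the NTLMSSP flag bits set in value."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def parent_dn(dn):
    """Strip the first RDN, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def triage(log):
    """Summarise authentication fallbacks and replication errors in a join log."""
    report = {"kerberos_failures": 0, "ntlm_fallbacks": 0, "final_flags": [],
              "sessions_without_sign_seal": 0, "missing_parent": None, "werr": None}
    krb_failed = final_next = False
    for line in (l.strip() for l in log.splitlines()):
        flags = re.match(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)", line)
        parent = re.search(r"No parent with GUID ([0-9a-fA-F-]{36}) found for "
                           r"object remotely known as (.+)$", line)
        werr = re.search(r"Failed to commit objects: (WERR_\w+)", line)
        if line.startswith("SPNEGO(gssapi_krb5)") and "failed" in line:
            report["kerberos_failures"] += 1
            krb_failed = True
        elif line.startswith("NTLMSSP: Set final flags"):
            final_next = True          # the next neg_flags line is the agreed set
        elif flags and final_next:
            names = decode_flags(int(flags.group(1), 16))
            report["final_flags"] = names
            if krb_failed:             # Kerberos failed, NTLMSSP session followed
                report["ntlm_fallbacks"] += 1
            if not {"SIGN", "SEAL"} <= set(names):
                report["sessions_without_sign_seal"] += 1
            krb_failed = final_next = False
        elif parent:
            report["missing_parent"] = {
                "guid": parent.group(1),
                "object_dn": parent.group(2),
                # Derived from the remote DN; the GUID is the authoritative key.
                "expected_parent_dn": parent_dn(parent.group(2)),
            }
        elif werr:
            report["werr"] = werr.group(1)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
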
Rowland penny
2020-Apr-07 14:12 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 15:07, Rowland penny via samba wrote:
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
>> Hi Rowland, thanks for your email.
>>
>> The working DC was installed around 2 years ago. It is the reason to
>> stick in Stretch. But if I can upgrade the working DC to Buster and
>> Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
>>
>> Find below the output of samba-tool join command:
>>
>> samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
>>
>> Finding a writeable DC for domain 'test.example.domain.br'
>> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
>> Found DC adc02.test.example.domain.br
>> resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
>> Password for [test\administrator]:
>> Cannot reach a KDC we require to contact
>> ldap/adc02.test.example.domain.br@ : kinit for administrator at test
>> failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason
> 'adc02.example.domain.br' cannot be found.
>
> Can you run the attached script on the machine you are trying to join
> as a DC and then post the output in a reply to the mailing list, do
> not attach it, this mailing list strips attachments.
>
> Rowland

and again, but this time to you, with the attachment ;-)

Rowland
L.P.H. van Belle
2020-Apr-07 14:25 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
What I find the safest path in upgrading.
This is how I upgrade my wheezy servers (samba 4.1.x), all the way up to now buster samba 4.11 and starting to roll out 4.12.1 (members only at the moment).

So yes, first fix the problems, go through all logs and make sure you don't have any errors.
Reboot the server. Check again, and repeat until your server is error free.

Remove (if needed) old packages.
dpkg -l | grep -E "jessie|wheezy|deb[6-8]"
Do check these before you remove any, if these are replaced with a stretch version.

Samba, you're now on 4.5.16 (debian stretch official).
So before you upgrade, check if your smb.conf is compliant with the next samba version(s).
For example these changes.

4.5.x => 4.6.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.6.0.html
===============

  Parameter Name                Description             Default
  --------------                -----------             -------
  kerberos encryption types     New                     all
  inherit owner                 New option
  fruit:resource                Spelling correction
  lsa over netlogon             New (deprecated)        no
  rpc server port               New                     0

https://www.samba.org/samba/history/samba-4.7.0.html
4.6.x => 4.7.0 : smb.conf changes
===============

  Parameter Name                     Description             Default
  --------------                     -----------             -------
  allow unsafe cluster upgrade       New parameter           no
  auth event notification            New parameter           no
  auth methods                       Deprecated
  client max protocol                Effective               SMB3_11
                                     default changed
  map untrusted to domain            New value/              auto
                                     Default changed/
                                     Deprecated
  mit kdc command                    New parameter
  profile acls                       Deprecated
  rpc server dynamic port range      New parameter           49152-65535
  strict sync                        Default changed         yes
  password hash userPassword schemes New parameter
  ntlm auth                          New values              ntlmv2-only

https://www.samba.org/samba/history/samba-4.8.0.html
4.7.x => 4.8.0 : smb.conf changes
===============
smb.conf changes
===============

  Parameter Name                     Description             Default
  --------------                     -----------             -------
  apply group policies               New                     no
  auth methods                       Removed
  binddns dir                        New
  client schannel                    Default changed/        yes
                                     Deprecated
  gpo update command                 New
  ldap ssl ads                       Deprecated
  map untrusted to domain            Removed
  oplock contention limit            Removed
  prefork children                   New                     1
  mdns name                          New                     netbios
  fruit:time machine                 New                     false
  profile acls                       Removed
  use spnego                         Removed
  server schannel                    Default changed/        yes
                                     Deprecated
  unicode                            Deprecated
  winbind scan trusted domains       New                     yes
  winbind trusted domains only       Removed

! DO READ THE 4.8.x changelogs complete, on the samba site, it's needed!

https://www.samba.org/samba/history/samba-4.9.0.html
4.8.x => 4.9.0 : smb.conf changes

As the most popular Samba install platforms (Linux and FreeBSD) both support extended attributes by default, the parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.

  Parameter Name                     Description             Default
  --------------                     -----------             -------
  map readonly                       Default changed         no
  store dos attributes               Default changed         yes
  ea support                         Default changed         yes
  full_audit:success                 Default changed         none
  full_audit:failure                 Default changed         none

When you're sure samba is ready for the next version, now, enable my repo,

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
# Samba 4.6.latest
echo "deb http://apt.van-belle.nl/debian stretch-samba46 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

With every samba upgrade use :
apt-get update && apt-get dist-upgrade --autoremove --purge

Repeat for 4.7 stretch-samba47
Repeat for 4.8 stretch-samba48
Now stop..

Now upgrade stretch to buster.
Change the content in /etc/apt/sources.list file to buster
apt-get update
apt-get dist-upgrade -dy  # download only, always do this if you're upgrading, because if internet drops you're in problems.
apt-get dist-upgrade --autoremove --purge

And you're automatically back on the Debian Official 4.9.5.
Which is outdated also, where I advise to upgrade to 4.10 at least, better 4.11, but that's totally up to you.

Good luck, problems, mail the list..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 7 April 2020 16:08
> To: sambalist
> Subject: Re: [Samba] Join new DC to domain - advice to
> upgrade Samba 4.
>
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
> >
> > Find below the output of samba-tool join command:
> >
> > samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
>
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
>
> Rowland
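The smb.conf compliance check recommended in the message above can be automated. The following Python example is added here for illustration and is not code from the poster or the Samba project: it flags parameters explicitly set in an smb.conf that the quoted release-note tables mark as deprecated or removed between the running and the target version. The function names and the sample smb.conf are constructed for this example; only the parameter list comes from the tables.

```python
# Deprecated/removed smb.conf parameters, transcribed from the release-note
# tables quoted in the message above: (version, parameter, status).
CHANGES = [
    ((4, 6), "lsa over netlogon", "deprecated"),
    ((4, 7), "auth methods", "deprecated"),
    ((4, 7), "map untrusted to domain", "deprecated"),
    ((4, 7), "profile acls", "deprecated"),
    ((4, 8), "auth methods", "removed"),
    ((4, 8), "client schannel", "deprecated"),
    ((4, 8), "ldap ssl ads", "deprecated"),
    ((4, 8), "map untrusted to domain", "removed"),
    ((4, 8), "oplock contention limit", "removed"),
    ((4, 8), "profile acls", "removed"),
    ((4, 8), "use spnego", "removed"),
    ((4, 8), "server schannel", "deprecated"),
    ((4, 8), "unicode", "deprecated"),
    ((4, 8), "winbind trusted domains only", "removed"),
]

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = r"""[global]
    workgroup = TEST
    realm = TEST.EXAMPLE.DOMAIN.BR
    Auth Methods = sam winbind
    server schannel = auto
    # use spnego = no
    winbind trusted domains only = \
        no

[profiles]
    path = /srv/profiles
    profile acls = yes
"""

def norm(name):
    # smb.conf parameter names ignore case and all whitespace.
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Yield (lineno, section, parameter) for every explicitly set parameter."""
    section, pending, start = None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = lineno
            if not line or line[0] in "#;":   # blank line or comment
                continue
        if line.endswith("\\"):               # value continues on the next line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            yield start, section, line.split("=", 1)[0].strip()

def check_upgrade(text, current=(4, 5), target=(4, 9)):
    """Return (lineno, section, parameter, status, version) for each hit."""
    final = {}
    for version, name, status in sorted(CHANGES):
        if current < version <= target:       # a later status overrides an earlier one
            final[norm(name)] = (name, status, version)
    findings = []
    for lineno, section, param in parse_smb_conf(text):
        hit = final.get(norm(param))
        if hit:
            findings.append((lineno, section) + hit)
    return findings

if __name__ == "__main__":
    for lineno, section, name, status, version in check_upgrade(SAMPLE_CONF):
        print(f"line {lineno} [{section}] '{name}' is {status} "
              f"as of {version[0]}.{version[1]}")
```
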
Daniel Lopes de Carvalho
2020-Apr-07 14:59 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland,

I'll consider the update. But I need to backup this host (adc02) before, because it is the only and the main DC on my network... =(

Find attached below the output of the script:

Config collected --- 2020-04-07-15:30
-----------

Hostname: dcs01
DNS Domain: test.example.domain.br
Realm: TEST.EXAMPLE.DOMAIN.BR
FQDN: dcs01.test.example.domain.br
ipaddress: 177.X.X.3

-----------

Kerberos SRV _kerberos._tcp.test.example.domain.br record(s) verified ok, sample output:
Server: 177.X.X.69
Address: 177.X.X.69#53

_kerberos._tcp.test.example.domain.br service = 0 100 88 adc02.test.example.domain.br.

-----------

'kinit Administrator' checked successfully.

-----------

This computer is running Debian 9.12 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:aa:cc:e2 brd ff:ff:ff:ff:ff:ff
    inet 177.X.X.3/25 brd 177.X.X.127 scope global ens192
    inet6 fe80::20c:29ff:feaa:cce2/64 scope link

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
177.X.X.3 dcs01.test.example.domain.br dcs01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

search test.example.domain.br
nameserver 177.X.X.69

-----------

Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = TEST.EXAMPLE.DOMAIN.BR
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
group: compat
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Warning, does not exist

-----------

Time on the DC with PDC Emulator role is: 2020-04-07T15:31:10
Time on this computer is: 2020-04-07T15:31:10

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64 Python bindings for Samba
ii samba 2:4.5.16+dfsg-1+deb9u2 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1+deb9u2 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1+deb9u2 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1+deb9u2 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.5.16+dfsg-1+deb9u2 amd64 service to resolve user and group information from Windows NT servers

-----------

Thanks again.

On Tue, Apr 7, 2020 at 11:09 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
> >
> > Find below the output of samba-tool join command:
> >
> > samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
>
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
>
> Rowland

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221