Daniel Lopes de Carvalho
2020-Apr-07 13:51 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland, thanks for your email.
The working DC was installed around 2 years ago. It is the reason to stick
in Stretch. But if I can upgrade the working DC to Buster and Samba 4.9.5
without any problem, it is OK to me.
I'm not a Samba expert. How can I verify my database? Can you point me to
some link, tutorial, etc? I have used the samba-tool dbcheck (with and
without --cross-ncs), is this enough?
Find below the output of samba-tool join command:
samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'test.example.domain.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
tcp.test.example.domain.br<0x0>
Found DC adc02.test.example.domain.br
resolve_lmhosts: Attempting lmhosts lookup for name
adc02.test.example.domain.br<0x20>
Password for [test\administrator]:
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@
: kinit for administrator at test failed (Cannot contact any KDC for requested
realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is test
realm is test.example.domain.br
Adding CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Adding
CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Adding CN=NTDS
Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/
ADC02.test.example.domain.br at test.example.domain.br : kinit for
administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=DCS01,OU=Domain
Controllers,DC=test,DC=example,DC=domain,DC=br
Setting account password for DCS01$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb
gave: (null)
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=test,DC=example,DC=domain,DC=br
Starting replication
Using binding ncacn_ip_tcp:adc02.test.example.domain.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
adc02.test.example.domain.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
adc02.test.example.domain.br<0x20>
Cannot reach a KDC we require to contact ldap/
ADC02.test.example.domain.br at test.example.domain.br : kinit for
administrator at test failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[402/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[804/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1206/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1608/1722] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Partition[CN=Configuration,DC=test,DC=example,DC=domain,DC=br]
objects[1722/1722] linked_values[71/0]
Replicated 114 objects (71 linked attributes) for
CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Replicating critical objects from the base DN of the domain
Partition[DC=test,DC=example,DC=domain,DC=br] objects[97/97]
linked_values[117/0]
Missing parent while attempting to apply records: No parent with GUID
a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as
CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for test from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=test)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DCS01,OU=Domain Controllers,DC=test,DC=example,DC=domain,DC=br
Deleted CN=NTDS
Settings,CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
Deleted
CN=DCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=example,DC=domain,DC=br
ERROR(runtime): uncaught exception - (8460, "Failed to process
'chunk' of
DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
652,
in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in
do_join
ctx.join_replicate()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in
join_replicate
replica_flags=ctx.domain_replica_flags)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
258, in
replicate
schema=schema, req_level=req_level, req=req)
PS: test.example.domain.br is a fake domain just to post the output here in
the list.
Thanks and best regards
On Tue, Apr 7, 2020 at 9:14 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 07/04/2020 12:20, Daniel Lopes de Carvalho via samba wrote:
> > Hello Guys,
> >
> > I have a working Samba 4 DC running on Debian Stretch 9.9 with samba 4.5.16
> > and I would like to add a new Samba DC (on Debian Stretch 9.9 with the same
> > Samba version).
>
> Why stick with stretch ?
>
> From my understanding you will only get security updates from now on.
>
> I would use Buster (Debian 10) instead, this will get you Samba 4.9.5,
> which, while it is still EOL as far as Samba is concerned, is a lot less
> dead than 4.5.16
>
> >
> > During the joining process I get the error WERR_DS_DRA_MISSING_PARENT.
> Can you post the output from the join command.
> > I was wondering to first upgrade Samba on the new joining DC and if I get
> > success and have a second working AD, then upgrade the Samba in the first
> > working DC.
>
> You may have something wrong with your database and if so, you need to
> fix this first. If you can upgrade in place, then this may be the way to
> go, but not until you are sure that the database is okay.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221
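An added example, not part of the original post and not Samba code: the `-d3` log above shows each Kerberos attempt failing, the session continuing over NTLMSSP, and replication stopping with a WERR code. This Python function pulls those events out of such a log and decodes the negotiated NTLMSSP flags; the flag bit values are taken from MS-NLMP, and the sample is an excerpt of the log above.

```python
import re

# Subset of NTLMSSP negotiate-flag bits (values from MS-NLMP).
NTLM_FLAGS = {
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}


def decode_flags(value):
    """Names of the known flag bits set in an NTLMSSP neg_flags value."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if value & bit]


def triage(log_text):
    """Summarise a `samba-tool domain join ... -d3` log."""
    # The archive wraps long log lines, so work on whitespace-folded text.
    text = " ".join(log_text.split())
    # Everything after each failed Kerberos attempt, up to the next one.
    attempts = text.split("Cannot reach a KDC")[1:]
    fallbacks = []
    for chunk in attempts:
        flags = re.findall(r"NTLMSSP neg_flags=(0x[0-9a-fA-F]+)", chunk)
        if flags:
            # The last value logged is the set the session was initialised with.
            fallbacks.append(decode_flags(int(flags[-1], 16)))
    parent = re.search(
        r"No parent with GUID ([0-9a-f-]{36}) found for object remotely "
        r"known as (.+?)(?= Failed to commit|$)", text)
    return {
        "kerberos_failures": len(attempts),
        "ntlmssp_fallbacks": fallbacks,
        "werr_codes": sorted(set(re.findall(r"WERR_[A-Z0-9_]+", text))),
        "missing_parent": parent.groups() if parent else None,
    }


# Excerpt of the log posted above, wrapped as it appears in the archive.
SAMPLE = """\
Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@
: kinit for administrator at test failed (Cannot contact any KDC for requested
realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
Missing parent while attempting to apply records: No parent with GUID
a5fc1728-6e72-46ec-81d3-4836f7cf445a found for object remotely known as
CN=Administrator,OU=Privileged,OU=People,OU=Accounts,DC=test,DC=example,DC=domain,DC=br
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
"""

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(field, "=", value)
```

A non-empty `ntlmssp_fallbacks` list means the join authenticated over NTLMSSP rather than Kerberos, and the decoded names show whether signing and sealing were negotiated for that session.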
Rowland penny
2020-Apr-07 14:07 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> Hi Rowland, thanks for your email.
>
> The working DC was installed around 2 years ago. It is the reason to
> stick in Stretch. But if I can upgrade the working DC to Buster and
> Samba 4.9.5 without any problem, it is OK to me.
I would upgrade Debian and once you get everything working correctly, you can use Louis's repo: http://apt.van-belle.nl/
>
>
> Find below the output of samba-tool join command:
>
> samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
>
> Finding a writeable DC for domain 'test.example.domain.br'
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.test.example.domain.br<0x0>
> Found DC adc02.test.example.domain.br
> resolve_lmhosts: Attempting lmhosts lookup for name
> adc02.test.example.domain.br<0x20>
> Password for [test\administrator]:
> Cannot reach a KDC we require to contact
> ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> failed (Cannot contact any KDC for requested realm)
That looks like your problem, for some reason 'adc02.example.domain.br' cannot be found.
Can you run the attached script on the machine you are trying to join as a DC and then post the output in a reply to the mailing list, do not attach it, this mailing list strips attachments.
Rowland
Rowland penny
2020-Apr-07 14:12 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
On 07/04/2020 15:07, Rowland penny via samba wrote:
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
>> Hi Rowland, thanks for your email.
>>
>> The working DC was installed around 2 years ago. It is the reason to
>> stick in Stretch. But if I can upgrade the working DC to Buster and
>> Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
>>
>>
>> Find below the output of samba-tool join command:
>>
>> samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
>>
>> Finding a writeable DC for domain 'test.example.domain.br'
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> _ldap._tcp.test.example.domain.br<0x0>
>> Found DC adc02.test.example.domain.br
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> adc02.test.example.domain.br<0x20>
>> Password for [test\administrator]:
>> Cannot reach a KDC we require to contact
>> ldap/adc02.test.example.domain.br@ : kinit for administrator at test
>> failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason
> 'adc02.example.domain.br' cannot be found.
>
> Can you run the attached script on the machine you are trying to join
> as a DC and then post the output in a reply to the mailing list, do
> not attach it, this mailing list strips attachments.
>
> Rowland
>
and again, but this time to you, with the attachment ;-)
Rowland
L.P.H. van Belle
2020-Apr-07 14:25 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
What I find the safest path in upgrading.
This is how I upgrade my wheezy servers (samba 4.1.x),
all the way up to now buster samba 4.11 and starting to roll out 4.12.1 (members
only at the moment).
So yes, first fix the problems, go through all logs and make sure you don't have
any errors.
Reboot the server. Check again, and repeat until your server is error free.
Remove (if needed) old packages.
dpkg -l | grep -E "jessie|wheezy|deb[6-8]"
Do check these before you remove any, if these are replaced with a stretch
version.
Samba, you're now on 4.5.16 (debian stretch official).
So before you upgrade, check if your smb.conf is compliant with the next samba
version(s).
For example these changes.
4.5.x => 4.6.0 : smb.conf changes
https://www.samba.org/samba/history/samba-4.6.0.html
  Parameter Name                      Description               Default
  --------------                      -----------               -------
  kerberos encryption types           New                       all
  inherit owner                       New option
  fruit:resource                      Spelling correction
  lsa over netlogon                   New (deprecated)          no
  rpc server port                     New                       0
https://www.samba.org/samba/history/samba-4.7.0.html
4.6.x => 4.7.0 : smb.conf changes
  Parameter Name                      Description               Default
  --------------                      -----------               -------
  allow unsafe cluster upgrade        New parameter             no
  auth event notification             New parameter             no
  auth methods                        Deprecated
  client max protocol                 Effective                 SMB3_11
                                      default changed
  map untrusted to domain             New value/                auto
                                      Default changed/
                                      Deprecated
  mit kdc command                     New parameter
  profile acls                        Deprecated
  rpc server dynamic port range       New parameter             49152-65535
  strict sync                         Default changed           yes
  password hash userPassword schemes  New parameter
  ntlm auth                           New values                ntlmv2-only
https://www.samba.org/samba/history/samba-4.8.0.html
4.7.x => 4.8.0 : smb.conf changes
  Parameter Name                      Description               Default
  --------------                      -----------               -------
  apply group policies                New                       no
  auth methods                        Removed
  binddns dir                         New
  client schannel                     Default changed/          yes
                                      Deprecated
  gpo update command                  New
  ldap ssl ads                        Deprecated
  map untrusted to domain             Removed
  oplock contention limit             Removed
  prefork children                    New                       1
  mdns name                           New                       netbios
  fruit:time machine                  New                       false
  profile acls                        Removed
  use spnego                          Removed
  server schannel                     Default changed/          yes
                                      Deprecated
  unicode                             Deprecated
  winbind scan trusted domains        New                       yes
  winbind trusted domains only        Removed
! DO READ THE 4.8.x changelogs complete, on the samba site, it's needed!
https://www.samba.org/samba/history/samba-4.9.0.html
4.8.x => 4.9.0 : smb.conf changes
As the most popular Samba install platforms (Linux and FreeBSD) both
support extended attributes by default, the parameters "map readonly",
"store dos attributes" and "ea support" have had their defaults changed
to allow better Windows fileserver compatibility in a default install.
  Parameter Name                      Description               Default
  --------------                      -----------               -------
  map readonly                        Default changed           no
  store dos attributes                Default changed           yes
  ea support                          Default changed           yes
  full_audit:success                  Default changed           none
  full_audit:failure                  Default changed           none
When you're sure samba is ready for the next version, now, enable my repo,
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
# Samba 4.6.latest
echo "deb http://apt.van-belle.nl/debian stretch-samba46 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
With every samba upgrade use :
apt-get update && apt-get dist-upgrade --autoremove --purge
Repeat for 4.7 stretch-samba47
Repeat for 4.8 stretch-samba48
Now stop..
Now upgrade stretch to buster.
Change the content in /etc/apt/sources.list file to buster
apt-get update
apt-get dist-upgrade -dy # download only, always do this if you're upgrading because if internet drops you're in problems.
apt-get dist-upgrade --autoremove --purge
And you're automatically back on the Debian Official 4.9.5.
Which is outdated also, where I advise to upgrade to 4.10 at least, better 4.11,
but that's totally up to you.
Good luck, problems, mail the list..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 7 April 2020 16:08
> To: sambalist
> Subject: Re: [Samba] Join new DC to domain - advice to
> upgrade Samba 4.
>
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
> >
> >
> > Find below the output of samba-tool join command:
> >
> > samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
>
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
>
> Rowland
>
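An added example, not part of Louis's post and not Samba tooling: a Python check that reads an smb.conf before the upgrade and reports parameters which the release-note tables quoted above list as removed or deprecated, or whose explicit value would override a changed default. The lookup tables contain only entries from those tables, and the sample configuration is constructed.

```python
import re

# From the release-note tables quoted above (4.6.0 to 4.9.0).
REMOVED = ("auth methods", "map untrusted to domain",
           "oplock contention limit", "profile acls", "use spnego",
           "winbind trusted domains only")            # gone by 4.8.0
DEPRECATED = ("lsa over netlogon", "client schannel", "server schannel",
              "ldap ssl ads", "unicode")
# Parameters whose default changed: name -> (new default, release).
NEW_DEFAULT = {
    "client max protocol": ("SMB3_11", "4.7.0"),
    "strict sync": ("yes", "4.7.0"),
    "ntlm auth": ("ntlmv2-only", "4.7.0"),
    "client schannel": ("yes", "4.8.0"),
    "server schannel": ("yes", "4.8.0"),
    "map readonly": ("no", "4.9.0"),
    "store dos attributes": ("yes", "4.9.0"),
    "ea support": ("yes", "4.9.0"),
}
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}


def key(name):
    # smb.conf parameter names ignore case and all whitespace.
    return re.sub(r"\s+", "", name).lower()


def parse(text):
    """Yield (section, parameter, value) from smb.conf text."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            name, value = line.split("=", 1)   # only the first '=' counts
            yield section, name.strip(), value.strip()


def audit(text):
    """Return (section, parameter, finding) tuples for an smb.conf."""
    removed = {key(n) for n in REMOVED}
    deprecated = {key(n) for n in DEPRECATED}
    defaults = {key(n): v for n, v in NEW_DEFAULT.items()}
    findings = []
    for section, name, value in parse(text):
        k = key(name)
        if k in removed:
            findings.append((section, name, "removed"))
        if k in deprecated:
            findings.append((section, name, "deprecated"))
        if k in defaults:
            new, release = defaults[k]
            if BOOL.get(value.lower(), value.lower()) != new.lower():
                findings.append((section, name,
                                 "overrides default %s (%s)" % (new, release)))
    return findings


# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
    NTLM Auth = yes
    auth methods = sam winbind
    server schannel = auto
; profile acls = yes
[share]
    strict sync = true
"""

if __name__ == "__main__":
    for section, name, finding in audit(SAMPLE):
        print("[%s] %s: %s" % (section, name, finding))
```

An "overrides default" finding is a setting that stays pinned to its old value after the upgrade, so the newer default from the tables (for example `ntlm auth = ntlmv2-only` or `server schannel = yes`) never takes effect until the line is reviewed.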
Daniel Lopes de Carvalho
2020-Apr-07 14:59 UTC
[Samba] Join new DC to domain - advice to upgrade Samba 4.
Hi Rowland,
I'll consider the update. But I need to backup this host (adc02) before,
because it is the only and the main DC on my network... =(
Find attached below the output of the script:
Config collected --- 2020-04-07-15:30 -----------
Hostname: dcs01
DNS Domain: test.example.domain.br
Realm: TEST.EXAMPLE.DOMAIN.BR
FQDN: dcs01.test.example.domain.br
ipaddress: 177.X.X.3
-----------
Kerberos SRV _kerberos._tcp.test.example.domain.br record(s) verified ok,
sample output:
Server: 177.X.X.69
Address: 177.X.X.69#53
_kerberos._tcp.test.example.domain.br service = 0 100 88
adc02.test.example.domain.br.
-----------
'kinit Administrator' checked successfully.
-----------
This computer is running Debian 9.12 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 00:0c:29:aa:cc:e2 brd ff:ff:ff:ff:ff:ff
inet 177.X.X.3/25 brd 177.X.X.127 scope global ens192
inet6 fe80::20c:29ff:feaa:cce2/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
177.X.X.3 dcs01.test.example.domain.br dcs01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search test.example.domain.br
nameserver 177.X.X.69
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = TEST.EXAMPLE.DOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Warning, does not exist
-----------
Time on the DC with PDC Emulator role is: 2020-04-07T15:31:10
Time on this computer is: 2020-04-07T15:31:10
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii attr 1:2.4.47-2+b2 amd64
Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all
internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64
Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2 amd64
Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64
Python bindings for Samba
ii samba 2:4.5.16+dfsg-1+deb9u2 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1+deb9u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.5.16+dfsg-1+deb9u2 amd64
service to resolve user and group information from Windows NT servers
-----------
Thanks again.
On Tue, Apr 7, 2020 at 11:09 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo: http://apt.van-belle.nl/
> >
> >
> > Find below the output of samba-tool join command:
> >
> > samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
>
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
>
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
>
> Rowland
>
>
--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
daniel at cepetro.unicamp.br
19 3521-1221