greg at theschaubs.com
2021-Jun-15 20:19 UTC
[Samba] Joining Samba AD DC from Docker container fails - timeout
I have created a Docker container to support Samba Domain Controller services. I am joining to an existing Samba DC that is running on a Debian based image. I have successfully joined other DC's to this server in the past and have a set created documentation to help ensure it works properly in the future.

The new server container is based on Ubuntu 20.04 and I built it through the distro packages. I have configured Bind DLZ, sshd, and ntp which all appear to be working properly. I can share the specific packages if necessary, but I would be surprised if I'm missing anything. I have tried this both with and without smbd running.

I saw in a prior post blocked ports can lead to this type of behavior. Therefore, I ran a port scan from the container to the source server and verified that all needed ports are open. I also ran a port scan against the container which shows that ports 22 and 53 are open. I also did this as the join process was running and interestingly (at least to me) no other ports were listening on the container at that time. I cannot find any helpful logs except for the output here. I do see bind activity between the servers in syslog while the join was running.

I'm out of ideas at this point. Not sure if this is a docker/container issue or a Ubuntu one. For Ubuntu, this is the first time I have tried to join a DC from that distribution. I have added the output of the latest join attempt below.

Hope someone can point me in the right direction.

Regards.
Greg

root at schaub-dc1:/var/lib/samba# samba-tool domain join home.theschaubs.com DC -U"HOME\administrator" --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes' --verbose
INFO 2021-06-14 19:20:11,689 pid:273 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain 'home.theschaubs.com'
INFO 2021-06-14 19:20:11,744 pid:273 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC schaub-dc2.home.theschaubs.com
Password for [HOME\administrator]:
INFO 2021-06-14 19:20:27,668 pid:273 /usr/lib/python3/dist-packages/samba/join.py #1542: workgroup is HOME
INFO 2021-06-14 19:20:27,668 pid:273 /usr/lib/python3/dist-packages/samba/join.py #1545: realm is home.theschaubs.com
Deleted CN=SCHAUB-DC1,OU=Domain Controllers,DC=home,DC=theschaubs,DC=com
Deleted CN=dns-SCHAUB-DC1,CN=Users,DC=home,DC=theschaubs,DC=com
Deleted CN=NTDS Settings,CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
Deleted CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
Adding CN=SCHAUB-DC1,OU=Domain Controllers,DC=home,DC=theschaubs,DC=com
Adding CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
Adding CN=NTDS Settings,CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
Adding SPNs to CN=SCHAUB-DC1,OU=Domain Controllers,DC=home,DC=theschaubs,DC=com
Setting account password for SCHAUB-DC1$
Enabling account
Adding DNS account CN=dns-SCHAUB-DC1,CN=Users,DC=home,DC=theschaubs,DC=com with dns/ SPN
Setting account password for dns-SCHAUB-DC1
Calling bare provision
INFO 2021-06-14 19:20:29,438 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
INFO 2021-06-14 19:20:29,439 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2021-06-14 19:20:29,440 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
INFO 2021-06-14 19:20:29,645 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2021-06-14 19:20:29,656 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2021-06-14 19:20:29,664 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2021-06-14 19:20:29,696 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2021-06-14 19:20:29,712 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2021-06-14 19:20:29,723 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2021-06-14 19:20:29,726 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2021-06-14 19:20:29,726 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2021-06-14 19:20:29,729 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2021-06-14 19:20:29,745 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2394: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-06-14 19:20:29,745 pid:273 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2396: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=home,DC=theschaubs,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=home,DC=theschaubs,DC=com] objects[402/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=home,DC=theschaubs,DC=com] objects[804/1739] linked_values[0/0]
Join failed - cleaning up
Deleted CN=SCHAUB-DC1,OU=Domain Controllers,DC=home,DC=theschaubs,DC=com
Deleted CN=dns-SCHAUB-DC1,CN=Users,DC=home,DC=theschaubs,DC=com
Deleted CN=NTDS Settings,CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
Deleted CN=SCHAUB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=theschaubs,DC=com
ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 701, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1558, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1448, in do_join
    ctx.join_replicate()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 979, in join_replicate
    repl.replicate(ctx.schema_dn, source_dsa_invocation_id,
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 338, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Rowland Penny
2021-Jun-15 20:46 UTC
[Samba] Joining Samba AD DC from Docker container fails - timeout
On 15/06/2021 21:19, Greg Schaub via samba wrote:
> I have created a Docker container to support Samba Domain Controller
> services. I am joining to an existing Samba DC that is running on a Debian
> based image. I have successfully joined other DC's to this server in the
> past and have a set created documentation to help ensure it works properly
> in the future.
>
> The new server container is based on Ubuntu 20.04 and I built it through the
> distro packages. I have configured Bind DLZ, sshd, and ntp which all appear
> to be working properly. I can share the specific packages if necessary, but
> I would be surprised if I'm missing anything. I have tried this both with
> and without smbd running.
>
> I saw in a prior post blocked ports can lead to this type of behavior.
> Therefore, I ran a port scan from the container to the source server and
> verified that all needed ports are open. I also ran a port scan against the
> container which shows that ports 22 and 53 are open. I also did this as the
> join process was running and interestingly (at least to me) no other ports
> were listening on the container at that time. I cannot find any helpful
> logs except for the output here. I do see bind activity between the servers
> in syslog while the join was running.
>
> I'm out of ideas at this point. Not sure if this is a docker/container
> issue or a Ubuntu one. For Ubuntu, this is the first time I have tried to
> join a DC from that distribution. I have added the output of the latest
> join attempt below.
>
> Hope someone can point me in the right direction.
>
> Regards.
> Greg
>
> root at schaub-dc1:/var/lib/samba# samba-tool domain join home.theschaubs.com
> DC -U"HOME\administrator" --dns-backend=BIND9_DLZ --option='idmap_ldb:use
> rfc2307 = yes' --verbose

You need a lot more ports than 22 and 53 open, see here for a full list:

https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Is your container privileged?

Rowland
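
An added example, not part of either message: a shell function that reads `ss -tulnH` output taken inside the container and lists the fixed Samba AD DC service ports that have no listener. The port list in DC_PORTS is an assumption to be checked against the wiki page linked above, and the sample input is constructed to match the "only 22 and 53" observation in the original post.

```shell
#!/bin/sh
# Added example (not from the thread): report which fixed Samba AD DC service
# ports have no listener, given `ss -tulnH` output on stdin.

# Assumed port list (proto/port), to be checked against the wiki page linked
# above. NTP (123/udp) is served by ntpd, and the dynamic RPC range
# 49152-65535/tcp cannot be checked port by port, so both are left out.
DC_PORTS="tcp/53 udp/53 tcp/88 udp/88 tcp/135 udp/137 udp/138 tcp/139 \
tcp/389 udp/389 tcp/445 tcp/464 udp/464 tcp/636 tcp/3268 tcp/3269"

missing_dc_ports() {
    awk -v want="$DC_PORTS" '
        $1 == "tcp" || $1 == "udp" {
            n = split($5, part, ":")       # port follows the last colon
            seen[$1 "/" part[n]] = 1       # covers 0.0.0.0:53 and [::]:53
        }
        END {
            m = split(want, w, " ")
            for (i = 1; i <= m; i++)
                if (!((w[i]) in seen)) print w[i]
        }'
}

# Constructed sample: only sshd (22) and BIND (53) are listening.
SAMPLE='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE" | missing_dc_ports
# On a live system: ss -tulnH | missing_dc_ports
```

The function only sees sockets bound inside the container's network namespace; whether those ports are reachable from the other DC depends on how the container's network is set up.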