I have a running AD-DC I just built, version 4.16.8 on a fresh Rocky Linux 8.7 install, that seems to be working fine; I even got smartcard login working using the walkthrough on the wiki. When I try to add a second DC installed the same way, it fails in the following way:

[root@shp-dc2 ~]# kinit administrator
Password for administrator@PRIVATEDOMAIN.COM:
Warning: Your password will expire in 32 days on Mon 27 Mar 2023 05:22:33 PM EDT
[root@shp-dc2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PRIVATEDOMAIN.COM

Valid starting       Expires              Service principal
02/23/2023 11:27:40  02/23/2023 21:27:40  krbtgt/PRIVATEDOMAIN.COM@PRIVATEDOMAIN.COM
        renew until 02/24/2023 11:27:37

[root@shp-dc2 ~]# samba-tool domain join privatedomain.com DC --use-krb5-ccache=/tmp/krb5cc_0 --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp2s0" --option="bind interfaces only=yes"
INFO 2023-02-23 11:33:33,211 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #105: Finding a writeable DC for domain 'privatedomain.com'
INFO 2023-02-23 11:33:33,219 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #107: Found DC shp-dc1.privatedomain.com
INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563: workgroup is privatedomain
INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566: realm is privatedomain.com
Adding CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Adding CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Adding CN=NTDS Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Adding SPNs to CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Setting account password for SHP-DC2$
Enabling account
Calling bare provision
INFO 2023-02-23 11:33:34,031 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
INFO 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2023-02-23 11:33:34,320 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2023-02-23 11:33:34,351 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2023-02-23 11:33:34,368 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2023-02-23 11:33:34,431 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2023-02-23 11:33:34,462 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2023-02-23 11:33:34,483 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2023-02-23 11:33:34,489 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2023-02-23 11:33:34,490 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2023-02-23 11:33:34,494 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=privatedomain,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[402/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[804/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1206/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1608/1739] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1739/1739] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[402/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[804/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1206/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1608/1635] linked_values[0/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1635/1635] linked_values[40/40]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2037/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2439/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2841/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3243/1635] linked_values[41/1]
Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3270/1635] linked_values[80/40]
Replicating critical objects from the base DN of the domain
Join failed - cleaning up
Deleted CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
Deleted CN=NTDS Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
Deleted CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
ERROR(runtime): uncaught exception - (1359, 'WERR_INTERNAL_ERROR')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 709, in run
    backend_store_size=backend_store_size)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1579, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1469, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 981, in join_replicate
    replica_flags=ctx.domain_replica_flags | drsuapi.DRSUAPI_DRS_CRITICAL_ONLY)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 361, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Not really sure where I should go from here... the working DC doesn't have any live data besides a single user I created to test the smartcard login, so I won't be too upset if I have to take it down.
On 23/02/2023 18:40, Stephen Vose via samba wrote:
> I have a running AD-DC I just built, version 4.16.8 on a fresh Rocky Linux 8.7 install, that seems to be working fine, I even got smartcard login working using the walkthrough on the wiki. When I try to add a second DC installed the same way, it fails in the following way:
>
> [root@shp-dc2 ~]# kinit administrator
> Password for administrator@PRIVATEDOMAIN.COM:
> Warning: Your password will expire in 32 days on Mon 27 Mar 2023 05:22:33 PM EDT
> [root@shp-dc2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@PRIVATEDOMAIN.COM
>
> Valid starting       Expires              Service principal
> 02/23/2023 11:27:40  02/23/2023 21:27:40  krbtgt/PRIVATEDOMAIN.COM@PRIVATEDOMAIN.COM
>         renew until 02/24/2023 11:27:37
>
> [root@shp-dc2 ~]# samba-tool domain join privatedomain.com DC --use-krb5-ccache=/tmp/krb5cc_0 --option='idmap_ldb:use rfc2307 = yes' --option="interfaces=lo enp2s0" --option="bind interfaces only=yes"
> INFO 2023-02-23 11:33:33,211 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #105: Finding a writeable DC for domain 'privatedomain.com'
> INFO 2023-02-23 11:33:33,219 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #107: Found DC shp-dc1.privatedomain.com
> INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1563: workgroup is privatedomain
> INFO 2023-02-23 11:33:33,342 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1566: realm is privatedomain.com
> Adding CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
> Adding CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
> Adding CN=NTDS Settings,CN=SHP-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=privatedomain,DC=com
> Adding SPNs to CN=SHP-DC2,OU=Domain Controllers,DC=privatedomain,DC=com
> Setting account password for SHP-DC2$
> Enabling account
> Calling bare provision
> INFO 2023-02-23 11:33:34,031 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
> INFO 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
> WARNING 2023-02-23 11:33:34,032 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
> INFO 2023-02-23 11:33:34,320 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
> INFO 2023-02-23 11:33:34,351 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
> INFO 2023-02-23 11:33:34,368 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
> INFO 2023-02-23 11:33:34,431 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
> INFO 2023-02-23 11:33:34,462 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
> INFO 2023-02-23 11:33:34,483 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
> INFO 2023-02-23 11:33:34,489 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
> INFO 2023-02-23 11:33:34,490 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
> INFO 2023-02-23 11:33:34,494 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> INFO 2023-02-23 11:33:34,523 pid:1759 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=privatedomain,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[402/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[804/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1206/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1608/1739] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=privatedomain,DC=com] objects[1739/1739] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[402/1635] linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[804/1635] linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1206/1635] linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1608/1635] linked_values[0/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[1635/1635] linked_values[40/40]
> Failed to commit objects: DOS code 0x000021bf
> Missing target object - retrying with DRS_GET_TGT
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2037/1635] linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2439/1635] linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[2841/1635] linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3243/1635] linked_values[41/1]
> Partition[CN=Configuration,DC=privatedomain,DC=com] objects[3270/1635] linked_values[80/40]
> Replicating critical objects from the base DN of the domain
> Join failed - cleaning up

You can ignore anything after 'Join failed'; the join error has already happened and it looks like a replication problem.

Does the first nameserver in /etc/resolv.conf point to the first DC? How is /etc/hosts set up?

Rowland
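The two questions Rowland asks are the standard pre-join checks for a new Samba DC: the joining host must resolve names through the existing DC (first nameserver in /etc/resolv.conf) and its own hostname must map to its LAN address in /etc/hosts rather than to loopback. The script below is an added example, not code from this thread or from the Samba project; it performs both checks mechanically over constructed copies of the two files. The addresses 192.0.2.10 (existing DC shp-dc1) and 192.0.2.11 (joining host shp-dc2) are assumed for the demo, as is the function naming.

```shell
#!/bin/sh
# Added example (not from the thread): resolver sanity checks to run on a
# DC candidate before `samba-tool domain join`. Answers, mechanically:
#   1. is the FIRST nameserver in resolv.conf the existing DC?
#   2. does /etc/hosts map this host's FQDN and short name to its LAN
#      address, and not to a loopback address?
# All file contents and IP addresses below are constructed for the demo.

# first_nameserver FILE -> prints the first "nameserver" entry in FILE
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolv FILE DC_IP -> exit 0 if FILE's first nameserver is DC_IP
check_resolv() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# hosts_ip_for FILE NAME -> prints the address FILE assigns to NAME
# (NAME may appear as any alias after the address; comments are skipped)
hosts_ip_for() {
    awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_hosts FILE FQDN SHORT LAN_IP -> exit 0 only when both names map to
# LAN_IP. A loopback mapping (the Rocky/RHEL default of listing the hostname
# on the 127.0.0.1 line) fails the check: the Samba wiki requires the DC's
# name to resolve to its LAN address so its DNS records carry that address.
check_hosts() {
    file=$1; fqdn=$2; short=$3; want=$4
    for n in "$fqdn" "$short"; do
        got=$(hosts_ip_for "$file" "$n")
        [ "$got" = "$want" ] || return 1
    done
    return 0
}

# run_checks RESOLV HOSTS -> prints one verdict per check; the exit status
# is the number of failed checks (0 = safe to attempt the join)
run_checks() {
    fails=0
    if check_resolv "$1" 192.0.2.10; then
        echo "resolv.conf: OK (first nameserver is the existing DC)"
    else
        echo "resolv.conf: FAIL (first nameserver is not the existing DC)"
        fails=$((fails + 1))
    fi
    if check_hosts "$2" shp-dc2.privatedomain.com shp-dc2 192.0.2.11; then
        echo "hosts: OK (hostname maps to the LAN address)"
    else
        echo "hosts: FAIL (hostname missing or mapped to loopback)"
        fails=$((fails + 1))
    fi
    return $fails
}

# --- constructed sample files ------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
GOOD_RESOLV="$demo_dir/resolv.good"
BAD_RESOLV="$demo_dir/resolv.bad"
GOOD_HOSTS="$demo_dir/hosts.good"
BAD_HOSTS="$demo_dir/hosts.bad"

printf 'search privatedomain.com\nnameserver 192.0.2.10\n' > "$GOOD_RESOLV"
# bad: a router/ISP resolver is listed before the DC
printf 'search privatedomain.com\nnameserver 192.0.2.1\nnameserver 192.0.2.10\n' > "$BAD_RESOLV"
printf '127.0.0.1 localhost\n192.0.2.11 shp-dc2.privatedomain.com shp-dc2\n' > "$GOOD_HOSTS"
# bad: hostname left on the loopback line
printf '127.0.0.1 localhost shp-dc2.privatedomain.com shp-dc2\n' > "$BAD_HOSTS"

echo "== correct configuration =="
run_checks "$GOOD_RESOLV" "$GOOD_HOSTS"
echo "== misconfigured host =="
run_checks "$BAD_RESOLV" "$BAD_HOSTS" || echo "$? check(s) failed"
```

On a real host, point the checks at /etc/resolv.conf and /etc/hosts and substitute the existing DC's address, the joining host's name and its LAN address; the awk-based parsing ignores comment lines and matches the hostname wherever it appears as an alias.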
Andrew Bartlett
2023-Feb-23 21:33 UTC
[Samba] WERR_INTERNAL_ERROR on samba-tool domain join
On Thu, 2023-02-23 at 13:40 -0500, Stephen Vose via samba wrote:
> I have a running AD-DC I just built, version 4.16.8 on a fresh Rocky Linux 8.7 install, that seems to be working fine, I even got smartcard login working using the walkthrough on the wiki. When I try to add a second DC installed the same way, it fails in the following way:
>
> ERROR(runtime): uncaught exception - (1359, 'WERR_INTERNAL_ERROR')
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 709, in run
>     backend_store_size=backend_store_size)
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1579, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 1469, in do_join
>     ctx.join_replicate()
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py", line 981, in join_replicate
>     replica_flags=ctx.domain_replica_flags | drsuapi.DRSUAPI_DRS_CRITICAL_ONLY)
>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/drs_utils.py", line 361, in replicate
>     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
>
> Not really sure where I should go from here... the working DC doesn't have any live data besides a single user I created to test the smartcard login, so I won't be too upset if I have to take it down.

Turn up the log level on the server and work out why it is failing from that end.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions