Josep Maria Gorro
2024-Jun-15 10:52 UTC
[Samba] Users appears as SID instead of their own name.
Hello Rowland.

I think I won't be able to thank you enough for everything you are doing for me.

I've tried and seems to run fine. But finally it throws an error and performs a rollback for all changes on AD.
This is the transcript for the messages.

root@montsec:/usr/local/samba/etc# samba-tool domain join DOMAINNAME DC -U"administrator"
INFO 2024-06-15 10:28:20,881 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #104: Finding a writeable DC for domain 'DOMAINNAME'
INFO 2024-06-15 10:28:20,966 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #106: Found DC tibidabo.domainname.lan
Password for [DOMAINNAME\administrator]:
INFO 2024-06-15 10:28:33,460 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1605: workgroup is DOMAINNAME
INFO 2024-06-15 10:28:33,460 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1608: realm is domainname.lan
Adding CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
Adding CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
Adding CN=NTDS Settings,CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
Adding SPNs to CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
Setting account password for MONTSEC$
Enabling account
Calling bare provision
INFO 2024-06-15 10:28:34,333 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2110: Looking up IPv4 addresses
INFO 2024-06-15 10:28:34,333 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2127: Looking up IPv6 addresses
WARNING 2024-06-15 10:28:34,334 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2134: No IPv6 address will be assigned
INFO 2024-06-15 10:28:34,641 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2300: Setting up share.ldb
INFO 2024-06-15 10:28:34,668 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2304: Setting up secrets.ldb
INFO 2024-06-15 10:28:34,680 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2309: Setting up the registry
INFO 2024-06-15 10:28:34,702 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2312: Setting up the privileges database
INFO 2024-06-15 10:28:34,715 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2315: Setting up idmap db
INFO 2024-06-15 10:28:34,725 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2322: Setting up SAM db
INFO 2024-06-15 10:28:34,729 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2024-06-15 10:28:34,730 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2024-06-15 10:28:34,732 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #1310: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2024-06-15 10:28:34,767 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2412: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2024-06-15 10:28:34,767 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py #2414: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=domainname,DC=lan
INFO 2024-06-15 10:28:34,769 pid:27560 /usr/local/samba/lib/python3.10/site-packages/samba/join.py #964: Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=domainname,DC=lan] objects[402/1648] linked_values[0/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[804/1648] linked_values[0/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[1206/1648] linked_values[0/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[1608/1648] linked_values[0/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[1648/1648] linked_values[64/64]
Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=domainname,DC=lan] objects[2050/1648] linked_values[64/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[2452/1648] linked_values[64/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[2854/1648] linked_values[64/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[3256/1648] linked_values[64/1]
Partition[CN=Configuration,DC=domainname,DC=lan] objects[3296/1648] linked_values[128/64]
Replicating critical objects from the base DN of the domain
Partition[DC=domainname,DC=lan] objects[97/97] linked_values[29/29]
Partition[DC=domainname,DC=lan] objects[402/484] linked_values[0/290]
Partition[DC=domainname,DC=lan] objects[484/484] linked_values[338/338]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=domainname,DC=lan
Join failed - cleaning up
Deleted CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
Deleted CN=NTDS Settings,CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
Deleted CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
  File "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/__init__.py", line 285, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 1511, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib/python3.10/site-packages/samba/join.py", line 1055, in join_replicate
    repl.replicate(nc, source_dsa_invocation_id,
  File "/usr/local/samba/lib/python3.10/site-packages/samba/drs_utils.py", line 358, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

The /usr/local/samba/etc/smb.conf file contents is like this:

# Global parameters
[global]
        netbios name = MONTSEC
        realm = DOMAINNAME.LAN
        workgroup = DOMAINNAME
        dns forwarder = 80.58.61.250 80.58.61.250
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
#       ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domainname.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Only I can see a possible issue. The new server is running at UTC, while current AD server runs at CEST. For this I changed TZ properly and launched again the samba-tool joining. Same result.

Also I can see some krb5 messages. For your info, the current AD server is using this krb5.conf file

[libdefaults]
        default_realm = DOMAINNAME.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

And the new one, that has been created automatically, is this one:

[libdefaults]
        default_realm = DOMAINNAME.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
DOMAINNAME.LAN = {
        default_domain = domainname.lan
}

[domain_realm]
        MONTSEC = DOMAINNAME.LAN

Regarding European support you're right. I'm waiting for a Sernet response. I sent them a mail requesting support.

Thanks a lot.

On 15/06/2024 at 11:53, Rowland Penny via samba wrote:
> On Sat, 15 Jun 2024 11:11:09 +0200
> Josep Maria Gorro via samba<samba at lists.samba.org> wrote:
>
>> Hello Rowland
>>
>> Thanks for your response.
>>
>> I'm using Centos7 as AD server.
>> At this time I'm trying to compile another server with Ubuntu 22.04
>> and Samba 4.20.1.
> Can I suggest Debian bookworm with Samba from backports instead, this
> will get you a very recent version of Samba.
>
>> I'm thinking to merge it as an AD on current
>> domain. If this runs I'll try to move FSMO from old to new.
>> Finally I'll demote old one.
>> Hope this will run and solve the issue.
> Worth trying, but if it does fail, then we need any and all error
> messages to try and help you.
>
>> Regarding support, I checked samba.org page for companies in Spain.
>> As anyone gives me reply, I started to locate other companies
>> worldwide. At this time I sent a request to another one (waiting for
>> reply). It will be useful if you can give me some choices. Better to
>> be on a similar time zone to be available at same time.
>>
> All I can suggest is that you try some of the local countries, perhaps
> Sernet in Germany.
>
> Rowland
>

--
Josep M. Gorro <mailto:jmgorro at gmail.com>
*Systems engineer*
Rowland Penny
2024-Jun-15 11:12 UTC
[Samba] Users appears as SID instead of their own name.
On Sat, 15 Jun 2024 12:52:10 +0200
Josep Maria Gorro via samba <samba at lists.samba.org> wrote:

> Hello Rowland.
>
> I think I won't be able to thank you enough for everything you are
> doing for me.
>
> I've tried and seems to run fine. But finally it throws an error and
> performs a rollback for all changes on AD.
> This is the transcript for the messages.
>
> root@montsec:/usr/local/samba/etc# samba-tool domain join
> DOMAINNAME DC -U"administrator"
> INFO 2024-06-15 10:28:20,881 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #104:
> Finding a writeable DC for domain 'DOMAINNAME'
> INFO 2024-06-15 10:28:20,966 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #106:
> Found DC tibidabo.domainname.lan
> Password for [DOMAINNAME\administrator]:
> INFO 2024-06-15 10:28:33,460 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1605:
> workgroup is DOMAINNAME
> INFO 2024-06-15 10:28:33,460 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #1608:
> realm is domainname.lan
> Adding CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
> Adding
> CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
> Adding CN=NTDS
> Settings,CN=MONTSEC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=lan
> Adding SPNs to CN=MONTSEC,OU=Domain
> Controllers,DC=domainname,DC=lan Setting account password for MONTSEC$
> Enabling account
> Calling bare provision
> INFO 2024-06-15 10:28:34,333 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2110: Looking up IPv4 addresses
> INFO 2024-06-15 10:28:34,333 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2127: Looking up IPv6 addresses
> WARNING 2024-06-15 10:28:34,334 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2134: No IPv6 address will be assigned
> INFO 2024-06-15 10:28:34,641 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2300: Setting up share.ldb
> INFO 2024-06-15 10:28:34,668 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2304: Setting up secrets.ldb
> INFO 2024-06-15 10:28:34,680 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2309: Setting up the registry
> INFO 2024-06-15 10:28:34,702 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2312: Setting up the privileges database
> INFO 2024-06-15 10:28:34,715 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2315: Setting up idmap db
> INFO 2024-06-15 10:28:34,725 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2322: Setting up SAM db
> INFO 2024-06-15 10:28:34,729 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #882: Setting up sam.ldb partitions and settings
> INFO 2024-06-15 10:28:34,730 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #894: Setting up sam.ldb rootDSE
> INFO 2024-06-15 10:28:34,732 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #1310: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
>
> INFO 2024-06-15 10:28:34,767 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2412: A Kerberos configuration suitable for Samba AD has been
> generated at /usr/local/samba/private/krb5.conf
> INFO 2024-06-15 10:28:34,767 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/provision/__init__.py
> #2414: Merge the contents of this file with your system krb5.conf
> or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=domainname,DC=lan
> INFO 2024-06-15 10:28:34,769 pid:27560
> /usr/local/samba/lib/python3.10/site-packages/samba/join.py #964:
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domainname,DC=lan]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=domainname,DC=lan] objects[402/1648]
> linked_values[0/1]
> Partition[CN=Configuration,DC=domainname,DC=lan] objects[804/1648]
> linked_values[0/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[1206/1648] linked_values[0/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[1608/1648] linked_values[0/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[1648/1648] linked_values[64/64]
> Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
> Missing target object - retrying with DRS_GET_TGT
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[2050/1648] linked_values[64/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[2452/1648] linked_values[64/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[2854/1648] linked_values[64/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[3256/1648] linked_values[64/1]
> Partition[CN=Configuration,DC=domainname,DC=lan]
> objects[3296/1648] linked_values[128/64]
> Replicating critical objects from the base DN of the domain
> Partition[DC=domainname,DC=lan] objects[97/97]
> linked_values[29/29] Partition[DC=domainname,DC=lan] objects[402/484]
> linked_values[0/290] Partition[DC=domainname,DC=lan] objects[484/484]
> linked_values[338/338] Done with always replicated NC (base, config,
> schema) Replicating DC=DomainDnsZones,DC=domainname,DC=lan

Where did your domain come from? Did it start as a Samba domain that you provisioned, or was it upgraded from an early Microsoft domain?

> Join failed - cleaning up

Anything after the above line is an artefact of the failure and can be ignored.

>
> Regarding European support you're right. I'm waiting for a Sernet
> response. I sent them a mail requesting support.
>

You should be in good hands with Sernet, quite a few of the Samba team are employed there.

Rowland
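
One way to read a join transcript along the lines of the reply above, as an added example that is not part of either post or of Samba: it splits the output at "Join failed - cleaning up" and reports which naming context was being replicated at that point. The function name `triage_join` and the shortened sample transcript are constructed for illustration.

```python
import re

# Constructed sample: a shortened form of the join transcript quoted in the thread.
SAMPLE = """\
Partition[CN=Configuration,DC=domainname,DC=lan] objects[1648/1648] linked_values[64/64]
Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=domainname,DC=lan] objects[3296/1648] linked_values[128/64]
Replicating critical objects from the base DN of the domain
Partition[DC=domainname,DC=lan] objects[484/484] linked_values[338/338]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=domainname,DC=lan
Join failed - cleaning up
Deleted CN=MONTSEC,OU=Domain Controllers,DC=domainname,DC=lan
ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
"""

PROGRESS = re.compile(r"^(?:Schema-DN|Partition)\[(?P<nc>[^\]]+)\] objects\[(?P<done>\d+)/(?P<total>\d+)\]")
REPLICATING = re.compile(r"^Replicating (?P<nc>(?:DC|CN)=\S+)$")
WERR = re.compile(r"\bWERR_[A-Z_]+\b")
FAIL_MARKER = "Join failed - cleaning up"

def triage_join(transcript):
    """Split a join transcript at the failure marker and summarise what preceded it."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    cut = lines.index(FAIL_MARKER) if FAIL_MARKER in lines else len(lines)
    before, after = lines[:cut], lines[cut + 1:]
    progress, in_flight, werr = {}, None, []
    for line in before:
        m = PROGRESS.match(line)
        if m:  # progress counter for a naming context (NC)
            progress[m["nc"]] = (int(m["done"]), int(m["total"]))
            in_flight = m["nc"]
            continue
        m = REPLICATING.match(line)
        if m:  # start of a further NC, e.g. DomainDnsZones
            in_flight = m["nc"]
        werr += WERR.findall(line)
    return {
        "failed": cut < len(lines),
        "in_flight_nc": in_flight,        # NC being replicated when the join stopped
        "werr_before_failure": werr,      # error codes logged before the marker
        # NCs whose last counter exceeds the advertised total (seen after the retry)
        "overcounted": sorted(nc for nc, (d, t) in progress.items() if d > t),
        "cleanup_lines": len(after),      # output after the marker, set aside
    }
```
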