Mitja Tavčar
2024-Aug-09 11:38 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
Hi,
I'm trying to join a Debian bookworm machine running Samba (Version 4.17.12-Debian)
as an additional DC to an Active Directory domain.
The domain is already running on two Windows 2019 DCs (hostnames vmw2srvdc1
and vmw2srvdc2) and the functional level of the AD domain is 2008 R2.
I followed the samba wiki instructions at:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
I also made another site in AD which I want the new Samba domain controller
to join, so in the command I also used the --site option.
This is the command I used for my last attempt:
samba-tool domain join intra.comune.trento.it DC --site PSN --server
vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
The join always fails after adding the DNS records for
LVSRVDC.intra.comune.trento.it (my new domain controller).
I tried varying some options (authentication via username/password instead of
Kerberos, and also switching between the BIND9_DLZ and SAMBA_INTERNAL DNS backends), but
the join process always fails at apparently the same point. From the logs the
error would appear to be in adding the DNS record for the new domain controller, but I
also noticed the "Could not find machine account in secrets database:
Failed to fetch machine account password for INTRA from both secrets.ldb"
error, which could be the problem.
The Samba server is a new Debian bookworm setup that was not used for any other
purpose, and between the various attempts I also deleted all .ldb and .tdb
databases from /var/lib/samba/, /var/cache/samba and /run/samba and their subfolders,
and /etc/samba/smb.conf, as suggested in the wiki above for a cleaner start.
I'm stuck. Any suggestions for a solution?
Thank you in advance.
Mitja Tavčar

Here are the final parts of the log with the -d 3 option, after the error:
(..)
INFO 2024-08-08 12:24:34,906 pid:1386 /usr/lib/python3/dist-packages/samba/join.py #1080: Committed SAM database
INFO 2024-08-08 12:24:34,927 pid:1386 /usr/lib/python3/dist-packages/samba/join.py #1156: Adding 1 remote DNS records for LVSRVDC.intra.comune.trento.it
Using binding ncacn_ip_tcp:vmw2srvdc2.intra.comune.trento.it[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name vmw2srvdc2.intra.comune.trento.it<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name vmw2srvdc2.intra.comune.trento.it<0x20>
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for INTRA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=INTRA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:5176) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(<class 'UnboundLocalError'>): uncaught exception - cannot access local variable 'res' where it is not associated with a value
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 711, in run
    join_RODC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1563, in join_RODC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1495, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1191, in join_add_dns_records
    for rec in res.rec:
               ^^^
Adding CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=krbtgt_LVSRVDC,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Got krbtgt_name=krbtgt_7869
Renaming CN=krbtgt_LVSRVDC,CN=Users,DC=intra,DC=comune,DC=trento,DC=it to CN=krbtgt_7869,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Adding SPNs to CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Setting account password for LVSRVDC$
Enabling account
Calling bare provision
Provision OK for domain DN DC=intra,DC=comune,DC=trento,DC=it
Missing target object - retrying with DRS_GET_TGT
Replicating critical objects from the base DN of the domain
Missing target object - retrying with DRS_GET_TGT
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=intra,DC=comune,DC=trento,DC=it
Replicating DC=ForestDnsZones,DC=intra,DC=comune,DC=trento,DC=it
Join failed - cleaning up
Deleted CN=LVSRVDC,OU=Domain Controllers,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=krbtgt_7869,CN=Users,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=RODC Connection (FRS),CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=NTDS Settings,CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Deleted CN=LVSRVDC,CN=Servers,CN=PSN,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
Rowland Penny
2024-Aug-09 14:09 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
On Fri, 9 Aug 2024 13:38:35 +0200 Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I'm trying to join a Debian bookworm machine running Samba (Version
> 4.17.12-Debian) as an additional DC to an Active Directory domain. The
> domain is already running on two Windows 2019 DCs (hostnames
> vmw2srvdc1 and vmw2srvdc2) and the functional level of the AD domain
> is 2008 R2.
>
> I followed the Samba wiki instructions at:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> I also made another site in AD which I want the new Samba domain
> controller to join, so in the command I also used the --site
> option.
>
> This is the command I used for my last attempt:
> samba-tool domain join intra.comune.trento.it DC --site PSN --server
> vmw2srvdc2.intra.comune.trento.it --use-kerberos=desired -d 3
>
> The join always fails after adding the DNS records for
> LVSRVDC.intra.comune.trento.it (my new domain controller).
>
> I tried varying some options (authentication via username/password
> instead of Kerberos, and also switching between the BIND9_DLZ and
> SAMBA_INTERNAL DNS backends), but the join process always fails at
> apparently the same point. From the logs the error would appear to be in
> adding the DNS record for the new domain controller, but I also
> noticed the "Could not find machine account in secrets database:
> Failed to fetch machine account password for INTRA from both
> secrets.ldb" error, which could be the problem.
>
> The Samba server is a new Debian bookworm setup that was not used for
> any other purpose, and between the various attempts I also deleted all
> .ldb and .tdb databases from /var/lib/samba/, /var/cache/samba and
> /run/samba and their subfolders, and /etc/samba/smb.conf, as suggested
> in the wiki above for a cleaner start.
>

Can you please try again with Samba from Bookworm backports? That will get you 4.20.2; there has been better support for Windows domains added.

As you are using Kerberos for the join, I take it you are running samba-tool as root, so have you also run 'kinit Administrator' as root?

Rowland
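The traceback Mitja posted ends in an UnboundLocalError on 'res' inside join_add_dns_records, which only says that the DNS record query before it never produced a result; the underlying cause has to be established before running the join. As an added example (not code from the thread or from the Samba project), here is a POSIX sh pre-join check covering the two points Rowland raises (a Kerberos TGT for the realm, held by the user that runs samba-tool) and the clean-start step from the wiki Mitja followed, plus two basics the -d 3 log cannot confirm: that the new DC's FQDN lies inside the domain and that the target DC resolves. The realm, target DC and paths are assumptions taken from the thread, and the function names are mine.

```shell
#!/bin/sh
# Pre-join checks for "samba-tool domain join <domain> DC", run as root on the
# prospective Samba DC *before* the join. Added example, not from the thread or
# from the Samba project. Realm, target DC and paths are assumptions taken from
# the thread; adjust them for your domain.

REALM="INTRA.COMUNE.TRENTO.IT"
DOMAIN="intra.comune.trento.it"
DC_SERVER="vmw2srvdc2.intra.comune.trento.it"
PRIVATE_DIR="/var/lib/samba/private"
SMB_CONF="/etc/samba/smb.conf"

# Exit 0 when the klist output on stdin contains a TGT for realm $1, i.e. a
# service principal krbtgt/$1@$1. MIT and Heimdal klist both print it this way.
tgt_for_realm() {
    grep -qF "krbtgt/$1@$1"
}

# Exit 0 when host name $1 lies inside DNS domain $2 (case-insensitive): the
# new DC's FQDN must be "<host>.<domain>" for the domain it is joining.
fqdn_in_domain() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$fqdn" in
        ?*."$dom") return 0 ;;
    esac
    return 1
}

# List Samba state the wiki says to clear before a fresh join (databases under
# $1 and the smb.conf at $2). Exit 0 if anything is left over, 1 if clean.
leftover_state() {
    found=1
    for f in "$1"/*.ldb "$1"/*.tdb "$2"; do
        [ -e "$f" ] || continue
        echo "leftover: $f"
        found=0
    done
    return $found
}

# Live checks against this host: one line per check, exit 1 on any failure.
precheck() {
    status=0
    me=$(hostname -f)
    if fqdn_in_domain "$me" "$DOMAIN"; then
        echo "ok:   FQDN $me is in $DOMAIN"
    else
        echo "FAIL: FQDN $me is not in $DOMAIN"; status=1
    fi
    if getent hosts "$DC_SERVER" >/dev/null 2>&1; then
        echo "ok:   $DC_SERVER resolves"
    else
        echo "FAIL: cannot resolve $DC_SERVER (point /etc/resolv.conf at an existing DC)"; status=1
    fi
    if klist 2>/dev/null | tgt_for_realm "$REALM"; then
        echo "ok:   TGT for $REALM present in this user's ticket cache"
    else
        echo "FAIL: no TGT for $REALM as $(id -un); run 'kinit Administrator' as the user that runs samba-tool"; status=1
    fi
    if leftover_state "$PRIVATE_DIR" "$SMB_CONF"; then
        echo "FAIL: stale Samba state listed above; remove it before retrying the join"; status=1
    else
        echo "ok:   no stale Samba databases or smb.conf"
    fi
    return $status
}

# Only run the live checks when invoked as:  sh prejoin.sh run
if [ "${1:-}" = "run" ]; then
    precheck
fi
```

Run it as root with `sh prejoin.sh run` immediately before `samba-tool domain join ...`; a FAIL on the TGT line as root means the kinit was done as a different user (or has expired), which is exactly the case Rowland's question is probing.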