----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Cc: "Rowland Penny" <rpenny at samba.org>
Sent: Thursday, 9 October 2025 13:57:58
Subject: Re: [Samba] Failed to find a writeable DC
On Thu, 9 Oct 2025 13:13:46 +0200 (CEST)
Fabrizio Rompani <fabrizio.rompani at yetopen.com> wrote:
>
> thanks for your answer.
> see below.
>
>
> ----- Original message -----
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Cc: "Rowland Penny" <rpenny at samba.org>
> Sent: Thursday, 9 October 2025 10:44:17
> Subject: Re: [Samba] Failed to find a writeable DC
>
> On Wed, 8 Oct 2025 22:44:19 +0200 (CEST)
> Fabrizio Rompani via samba <samba at lists.samba.org> wrote:
>
> > hi all
> > I have a DC used to manage user authentication to nextcloud app
> > installed on the same server. I moved NC to a new server leaving
> > samba-ad-dc on the old one ( appropriate firewall rules exits ) Now
> > I want to move samba to new VM so I can shutdown the old one.
> >
> > To do so ,I'm trying to join a second DC installed to the new
> > machine and then , after move all roles , I can demote and switch
> > off the old VM.
> >
> > BUT : when I try to join the second DC
> > I got this :
> > root at grants-dc:~# samba-tool domain join s4ad.domain.org DC -U
> > administrator --realm=S4AD.DOMAIN.ORG -W S4AD INFO 2025-10-08
>
> Either that is bad sanitisation or that is your problem there,
> 's4ad.domain.org' != 'S4AD.DOMAIN.ORG' (and I am discounting the
> case)
>
> yes, my fault: bad sanitisation!
>
>
> You also do not need the '-W' switch
>
> ok
>
>
> > 22:29:30,946 pid:3292 /usr/lib/python3/dist-packages/samba/join.py
> > #106: Finding a writeable DC for domain 's4ad.domain.org'
> > ERROR: Failed to find a writeable DC for domain 's4ad.domain.org':
> > The object was not found.
> >
> >
> > Here my config files:
> >
> >
> >
> > * Current (only) DC: Ubuntu 20.04, samba 4.15.13
> >
> > hosts:
> > xx.xx.xx.xx grants.s4ad.domain.org
> >
> > krb5.conf:
> > [libdefaults]
> > default_realm = S4AD.DOMAIN.ORG
> > dns_lookup_kdc = true
> > dns_lookup_realm = false
> >
> > smb.conf
> > [global]
> > dns forwarder = 127.0.0.1
>
> That dns forwarder isn't going to work, you are forwarding the DC to
> itself.
>
> OK. changed to 9.9.9.9
> Also: I use bind9
While concentrating on the dns forwarder, I missed that, so I will
change my answer to:
You should remove the 'dns forwarder' line, your dns forwarders should
be declared in the named conf files.
OK
>
> > netbios name = GRANTS
> > realm = S4AD.DOMAIN.ORG
> > server role = active directory domain controller
> > workgroup = S4AD
> > server services = -dns
> > interfaces = eth0 lo
> > bind interfaces only = yes
> >
> >
> >
> > * New DC Ubuntu 24.04 samba 4.23
> >
> > hosts:
> > yy.yy.yy.yy grants-dc.s4ad.domain.org
> >
> > /etc/netplan/
> >
> > network:
> > version: 2
> > ethernets:
> > ens18:
> > addresses:
> > - "yy.yy.yy.yy/24"
> > nameservers:
> > addresses:
> > - xx.xx.xx.xx
> > search: []
> >
> >
> >
> >
> >
> >
> > * dig grants.s4ad.domain.org
> >
> > grants.s4ad.domain.org. 0 IN A xx.xx.xx.xx
> >
> >
> >
> >
> >
> > * root at grants-dc:~# host -t SRV
> > _ldap._tcp.dc._msdcs.s4ad.domain.org
> >
> > _ldap._tcp.dc._msdcs.s4ad.domain.org has SRV record 0 100 389
> > grants.s4ad.domain.org.
> >
> >
> >
> >
> > * root at grants-dc:~# ping grants.s4ad.domain.org
> >
> > PING grants.s4ad.domain.org (89.116.29.118) 56(84) bytes of data.
> > 64 bytes from grants.s4ad.domain.org (xx.xx.xx.xx): icmp_seq=1 ttl=53 time=280 ms
> > 64 bytes from grants.s4ad.domain.org (xx.xx.xx.xx): icmp_seq=2 ttl=53 time=290 ms
> > ^C
There isn't much point in sanitising something if you do not do all of
them.
?????
>
> What is in the /etc/resolv.conf on the new DC ?
>
>
>
> search s4ad.domain.org
> nameserver xx.xx.xx.xx   (old DC server IP)
>
>
> also:
>
> dig grants.s4ad.domain.org
> grants.s4ad.domain.org. 900 IN A xx.xx.xx.xx
>
>
> host -t SRV _ldap._tcp.s4ad.domain.org
> _ldap._tcp.s4ad.domain.org has SRV record 0 100 389
> grants.s4ad.domain.org.
>
>
>
>
>
> I still have same error:
> ERROR: Failed to find a writeable DC for domain 's4ad.domain.org':
> The object was not found
Could there be a firewall stopping the connection?
firewalld is installed on both VMs: there's a zone "trusted" with
target accept.
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: ipset:trust
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
IP yy.yy.yy.yy belongs to ipset "trust" on VM xx.xx.xx.xx and vice
versa, so everything should be open from yy.yy.yy.yy to xx.xx.xx.xx and
vice versa, e.g.:
from yy.yy.yy.yy:
telnet xx.xx.xx.xx 389
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
telnet xx.xx.xx.xx 445
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
>
>
>
> What about a different approach:
> back up the online DC (samba 4.15) and restore it into the new samba 4.23,
> then change resolv.conf and the Nextcloud LDAP config to point at itself: grants-dc
>
> what do you think about it?
Not much.
Joining a new DC should be effortless, when it doesn't work it is
usually down to a DNS problem.
so different versions shouldn't be a problem, right?
could you suggest some DNS checks?
thanks
rf
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
YetOpen SB
Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA
Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com
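An added example, not from this thread and not part of Samba's own tooling: a small POSIX shell script that performs the DNS checks asked for at the end of the thread, run on the prospective DC before "samba-tool domain join <realm> DC", plus a static check for the two smb.conf problems Rowland pointed out (a "dns forwarder" that points at the DC itself, and a "dns forwarder" at all when "server services = -dns" hands DNS to BIND). The realm s4ad.domain.org, the existing DC name grants.s4ad.domain.org and the placeholder address xx.xx.xx.xx are taken from the thread; "host" and "samba-tool" are assumed to be installed on the joining host. The live lookups run only with "--run"; the parsing and smb.conf functions need no network.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Samba code): pre-join checks
# for a new Samba AD DC. Assumptions taken from the thread: realm s4ad.domain.org,
# existing DC grants.s4ad.domain.org at placeholder address xx.xx.xx.xx, existing DC
# using the BIND9_DLZ backend (server services = -dns). 'host' and 'samba-tool' are
# assumed to be installed on the joining host.

REALM=${REALM:-s4ad.domain.org}
DC_FQDN=${DC_FQDN:-grants.s4ad.domain.org}
DC_IP=${DC_IP:-xx.xx.xx.xx}   # placeholder, as in the thread

# SRV records an AD DC publishes (samba_dnsupdate maintains them). The join's
# "Finding a writeable DC" step resolves _ldap._tcp.dc._msdcs.<realm>; Kerberos
# uses the _kerberos and _kpasswd names. Every one must point at the existing DC.
srv_names() {
    cat <<EOF
_ldap._tcp.$REALM
_ldap._tcp.dc._msdcs.$REALM
_ldap._tcp.pdc._msdcs.$REALM
_kerberos._tcp.$REALM
_kerberos._udp.$REALM
_kerberos._tcp.dc._msdcs.$REALM
_kpasswd._tcp.$REALM
_kpasswd._udp.$REALM
EOF
}

# srv_target: read 'host -t SRV' output on stdin and print the first target without
# its trailing dot, e.g. "... has SRV record 0 100 389 grants.s4ad.domain.org."
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# smbconf_forwarder_problem: read smb.conf on stdin. Exits 0 and prints a reason when
# 'dns forwarder' is set while the internal DNS server is disabled (server services
# = -dns, so forwarders belong in named.conf), or when it points at the DC itself
# (127.0.0.1). Both are the misconfigurations discussed in the thread.
smbconf_forwarder_problem() {
    awk '
        { line = tolower($0); gsub(/[ \t]+/, " ", line) }
        line ~ /^ *dns forwarder *=/         { fwd = line; sub(/.*= */, "", fwd) }
        line ~ /^ *server services *=.*-dns/ { nodns = 1 }
        END {
            if (fwd == "") exit 1
            if (nodns) { print "dns forwarder set but internal DNS is disabled; declare forwarders in named.conf"; exit 0 }
            if (fwd ~ /127\.0\.0\.1/) { print "dns forwarder points at the DC itself (" fwd ")"; exit 0 }
            exit 1
        }'
}

# check_srv NAME: live lookup through /etc/resolv.conf (the resolver Samba itself
# uses); passes only when the SRV target is the existing DC.
check_srv() {
    t=$(host -t SRV "$1" | srv_target)
    if [ "$t" = "$DC_FQDN" ]; then
        echo "ok    $1 -> $t"
    else
        echo "FAIL  $1 -> ${t:-no SRV record}"
        return 1
    fi
}

# run_checks: the live part; needs network access to the existing DC.
run_checks() {
    rc=0
    for n in $(srv_names); do
        check_srv "$n" || rc=1
    done
    # The SRV target must resolve, and to the address the firewall ipset was built for.
    a=$(host -t A "$DC_FQDN" | awk '/has address/ { print $NF; exit }')
    if [ "$a" = "$DC_IP" ]; then
        echo "ok    $DC_FQDN -> $a"
    else
        echo "FAIL  $DC_FQDN -> ${a:-unresolved} (expected $DC_IP)"; rc=1
    fi
    # "Finding a writeable DC" is a CLDAP netlogon ping over UDP 389; the TCP
    # connections shown with telnet do not exercise it. This query does.
    samba-tool domain info "$DC_IP" || { echo "FAIL  CLDAP query to $DC_IP"; rc=1; }
    return $rc
}

case "${1:-}" in
    --run)     run_checks ;;
    --smbconf) smbconf_forwarder_problem ;;   # e.g. --smbconf < /etc/samba/smb.conf
esac
```

Run "sh dc-prejoin-check.sh --run" on the joining host, with /etc/resolv.conf listing only the existing DC; "host" without an explicit server uses resolv.conf, so the answers are the ones the join will see. Run "sh dc-prejoin-check.sh --smbconf < /etc/samba/smb.conf" on the existing DC: with the BIND9_DLZ backend the upstream resolver belongs in the BIND options block ("forwarders { 9.9.9.9; };"), not in smb.conf.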