After compiling Samba 4.1 on an Ubuntu server I try to join a Windows 2012 server and get this error:

    root@samba41:~/compilar/samba-4.1.0# /root/compilar/samba-4.1.0/bin/samba-tool domain join zentyal.it.com DC -Uadministrator --realm=zentyal.it.com
    Finding a writeable DC for domain 'zentyal.it.com'
    Found DC win2k12.zentyal.it.com
    Password for [WORKGROUP\administrator]:
    workgroup is ZENTYAL
    realm is zentyal.it.com
    checking sAMAccountName
    Adding CN=SAMBA41,OU=Domain Controllers,DC=zentyal,DC=it,DC=com
    Adding CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
    Adding CN=NTDS Settings,CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
    DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
    Join failed - cleaning up
    checking sAMAccountName
    Deleted CN=SAMBA41,OU=Domain Controllers,DC=zentyal,DC=it,DC=com
    Deleted CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
    ERROR(runtime): uncaught exception - DsAddEntry failed
      File "bin/python/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "bin/python/samba/netcmd/domain.py", line 552, in run
        machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
      File "bin/python/samba/join.py", line 1169, in join_DC
        ctx.do_join()
      File "bin/python/samba/join.py", line 1072, in do_join
        ctx.join_add_objects()
      File "bin/python/samba/join.py", line 541, in join_add_objects
        ctx.join_add_ntdsdsa()
      File "bin/python/samba/join.py", line 474, in join_add_ntdsdsa
        ctx.DsAddEntry([rec])
      File "bin/python/samba/join.py", line 437, in DsAddEntry
        raise RuntimeError("DsAddEntry failed")
Looks like it's necessary to manually lower the domain and forest functional levels on the Windows 2012 server first, via PowerShell:

    Set-ADForestMode -Identity "mydom.local" -ForestMode Windows2008R2Forest
    Set-ADDomainMode -Identity "mydom.local" -DomainMode Windows2008R2Domain

With these settings at least the domain join of a Samba 4.1 with a W2k12 DC worked for me.
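
Added example, not part of the bug report and not Samba code: a small Python check over a `samba-tool domain join` transcript that extracts the WERR status/info pair from the failure line and confirms the cleanup removed every directory object the join had created. The function name `analyze_join`, the hint text, and the rule that the last "Adding" line before the failure names the rejected object are assumptions of this example; the sample lines are copied from the transcript in the report above.

```python
import re

# Lines copied from the join output in the report above.
SAMPLE = """\
Adding CN=SAMBA41,OU=Domain Controllers,DC=zentyal,DC=it,DC=com
Adding CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
Adding CN=NTDS Settings,CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SAMBA41,OU=Domain Controllers,DC=zentyal,DC=it,DC=com
Deleted CN=SAMBA41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal,DC=it,DC=com
"""

FAIL_RE = re.compile(
    r"^(\w+) failed with status \((\d+), '(\w+)'\) info \((\d+), '(\w+)'\)$")

# Hint drawn from this thread only; any other code gets no hint.
HINTS = {"WERR_DS_INCOMPATIBLE_VERSION":
         "compare the domain/forest functional level on the Windows DC"}


def analyze_join(transcript):
    """Return the parsed failure and any created objects not cleaned up."""
    created, deleted, failure = [], set(), None
    for line in (raw.strip() for raw in transcript.splitlines()):
        m = FAIL_RE.match(line)
        if m:
            # Assumption: the last "Adding" line before the failure is the
            # object whose creation was rejected, so it never existed.
            rejected = created.pop() if created else None
            failure = {"call": m.group(1),
                       "status": (int(m.group(2)), m.group(3)),
                       "info": (int(m.group(4)), m.group(5)),
                       "rejected_dn": rejected,
                       "hint": HINTS.get(m.group(5))}
        elif line.startswith("Adding "):
            created.append(line[len("Adding "):])
        elif line.startswith("Deleted "):
            deleted.add(line[len("Deleted "):].casefold())
    # DNs compare case-insensitively; anything created but not deleted
    # is a stale object left in the directory by the failed join.
    leftover = [dn for dn in created if dn.casefold() not in deleted]
    return {"failure": failure, "created": created, "leftover": leftover}


if __name__ == "__main__":
    print(analyze_join(SAMPLE))
```

An empty `leftover` list means the failed join left no computer or server objects behind in the directory.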
Samba as an AD DC together with MS AD DCs is not supported. First of all we miss sysvol replication; other things might also be missing. This is not a supported setup currently.
This is a valid bug, and pending time these issues can and should be addressed. Some aspects will be easier than others, but this isn't a WONTFIX.

Björn,

Feel free to discuss this with me offline if you need further clarification.

Thanks,

Andrew Bartlett
If you want to keep bug reports of unsupported features as enhancement / TODO issues, you should set the title and the importance of those bugs accordingly then.
Is there any roadmap for when this feature (joining Samba as a DC in an MS AD) may be integrated?
(In reply to comment #5)
> Is there any roadmap, when this feature: join samba as an DC in a MS AD - may
> be integrated?

Implementing the sysvol replication is a lot of work, so it's unlikely to be ready before 4.4.0 unless someone sponsors the work.