Created attachment 10532 --debuglevel=10 transcript

Attempting to join existing Windows AD as 2nd AD/DC. Windows AD/DC is 2012R2 domain named "jdh-19550516.local".

Prerequisites listed on Samba Wiki page "Joining an Domain as a DC" - including /etc/hosts, Kerberos kinit verification, DNS adjustments, avoidance of mDNS problems, and samba version checking - have all been done or 'passed'.

Attempting:

    # samba-tool domain join JDH-19550516.local DC -UAdministrator \
    > --realm=JDH-19550516.local --dns-backend=SAMBA_INTERNAL

on Fedora 21 x86_64 machine, running fresh-built and -installed 4.1.14.

"Administrator" password accepted, then join fails with:

    Join failed - cleaning up
    checking sAMAccountName
    Deleted CN=DC-02,OU=Domain Controllers,DC=JDH-19550516,DC=local
    Deleted CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JDH-19550516,DC=local
    ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsBindInfoFallBack' object has no attribute 'supported_extensions'
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 555, in run
        machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
        ctx.do_join()
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 1075, in do_join
        ctx.join_add_objects()
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 541, in join_add_objects
        ctx.join_add_ntdsdsa()
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 474, in join_add_ntdsdsa
        ctx.DsAddEntry([rec])
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 384, in DsAddEntry
        ctx.drsuapi_connect()
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 363, in drsuapi_connect
        (ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drs_DsBind(ctx.drsuapi)
      File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/drs_utils.py", line 144, in drs_DsBind
        return (handle, info.info.supported_extensions)

A more detailed log of the failed domain join transcript attempted with --debuglevel=10 is attached.
I think this is already fixed in master and v4-2.
Created attachment 10542 Patches for v4-1-test
Created attachment 10543 Patches for v4-0-test
I am rebuilding with patches now. Question, if I may? Is this something new that MSFT has done with the AD / DC of the 2012R2 (Windows 8.1 Server) code family?
Upon building 4.1.14 with provided patches, I encountered the Domain and Forest operating level issue - Bugid # 10265. I used the workaround in that bug report - downgrading the Forest and Domain functional levels to Win2k8R2 - to complete a join. However, this thought comes to mind: If the Win2k12R2 AD is operating at this reduced level, would it have NOT presented RPC records of the kinds/sizes causing my original error in this bug report? Because the 4.1.* family of Samba is likely to never support Domain and Forest levels Win2k12R2 (and Win2k12?), maybe the right "fix" for this bug is simply detecting the other DC is trying to communicate at an unsupported higher level, and referring the administrator to the Domain and Forest operating level downgrade procedure???
Yes, this was a change made by Microsoft for Windows 2012.
Karolin, please pick for the next 4.1 release. Andrew, can we also get this into the next 4.0 release?
(In reply to Stefan (metze) Metzmacher from comment #7) Pushed to autobuild-v4-1-test.
(In reply to Stefan (metze) Metzmacher from comment #7) Should we be trying to enable 2012 with 4.0? If you actually ran the patches, and they work, I guess I'm OK, but I'm hesitant about setting expectations that we fix everything in every branch, even new features like 2012 support.
Pushed to v4-1-test. Re-assigning to Andrew to decide if it can be closed now.
Andrew, net rpc vampire keytab will also fail because of this against a Windows 2012* DC. But 4.0 is in security patch mode now...