Bug 13491 - Can't join SAMBA4 DC to a Microsoft Active Directory forest
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.6
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-06-27 13:02 UTC by Tim Herrmann (mail address dead)
Modified: 2020-05-23 20:11 UTC
Description Tim Herrmann (mail address dead) 2018-06-27 13:02:46 UTC
We have an Active Directory forest with 4 Windows Server 2008 R2 Domain Controllers and 1 Windows Server 2016 DC, and the whole forest is running with an Active Directory 2008 schema.

To get away from the terrible Windows servers we are trying to migrate the Active Directory to SAMBA4 DCs.

I've installed one Ubuntu 18.04 VM on our vSphere Cluster and configured the VM as described in the following documentation:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Using_the_Domain_Controller_as_a_File_Server

The following packages are installed:
apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind bind9

I'm trying to join the domain with the following command:
samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --dns-backend=BIND9_DLZ -d5

But the join fails with some errors as shown below ...


Here are (hopefully) all necessary configs and Logs ;)

######################################################################
15:49:33 root hal:~ # cat /etc/hosts
127.0.0.1	localhost.localdomain	localhost
192.168.105.1	hal.tyre24.local hal

######################################################################
15:49:45 root hal:~ # cat /etc/hostname 
hal

######################################################################
15:49:47 root hal:~ # cat /etc/netplan/50-cloud-init.yaml 
# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
            - 192.168.105.1/21
            gateway4: 192.168.104.12
            nameservers:
                addresses:
                - 192.168.104.6
                search:
                - tyre24.local
            optional: true
    version: 2

######################################################################
15:50:54 root hal:~ # cat /etc/resolv.conf 
nameserver 127.0.0.53
search tyre24.local

######################################################################
15:51:17 root hal:~ # cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = TYRE24.LOCAL

######################################################################
15:51:58 root hal:~ # samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --dns-backend=BIND9_DLZ -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
Finding a writeable DC for domain 'tyre24.local'
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
finddcs: searching for a DC by DNS domain tyre24.local
finddcs: looking for SRV records for _ldap._tcp.tyre24.local
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.tyre24.local<0x0>
ads_dns_lookup_srv: 3 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.104.6'
finddcs: DNS SRV response 1 at '192.168.105.8'
finddcs: DNS SRV response 2 at '192.168.105.6'
finddcs: DNS SRV response 3 at '192.168.104.8'
finddcs: performing CLDAP query on 192.168.104.6
finddcs: Found matching DC 192.168.104.6 with server_type=0x0001f3fc
Found DC nas02.tyre24.local
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/nas02.tyre24.local
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Password for [TYRE24.LOCAL\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
workgroup is TYRE24
realm is tyre24.local
Adding CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Adding CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Adding CN=NTDS Settings,CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Using binding ncacn_ip_tcp:nas02.tyre24.local[,seal]
Mapped to DCERPC endpoint 135
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Mapped to DCERPC endpoint 49668
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/NAS02.TYRE24.LOCAL
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Join failed - cleaning up
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
Could not open tdb: No such file or directory
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=TYRE24)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Deleted CN=NTDS Settings,CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Deleted CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr: DSID-030A08C0, data 0, 1 access points
	ref 1: 'd594881a-89dd-4589-b3c4-4fdc713ae67f._msdcs.tyre24.local'
> <ldap://d594881a-89dd-4589-b3c4-4fdc713ae67f._msdcs.tyre24.local>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)
Comment 1 Andrew Bartlett 2018-06-27 18:25:33 UTC
OK, so for others looking into this, the secrets.tdb thing is a red herring and this is the same as this thread:

https://lists.samba.org/archive/samba-technical/2018-June/128752.html

The Windows DC is rejecting our modify of the replication status of the application partition. We may need to use a different API for that or do it a different way.

Joining to the naming master with --server may help.
Comment 2 Tim Herrmann (mail address dead) 2018-06-28 08:24:14 UTC
Hi Andrew,

Thank you for your response.

I've tried the join with the "--server" parameter to join directly over the naming master, but now I get a slightly different error message xD

According to the other issue, the only solution there was also to use the "--server" parameter, isn't it?


08:15:03 root hal:~ # samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --server=PDC01 --dns-backend=BIND9_DLZ -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name PDC01<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/PDC01
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Password for [TYRE24.LOCAL\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
workgroup is TYRE24
realm is tyre24.local
Adding CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Adding CN=HAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Join failed - cleaning up
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
Could not open tdb: No such file or directory
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=TYRE24)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=tyre24,DC=local <0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=Sites,CN=Configuration,DC=tyre24,DC=local'
> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
    ctx.samdb.add(rec)
Comment 3 Andrew Bartlett 2018-06-28 08:35:02 UTC
For some reason the server has not detected the correct site via CLDAP, and so has defaulted to 'Default-First-Site-Name', which is not present in your domain.

Which sites are present? Do any cover the subnet of the new DC?

Do you have a Default-First-Site-Name (perhaps in another language)?
Comment 4 Tim Herrmann (mail address dead) 2018-06-28 08:49:48 UTC
You're right, there is no site named 'Default-First-Site-Name'.

Actually we only have 1 site defined in the forest, which is called "Siegelbach", and it covers the subnet 192.168.104.0/21.
All Windows DCs and the new SAMBA4 DC are in this subnet.
Comment 5 Björn Jacke 2019-09-18 11:26:50 UTC
Renaming the default-first-site-name seems to be commonly supported in the Windows world, so samba-tool needs to be enhanced to look out for the right site name in any case. From comment#2 it seems like, at least with the --server parameter, the site name is not looked up or not used when creating the new DC account.
Comment 6 Björn Jacke 2020-05-23 20:11:29 UTC
If you still have a chance to test this, can you have a look at whether the additional parameter --site=<sitename> makes the join work for you?
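
Added example (not part of the bug report and not samba-tool code): a small triage helper for the two failed join logs above. It extracts the site the join tried to use, the LDAP error, and whether the bind fell back from Kerberos to NTLMSSP, and it checks the DC's address against the site/subnet layout from comment 4. The names `SITE_SUBNETS`, `site_for_address` and `triage` are hypothetical, and the sample logs are abridged from the logs on this page.

```python
import ipaddress
import re

# Site/subnet layout as stated in comment 4; the new DC is 192.168.105.1.
SITE_SUBNETS = {"Siegelbach": ["192.168.104.0/21"]}

# Constructed samples: lines abridged from the two join logs in this report.
JOIN_1 = r"""
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/nas02.tyre24.local
Adding CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Could not open tdb: No such file or directory
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr: DSID-030A08C0, data 0, 1 access points
"""
JOIN_2 = r"""
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/PDC01
Adding CN=HAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Could not open tdb: No such file or directory
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=tyre24,DC=local <0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
"""

def site_for_address(addr, site_subnets):
    """Return the site whose most specific subnet contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for site, subnets in site_subnets.items():
        for net in map(ipaddress.ip_network, subnets):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site)
    return best[1] if best else None

def triage(log, dc_addr, site_subnets):
    """Summarise a failed join log: site used, LDAP error, auth fallback."""
    site = re.search(r"^Adding CN=[^,]+,CN=Servers,CN=([^,]+),CN=Sites,", log, re.M)
    err = re.search(r"LDAP error (\d+) (LDAP_\w+)", log)
    used = site.group(1) if site else None
    expected = site_for_address(dc_addr, site_subnets)
    return {
        "site_used": used,
        "site_expected": expected,
        # A site name absent from the forest is the failure explained in comment 3.
        "unknown_site": used is not None and used not in site_subnets,
        "ldap_error": (int(err.group(1)), err.group(2)) if err else None,
        # gssapi_krb5 could not start, so the bind continued with NTLMSSP.
        "kerberos_fallback": "cannot use kerberos" in log,
        # secrets.tdb messages follow the cleanup; comment 1 calls them a red herring.
        "cleanup_noise": log.count("Could not open tdb"),
    }

if __name__ == "__main__":
    for name, log in (("first", JOIN_1), ("--server", JOIN_2)):
        print(name, triage(log, "192.168.105.1", SITE_SUBNETS))
```

For the `--server` attempt, `site_expected` is the value that would go into the `--site=<sitename>` parameter suggested in comment 6.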