We have an Active Directory forest with 4 Windows Server 2008 R2 Domain Controllers and 1 Windows Server 2016 DC, and the whole forest is running with an Active Directory 2008 schema. To get away from the terrible Windows servers we are trying to migrate the Active Directory to SAMBA4 DCs. I've installed one Ubuntu 18.04 VM on our vSphere Cluster and configured the VM as described in the following documentation: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Using_the_Domain_Controller_as_a_File_Server

The following packages are installed:

apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind bind9

I'm trying to join the domain with the following command:

samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --dns-backend=BIND9_DLZ -d5

But the join fails with some errors as shown below ... Here are (hopefully) all necessary configs and Logs ;)

######################################################################
15:49:33 root hal:~ # cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.105.1 hal.tyre24.local hal
######################################################################
15:49:45 root hal:~ # cat /etc/hostname
hal
######################################################################
15:49:47 root hal:~ # cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
            - 192.168.105.1/21
            gateway4: 192.168.104.12
            nameservers:
                addresses:
                - 192.168.104.6
                search:
                - tyre24.local
            optional: true
    version: 2
######################################################################
15:50:54 root hal:~ # cat /etc/resolv.conf
nameserver 127.0.0.53
search tyre24.local
######################################################################
15:51:17 root hal:~ # cat /etc/krb5.conf
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_realm = TYRE24.LOCAL
######################################################################
15:51:58 root hal:~ # samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --dns-backend=BIND9_DLZ -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
Finding a writeable DC for domain 'tyre24.local'
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
finddcs: searching for a DC by DNS domain tyre24.local
finddcs: looking for SRV records for _ldap._tcp.tyre24.local
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.tyre24.local<0x0>
ads_dns_lookup_srv: 3 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.104.6'
finddcs: DNS SRV response 1 at '192.168.105.8'
finddcs: DNS SRV response 2 at '192.168.105.6'
finddcs: DNS SRV response 3 at '192.168.104.8'
finddcs: performing CLDAP query on 192.168.104.6
finddcs: Found matching DC 192.168.104.6 with server_type=0x0001f3fc
Found DC nas02.tyre24.local
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/nas02.tyre24.local
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Password for [TYRE24.LOCAL\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
workgroup is TYRE24
realm is tyre24.local
Adding CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Adding CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Adding CN=NTDS Settings,CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Using binding ncacn_ip_tcp:nas02.tyre24.local[,seal]
Mapped to DCERPC endpoint 135
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Mapped to DCERPC endpoint 49668
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name nas02.tyre24.local<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/NAS02.TYRE24.LOCAL
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Join failed - cleaning up
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
Could not open tdb: No such file or directory
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=TYRE24)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Deleted CN=NTDS Settings,CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Deleted CN=HAL,CN=Servers,CN=Siegelbach,CN=Sites,CN=Configuration,DC=tyre24,DC=local
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr: DSID-030A08C0, data 0, 1 access points
        ref 1: 'd594881a-89dd-4589-b3c4-4fdc713ae67f._msdcs.tyre24.local'
> <ldap://d594881a-89dd-4589-b3c4-4fdc713ae67f._msdcs.tyre24.local>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in join_add_objects
    ctx.samdb.modify(m)
OK, so for others looking into this: the secrets.tdb thing is a red herring and this is the same as this thread: https://lists.samba.org/archive/samba-technical/2018-June/128752.html The Windows DC is rejecting our modify of the replication status of the application partition. We may need to use a different API for that or do it a different way. Joining to the naming master with --server may help.
Hi Andrew, thank you for your response. I've tried the join with the "--server" parameter to join directly over the naming master, but now I get a slightly different error message xD According to the other issue, the only solution there was also to use the "--server" parameter, wasn't it?

08:15:03 root hal:~ # samba-tool domain join tyre24.local DC -U"tyre24.local\administrator" --server=PDC01 --dns-backend=BIND9_DLZ -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
added interface ens160 ip=192.168.105.1 bcast=192.168.111.255 netmask=255.255.248.0
resolve_lmhosts: Attempting lmhosts lookup for name PDC01<0x20>
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(TYRE24.LOCAL\administrator) without realm, cannot use kerberos for this connection ldap/PDC01
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Password for [TYRE24.LOCAL\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
workgroup is TYRE24
realm is tyre24.local
Adding CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
Adding CN=HAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tyre24,DC=local
Join failed - cleaning up
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
Could not open tdb: No such file or directory
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=TYRE24)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=HAL,OU=Domain Controllers,DC=tyre24,DC=local
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  CN=Sites,CN=Configuration,DC=tyre24,DC=local <0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=tyre24,DC=local'
> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
    ctx.samdb.add(rec)
For some reason the server has not detected the correct site via CLDAP, and so has defaulted to 'Default-First-Site-Name', which is not present in your domain. Which sites are present? Do any cover the subnet of the new DC? Do you have a Default-First-Site-Name (perhaps in another language?).
You're right, there is no site named 'Default-First-Site-Name'. Actually we only have 1 site defined in the forest, which is called "Siegelbach" and it covers the subnet 192.168.104.0/21. All Windows DCs and the new SAMBA4 DC are in this subnet.
Renaming the Default-First-Site-Name seems to be commonly supported in the Windows world, so samba-tool needs to be enhanced to look out for the right site name in any case. From comment #2 it seems that, at least with the --server parameter, the site name is not looked up or not used when creating the new DC account.
If you still have a chance to test this, can you have a look if the additional parameter --site=<sitename> makes the join work for you?
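The following is an added example, not part of this bug report and not Samba's code. It models the site lookup that comments 11 and 13 describe: the joining host's address is matched against the subnet objects under CN=Subnets,CN=Sites,CN=Configuration (most specific prefix wins, as Windows does it), the matching siteObject is used, and only if nothing matches does the lookup fall back to Default-First-Site-Name. The difference from what samba-tool did here is that the fallback is refused when that site does not exist in the forest, so the operator is told to pass --site explicitly instead of the join failing with LDAP_NO_SUCH_OBJECT halfway through. The site and subnet lists are constructed from the values this report gives (one site "Siegelbach" covering 192.168.104.0/21); a real check would read them over LDAP.

```python
"""Pick the --site value for a Samba DC join from the forest's subnet map.

Added example (not Samba code). SITES and SUBNETS are constructed stand-ins
for the objects under CN=Sites,CN=Configuration,DC=tyre24,DC=local, filled
with the values from this bug report.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: site objects present in the forest (comment 12: only one).
SITES: List[str] = ["Siegelbach"]

# Constructed: subnet object CN -> its siteObject (the site that covers it).
SUBNETS: Dict[str, str] = {
    "192.168.104.0/21": "Siegelbach",
}

DEFAULT_SITE = "Default-First-Site-Name"


def site_for_address(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Return the site whose subnet covers `ip`, preferring the longest prefix.

    AD site lookup works the same way: a /24 subnet object beats a /21 that
    also contains the address. Returns None when no subnet object matches.
    """
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def resolve_join_site(ip: str, subnets: Dict[str, str], sites: List[str],
                      fallback: str = DEFAULT_SITE) -> str:
    """Site to use for the new DC's server object.

    Unlike a blind default, the fallback is only used when that site really
    exists; otherwise raise so the caller passes --site explicitly rather
    than creating CN=<host>,CN=Servers,CN=<missing site>,... and failing.
    """
    site = site_for_address(ip, subnets)
    if site is not None:
        return site
    if fallback in sites:
        return fallback
    raise LookupError(
        f"no subnet object covers {ip} and site {fallback!r} does not exist "
        f"in this forest; choose one of {sorted(sites)} and pass --site=<name>"
    )


def join_argv(realm: str, user: str, server: str, site: str,
              dns_backend: str = "BIND9_DLZ") -> List[str]:
    """Argument list for the join command used in this report, plus --site."""
    return [
        "samba-tool", "domain", "join", realm, "DC",
        f"-U{user}", f"--server={server}", f"--site={site}",
        f"--dns-backend={dns_backend}",
    ]


if __name__ == "__main__":
    chosen = resolve_join_site("192.168.105.1", SUBNETS, SITES)
    print(" ".join(join_argv("tyre24.local", "tyre24.local\\administrator",
                             "PDC01", chosen)))
```

For the addresses in this report the lookup resolves 192.168.105.1 to "Siegelbach", which is the site the first (non --server) attempt in comment 0 did find via CLDAP; an address outside every subnet object raises instead of silently producing Default-First-Site-Name, because that site is absent from this forest.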
*** This bug has been marked as a duplicate of bug 11134 ***