Bug 14046 - WERR_DS_NO_CROSSREF_FOR_NC error when joining Windows domain (2008R2 FL)
Summary: WERR_DS_NO_CROSSREF_FOR_NC error when joining Windows domain (2008R2 FL)
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-07-23 05:06 UTC by Tim Beale
Modified: 2019-08-09 08:14 UTC (History)
1 user (show)

See Also:

This seems to fix the problem (1.69 KB, patch)
2019-07-23 05:06 UTC, Tim Beale
no flags Details
Backport for v4.10 and v4.11 (3.90 KB, patch)
2019-07-26 02:20 UTC, Tim Beale
abartlet: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Beale 2019-07-23 05:06:37 UTC
Created attachment 15318 [details]
This seems to fix the problem

When samba tries to join a Windows domain (2012 DC with functional level set to 2008R2), it can throw an error in DsAddEntry() with the error code WERR_DS_NO_CROSSREF_FOR_NC.

Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
Join failed - cleaning up
Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local
Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
ERROR (runtime): uncaught exception - DsAddEntry failed
  File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run (* args, ** kwargs)
  File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run
    backend_store = backend_store)
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects
    ctx.join_add_ntdsdsa ()
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa
    ctx.DsAddEntry ([REC])
  File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry
    raise RuntimeError ("DsAddEntry failed")

As seen on mailing list: https://lists.samba.org/archive/samba/2019-July/224541.html

This is a problem on Samba v4.10 and v4.11/master. Earlier releases work OK (I tried v4.7 and v4.9).

It looks like the problem might be a python2 vs python3 issue. One work-around for v4.10 (if the samba python2 packages are present) would be to run the samba-tool command under
python2, e.g. '$(which python2) samba-tool domain join...'.

The problem appears to be a list/dictionary ordering problem, so alternatively if you run the command enough times with python3 it might eventually work...
Comment 1 Tim Beale 2019-07-26 02:20:22 UTC
Created attachment 15329 [details]
Backport for v4.10 and v4.11
Comment 2 Andrew Bartlett 2019-07-26 02:23:14 UTC
Please select for 4.10.next and 4.11.0rcNEXT
Comment 3 Garming Sam 2019-07-31 23:47:43 UTC
From discussions with Microsoft, it appears that we may be working around a different underlying behaviour (more details to come). It's fine to fix the releases, but there may be more to do here (probably will open a separate bug though).
Comment 4 Karolin Seeger 2019-08-07 10:52:15 UTC
Pushed to autobuild-v4-{10,11}-test.
Comment 5 Karolin Seeger 2019-08-09 08:14:30 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.