Created attachment 15318
This seems to fix the problem

When samba tries to join a Windows domain (2012 DC with functional level set to 2008R2), it can throw an error in DsAddEntry() with the error code WERR_DS_NO_CROSSREF_FOR_NC.

    Adding CN = NTDS Settings, CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
    DsAddEntry failed with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')
    Join failed - cleaning up
    Deleted CN = SAD, OU = domain controllers, DC = mydom, DC = local
    Deleted CN = SAD, CN = Servers, CN = Default First Site Name, CN = Sites, CN = Configuration, DC = mydom, DC = local
    ERROR (runtime): uncaught exception - DsAddEntry failed
      File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
        return self.run (* args, ** kwargs)
      File "/usr/local/samba/lib/python3.6/site-packages/samba/netcmd/domain.py", line 700, in run
        backend_store = backend_store)
      File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1535, in join_DC
        ctx.do_join ()
      File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 1427, in do_join
        ctx.join_add_objects ()
      File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 669, in join_add_objects
        ctx.join_add_ntdsdsa ()
      File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 594, in join_add_ntdsdsa
        ctx.DsAddEntry ([REC])
      File "/usr/local/samba/lib/python3.6/site-packages/samba/join.py", line 543, in DsAddEntry
        raise RuntimeError ("DsAddEntry failed")

As seen on mailing list: https://lists.samba.org/archive/samba/2019-July/224541.html

This is a problem on Samba v4.10 and v4.11/master. Earlier releases work OK (I tried v4.7 and v4.9).

It looks like the problem might be a python2 vs python3 issue. One work-around for v4.10 (if the samba python2 packages are present) would be to run the samba-tool command under python2, e.g. '$(which python2) samba-tool domain join...'.

The problem appears to be a list/dictionary ordering problem, so alternatively if you run the command enough times with python3 it might eventually work...
Created attachment 15329
Backport for v4.10 and v4.11
Please select for 4.10.next and 4.11.0rcNEXT
From discussions with Microsoft, it appears that we may be working around a different underlying behaviour (more details to come). It's fine to fix the releases, but there may be more to do here (probably will open a separate bug though).
Pushed to autobuild-v4-{10,11}-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!