Can't join a Windows 7 PC to my test domain. Evaluating Samba4 here. 2 W2K8 DCs (offlined), 1 Samba4 DC (the only online DC). The Samba4 DC has seized all roles. No log on the Samba server. Here is my NetSetup.LOG on the client machine:

06/17/2013 12:19:08:872 NetpDsGetDcName: failed to find a DC having account 'PCS0022395V2$': 0x525, last error is 0x0
06/17/2013 12:19:08:872 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:08:872 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:08:872 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:08:872 NetpLoadParameters: status: 0x2
06/17/2013 12:19:08:872 NetpDsGetDcName: status of verifying DNS A record name resolution for 'samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:08:872 NetpDsGetDcName: found DC '\\samba4testserve.sscc.ctd.xxxxx.com' in the specified domain
06/17/2013 12:19:08:872 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/17/2013 12:19:09:043 NetpJoinDomain: status of connecting to dc '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:09:043 NetpProvisionComputerAccount:
06/17/2013 12:19:09:043 lpDomain: sscc.ctd.xxxxx.com
06/17/2013 12:19:09:043 lpMachineName: PCS0022395V2
06/17/2013 12:19:09:043 lpMachineAccountOU: (NULL)
06/17/2013 12:19:09:043 lpDcName: samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:043 lpDnsHostName: (NULL)
06/17/2013 12:19:09:043 lpMachinePassword: (null)
06/17/2013 12:19:09:043 lpAccount: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:09:043 lpPassword: (non-null)
06/17/2013 12:19:09:043 dwJoinOptions: 0x425
06/17/2013 12:19:09:043 dwOptions: 0x40000003
06/17/2013 12:19:09:121 NetpLdapBind: Verified minimum encryption strength on samba4testserve.sscc.ctd.xxxxx.com: 0x0
06/17/2013 12:19:09:121 NetpLdapGetLsaPrimaryDomain: reading domain data
06/17/2013 12:19:09:121 NetpGetNCData: Reading NC data
06/17/2013 12:19:09:121 NetpGetDomainData: Lookup domain data for: DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:09:121 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:09:324 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Crack results: name = SSCC\
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Crack results: Account does not exist
06/17/2013 12:19:09:371 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
06/17/2013 12:19:09:371 NetpProvisionComputerAccount: LDAP creation failed: 0x534
06/17/2013 12:19:09:371 ldap_unbind status: 0x0
06/17/2013 12:19:09:371 NetpJoinDomainOnDs: Function exits with status of: 0x534
06/17/2013 12:19:09:371 NetpJoinDomainOnDs: status of disconnecting from '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:09:371 NetpDoDomainJoin: status: 0x534
06/17/2013 12:19:09:402 -----------------------------------------------------------------
06/17/2013 12:19:09:402 NetpDoDomainJoin
06/17/2013 12:19:09:402 NetpMachineValidToJoin: 'PCS0022395V2'
06/17/2013 12:19:09:402 OS Version: 6.1
06/17/2013 12:19:09:402 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
06/17/2013 12:19:09:402 ServicePack: Service Pack 1
06/17/2013 12:19:09:402 SKU: Windows 7 Professional
06/17/2013 12:19:09:402 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
06/17/2013 12:19:09:402 NetpGetLsaPrimaryDomain: status: 0x0
06/17/2013 12:19:09:402 NetpMachineValidToJoin: status: 0x0
06/17/2013 12:19:09:402 NetpJoinDomain
06/17/2013 12:19:09:402 Machine: PCS0022395V2
06/17/2013 12:19:09:402 Domain: sscc.ctd.xxxxx.com
06/17/2013 12:19:09:402 MachineAccountOU: (NULL)
06/17/2013 12:19:09:402 Account: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:09:402 Options: 0x427
06/17/2013 12:19:09:402 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:09:402 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:09:402 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:09:402 NetpLoadParameters: status: 0x2
06/17/2013 12:19:09:402 NetpValidateName: checking to see if 'sscc.ctd.xxxxx.com' is valid as type 3 name
06/17/2013 12:19:09:402 NetpValidateName: 'sscc.ctd.xxxxx.com' is not a valid NetBIOS domain name: 0x7b
06/17/2013 12:19:09:730 NetpCheckDomainNameIsValid [ Exists ] for 'sscc.ctd.xxxxx.com' returned 0x0
06/17/2013 12:19:09:730 NetpValidateName: name 'sscc.ctd.xxxxx.com' is valid for type 3
06/17/2013 12:19:09:730 NetpDsGetDcName: trying to find DC in domain 'sscc.ctd.xxxxx.com', flags: 0x40001010
06/17/2013 12:19:24:737 NetpDsGetDcName: failed to find a DC having account 'PCS0022395V2$': 0x525, last error is 0x0
06/17/2013 12:19:24:737 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:24:737 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:24:737 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:24:737 NetpLoadParameters: status: 0x2
06/17/2013 12:19:24:737 NetpDsGetDcName: status of verifying DNS A record name resolution for 'samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:24:737 NetpDsGetDcName: found DC '\\samba4testserve.sscc.ctd.xxxxx.com' in the specified domain
06/17/2013 12:19:24:737 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/17/2013 12:19:24:893 NetpJoinDomain: status of connecting to dc '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:24:893 NetpProvisionComputerAccount:
06/17/2013 12:19:24:893 lpDomain: sscc.ctd.xxxxx.com
06/17/2013 12:19:24:893 lpMachineName: PCS0022395V2
06/17/2013 12:19:24:893 lpMachineAccountOU: (NULL)
06/17/2013 12:19:24:893 lpDcName: samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:24:893 lpDnsHostName: (NULL)
06/17/2013 12:19:24:893 lpMachinePassword: (null)
06/17/2013 12:19:24:893 lpAccount: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:24:893 lpPassword: (non-null)
06/17/2013 12:19:24:893 dwJoinOptions: 0x427
06/17/2013 12:19:24:893 dwOptions: 0x40000003
06/17/2013 12:19:24:940 NetpLdapBind: Verified minimum encryption strength on samba4testserve.sscc.ctd.xxxxx.com: 0x0
06/17/2013 12:19:24:940 NetpLdapGetLsaPrimaryDomain: reading domain data
06/17/2013 12:19:24:940 NetpGetNCData: Reading NC data
06/17/2013 12:19:24:940 NetpGetDomainData: Lookup domain data for: DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:24:940 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:25:158 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Crack results: name = SSCC\
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Crack results: Account does not exist
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Cracking Netbios domain name SSCC\ into root DN on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Crack results: name = DC=sscc,DC=ctd,DC=xxxxxx,DC=com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Got DN CN=PCS0022395V2,CN=Computers,DC=sscc,DC=ctd,DC=xxxxx,DC=com from the default computer container
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Initial attribute values:
06/17/2013 12:19:25:174 objectClass = Computer
06/17/2013 12:19:25:174 SamAccountName = PCS0022395V2$
06/17/2013 12:19:25:174 userAccountControl = 0x1000
06/17/2013 12:19:25:174 DnsHostName = PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 ServicePrincipalName = HOST/PCS0022395V2.sscc.ctd.xxxxx.com RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com HOST/PCS0022395V2 RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:174 unicodePwd = <SomePassword>
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Attribute values to set:
06/17/2013 12:19:25:174 objectClass = Computer
06/17/2013 12:19:25:174 SamAccountName = PCS0022395V2$
06/17/2013 12:19:25:174 userAccountControl = 0x1000
06/17/2013 12:19:25:174 DnsHostName = PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 ServicePrincipalName = HOST/PCS0022395V2.sscc.ctd.xxxxx.com RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com HOST/PCS0022395V2 RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:174 unicodePwd = <SomePassword>
06/17/2013 12:19:25:205 NetpMapGetLdapExtendedError: Parsed [0x2035] from server extended error string: 00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com'!
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x3eb
06/17/2013 12:19:25:205 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x3eb
06/17/2013 12:19:25:205 NetpCreateComputerObjectInDsW2K: Try again setting password separately from creation i.e. DC may be W2K
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Crack results: name = SSCC\
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Crack results: Account does not exist
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking Netbios domain name SSCC\ into root DN on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 NetpGetComputerObjectDn: Crack results: name = DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:25:221 NetpGetComputerObjectDn: Got DN CN=PCS0022395V2,CN=Computers,DC=sscc,DC=ctd,DC=xxxxx,DC=com from the default computer container
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Initial attribute values:
06/17/2013 12:19:25:221 objectClass = Computer
06/17/2013 12:19:25:221 SamAccountName = PCS0022395V2$
06/17/2013 12:19:25:221 userAccountControl = 0x1000
06/17/2013 12:19:25:221 DnsHostName = PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 ServicePrincipalName = HOST/PCS0022395V2.sscc.ctd.xxxxx.com RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com HOST/PCS0022395V2 RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Attribute values to set:
06/17/2013 12:19:25:221 objectClass = Computer
06/17/2013 12:19:25:221 SamAccountName = PCS0022395V2$
06/17/2013 12:19:25:221 userAccountControl = 0x1000
06/17/2013 12:19:25:221 DnsHostName = PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 ServicePrincipalName = HOST/PCS0022395V2.sscc.ctd.xxxxx.com RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com HOST/PCS0022395V2 RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:236 NetpMapGetLdapExtendedError: Parsed [0x2035] from server extended error string: 00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com'!
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x3eb
06/17/2013 12:19:25:236 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x3eb
06/17/2013 12:19:25:236 ldap_unbind status: 0x0
06/17/2013 12:19:25:236 NetpJoinDomainOnDs: Function exits with status of: 0x3eb
06/17/2013 12:19:25:236 NetpJoinDomainOnDs: status of disconnecting from '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:25:236 NetpDoDomainJoin: status: 0x3eb
Upgraded to samba 4.0.7, same errors
Upgraded to samba 4.0.9, same errors
(In reply to comment #2)
> Upgraded to samba 4.0.9, same errors

I think we need to have the creation of the RID set be done 'as_system'.
A patch for this is at: http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/rid-set-clive

As to how this happens, what I see is: Samba joins a domain, and joins a DC that is not the RID Master. After startup, because the new server has no RID Set, it attempts to contact the RID Master to get one. If that fails, it can't add users. If Samba is later made the RID master by force (seizing the role), the automatic task to create a RID set won't operate. Instead, the creation of the first user should create the RID set, but because that is an LDAP user in this case, not via samba-tool, the operation is not done 'as system', so it fails. This effectively prevents joining new machines, adding additional domain controllers or adding users to the domain, rendering it inert.

The fix is to have samba-tool dbcheck able to detect a RID master with no RID set, and to have the seize and transfer commands also allocate a RID set if required. The code to add a RID set when adding users also needs to be fixed. Finally, if we join a DC which is the RID master, we should move the RID Set allocation to the join, to make things more failsafe in this common situation.

To test, we will join Samba as a DC to a DC that is the RID master, and confirm that the RID set is present. We will then join Samba as a DC to a DC that is NOT the RID master, and then (offline) seize the role. We will confirm we get a RID Set at this point. Finally, to test the new logic in the patches to fix duplicate SIDs, we will then add 500 users to the live DC, then 'samba-tool drs replicate --local' the changes into the new offline DC, and then add a user locally. This will fail with a RID collision. Running dbcheck should cause us to change the rIDNextRID value until there is no collision.

To test that dbcheck can recover a DC that has already seized the RID manager role (pre upgrade), we will take a copy of the joined DB, do the seize with an LDAP modify, and confirm the dbcheck adds the RID set. This should help cover the case where we are 'given' the RID manager role over DRS. Likewise, to test that adding a user to a DC that has already seized the RID manager role (pre upgrade) works, we will take a copy of the joined DB, do the seize with an LDAP modify, and confirm that samba-tool user add works against the local DB.
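The comment above describes the broken state precisely: a DC that owns the RID Manager FSMO role but has no RID Set object, so every SID allocation (machine join, user add, DC join) fails. The following is an added example, not Samba's code and not part of this bug report, of the offline check a practitioner would run against an LDIF dump of sam.ldb before trusting a seized DC. It follows the same reference chain Samba's ridalloc module relies on (RID Manager$ fSMORoleOwner, then the server object's serverReference, then the DC's rIDSetReferences) and reports when the chain breaks. The domain DN, server name and RID pool values are constructed, since the report redacts the real ones, and the two embedded LDIF samples are made up to show the healthy case beside the seized-by-LDAP-modify case.

```python
"""Offline audit: does the RID Manager FSMO owner actually hold a RID Set?

Added example for this bug thread, not Samba's own code.  It parses a plain
LDIF dump of a domain (samples below are constructed) and follows:
  CN=RID Manager$,CN=System,<domain>   fSMORoleOwner    -> NTDS Settings DN
  parent of NTDS Settings (server)     serverReference  -> DC computer DN
  DC computer object                   rIDSetReferences -> RID Set DN
  RID Set                              rIDAllocationPool / rIDNextRID
A DC made RID master by a bare LDAP modify of fSMORoleOwner owns the role
but has no RID Set, so SID allocation fails until one is created.
"""
from collections import defaultdict

# Constructed names: the report's real domain is redacted, so these are made up.
DOMAIN_DN = "DC=sscc,DC=ctd,DC=example,DC=com"
DC_DN = f"CN=SAMBA4TESTSERVER,OU=Domain Controllers,{DOMAIN_DN}"
SERVER_DN = (f"CN=SAMBA4TESTSERVER,CN=Servers,CN=Default-First-Site-Name,"
             f"CN=Sites,CN=Configuration,{DOMAIN_DN}")
NTDS_DN = f"CN=NTDS Settings,{SERVER_DN}"
RID_SET_DN = f"CN=RID Set,{DC_DN}"


def parse_ldif(text):
    """Minimal LDIF reader -> {dn.lower(): {attr.lower(): [values]}}.
    Joins folded continuation lines; base64 (':: ') values are not handled."""
    entries, current, unfolded = {}, None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    for line in unfolded:
        if not line.strip():
            current = None            # blank line terminates the entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            current[name].append(value)
    return entries


def attr(entry, name):
    """Values of an attribute (LDAP attribute names are case-insensitive)."""
    return entry.get(name.lower(), [])


def parent_dn(dn):
    """Drop the leading RDN; adequate for DNs without escaped commas."""
    return dn.split(",", 1)[1]


def pack_pool(low, high):
    """rIDAllocationPool packs the pool's upper bound in the high 32 bits."""
    return (high << 32) | low


def rid_pool_bounds(pool_value):
    """Inverse of pack_pool: (low, high) from an rIDAllocationPool value."""
    v = int(pool_value)
    return v & 0xFFFFFFFF, v >> 32


def check_rid_master(entries, domain_dn):
    """Return a list of problems; [] means the RID master can hand out RIDs."""
    manager = entries.get(f"CN=RID Manager$,CN=System,{domain_dn}".lower())
    if manager is None or not attr(manager, "fSMORoleOwner"):
        return ["RID Manager$ object missing or has no fSMORoleOwner"]
    ntds_dn = attr(manager, "fSMORoleOwner")[0]
    server = entries.get(parent_dn(ntds_dn).lower())
    if server is None or not attr(server, "serverReference"):
        return [f"server object above {ntds_dn} missing or has no serverReference"]
    dc_dn = attr(server, "serverReference")[0]
    dc = entries.get(dc_dn.lower())
    if dc is None:
        return [f"RID master computer object {dc_dn} not found"]
    refs = attr(dc, "rIDSetReferences")
    if not refs:   # the state this bug report describes
        return [f"RID master {dc_dn} has no rIDSetReferences: no RID Set, SID allocation will fail"]
    rid_set = entries.get(refs[0].lower())
    if rid_set is None:
        return [f"rIDSetReferences points at missing object {refs[0]}"]
    pools = attr(rid_set, "rIDAllocationPool")
    if not pools:
        return [f"{refs[0]} has no rIDAllocationPool"]
    low, high = rid_pool_bounds(pools[0])
    problems = []
    if low > high:
        problems.append(f"{refs[0]} has an inverted pool {low}-{high}")
    next_rids = attr(rid_set, "rIDNextRID")
    if next_rids and int(next_rids[0]) >= high:
        problems.append(f"{refs[0]} pool {low}-{high} exhausted (rIDNextRID={next_rids[0]})")
    return problems


def _sample(with_rid_set):
    """Constructed LDIF: one domain, with and without a RID Set on the role owner."""
    ldif = (f"dn: CN=RID Manager$,CN=System,{DOMAIN_DN}\nobjectClass: rIDManager\n"
            f"fSMORoleOwner: {NTDS_DN}\n\n"
            f"dn: {SERVER_DN}\nobjectClass: server\nserverReference: {DC_DN}\n\n"
            f"dn: {DC_DN}\nobjectClass: computer\n")
    if with_rid_set:
        ldif += (f"rIDSetReferences: {RID_SET_DN}\n\n"
                 f"dn: {RID_SET_DN}\nobjectClass: rIDSet\n"
                 f"rIDAllocationPool: {pack_pool(1100, 1599)}\nrIDNextRID: 1104\n")
    return ldif


HEALTHY = _sample(True)
SEIZED_WITHOUT_RID_SET = _sample(False)   # what an LDAP-modify seize leaves behind


def audit(ldif_text, domain_dn=DOMAIN_DN):
    return check_rid_master(parse_ldif(ldif_text), domain_dn)


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("seized, no RID Set", SEIZED_WITHOUT_RID_SET)):
        print(f"{label}: {audit(sample) or 'ok'}")
```

On a real DC, feed `audit()` the output of an ldbsearch over sam.ldb that includes the RID Manager$ object, the Configuration server object and the Domain Controllers OU; the exhausted-pool check is a bonus over the report's case and only fires when rIDNextRID has reached the top of the pool.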
Created attachment 12620 [details]
specific patch for this issue (for master)

Patches for this will be posted to samba-technical shortly. The exact patch for this is tiny, but we are taking steps to make this much less likely to happen in the future. In particular, that will be by making the 'fsmo seize' operation allocate a RID Set if required, and remotely allocating a RID set at the join when possible.
Comment on attachment 12620 [details]
specific patch for this issue (for master)

This patch is wrong. The issue is (and always has been) that the RELAX flag, and so also the AS_SYSTEM flag, is stripped off by the rootdse module, due to FLAG_TOP_MODULE. We will instead remove the add-on-demand of the RID set, and have dreplsrv create it at startup.
Fixed in master with 815658d2db46e4accdd35f5925585ec1f1c3d74f Hopefully we can land some more patches to have us allocate a RID Set at join time (rather than first boot), but this should at least address the main issue.
Fixed in Samba 4.5.2 with ee07db353f619effa4cb3e789831ae8947aea028