Author Topic: Samba: Could not join to domain, main domain partition problem  (Read 7274 times)

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: Samba: Could not join to domain, main domain partition problem
« Reply #15 on: September 12, 2013, 05:22:18 pm »
You can try that to diagnose, or perform queries about Kerberos services directly on the Windows machine.

For you to have something to compare you should have something similar to this:

Code:
root@zentyal:/home/xavy# dig axfr testing.lan

; <<>> DiG 9.8.1-P1 <<>> axfr testing.lan
;; global options: +cmd
testing.lan. 3600 IN SOA zentyal.testing.lan. hostmaster.testing.lan. 3 900 600 86400 0
testing.lan. 900 IN NS zentyal.testing.lan.
testing.lan. 259200 IN A 192.168.15.1
_msdcs.testing.lan. 900 IN NS zentyal.testing.lan.
zentyal.testing.lan. 259200 IN A 192.168.15.1
xavy-PC.testing.lan. 1200 IN A 192.168.15.100
_gc._tcp.testing.lan. 900 IN SRV 0 100 3268 zentyal.testing.lan.
_ldap._tcp.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_kpasswd._udp.testing.lan. 900 IN SRV 0 100 464 zentyal.testing.lan.
_kpasswd._tcp.testing.lan. 900 IN SRV 0 100 464 zentyal.testing.lan.
_kerberos._udp.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
_kerberos._tcp.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
ForestDnsZones.testing.lan. 900 IN A 192.168.15.1
DomainDnsZones.testing.lan. 900 IN A 192.168.15.1
_ldap._tcp.ForestDnsZones.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_ldap._tcp.DomainDnsZones.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_gc._tcp.Default-First-Site-Name._sites.testing.lan. 900 IN SRV 0 100 3268 zentyal.testing.lan.
_ldap._tcp.Default-First-Site-Name._sites.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_kerberos._tcp.Default-First-Site-Name._sites.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
testing.lan. 3600 IN SOA zentyal.testing.lan. hostmaster.testing.lan. 3 900 600 86400 0
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 17:19:44 2013
;; XFR size: 22 records (messages 1, bytes 1000)
These are the entries that you need to test:

_kerberos._tcp.Default-First-Site-Name._sites.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
_kpasswd._udp.testing.lan. 900   IN   SRV   0 100 464 zentyal.testing.lan.
_kpasswd._tcp.testing.lan. 900   IN   SRV   0 100 464 zentyal.testing.lan.
_kerberos._udp.testing.lan. 900   IN   SRV   0 100 88 zentyal.testing.lan.
_kerberos._tcp.testing.lan. 900   IN   SRV   0 100 88 zentyal.testing.lan.

Another possibility is to get the DNS results, revert the changes made to DNS, and compare them.
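
Added example, not part of the original post: a POSIX shell check that reads saved `dig axfr` output and reports which of the five Kerberos/kpasswd SRV records listed above are missing or on the wrong port. The function names and the embedded sample (built from the `testing.lan` records shown in the post) are assumptions for illustration.

```shell
#!/bin/sh
# missing_krb_srv DOMAIN [SITE] < axfr-output   (hypothetical helper name)
# Prints "owner port" for each required SRV record that is absent or has a
# different port; exit status is 0 only when all five are present.
missing_krb_srv() {
    domain=$1
    site=${2:-Default-First-Site-Name}
    awk -v d="$domain" -v s="$site" '
        BEGIN {
            # DNS names are case-insensitive, so compare in lower case.
            need[tolower("_kerberos._tcp." s "._sites." d ".")] = 88
            need[tolower("_kerberos._tcp." d ".")] = 88
            need[tolower("_kerberos._udp." d ".")] = 88
            need[tolower("_kpasswd._tcp." d ".")] = 464
            need[tolower("_kpasswd._udp." d ".")] = 464
        }
        # dig record line: owner ttl class type priority weight port target
        $3 == "IN" && $4 == "SRV" {
            k = tolower($1)
            if ((k in need) && $7 + 0 == need[k]) seen[k] = 1
        }
        END {
            bad = 0
            for (n in need) if (!(n in seen)) { print n, need[n]; bad = 1 }
            exit bad
        }'
}

# Constructed sample input: a subset of the zone transfer shown in the post.
sample_axfr() {
    cat <<'EOF'
; <<>> DiG 9.8.1-P1 <<>> axfr testing.lan
testing.lan. 900 IN NS zentyal.testing.lan.
_ldap._tcp.testing.lan. 900 IN SRV 0 100 389 zentyal.testing.lan.
_kpasswd._udp.testing.lan. 900 IN SRV 0 100 464 zentyal.testing.lan.
_kpasswd._tcp.testing.lan. 900 IN SRV 0 100 464 zentyal.testing.lan.
_kerberos._udp.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
_kerberos._tcp.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
_kerberos._tcp.Default-First-Site-Name._sites.testing.lan. 900 IN SRV 0 100 88 zentyal.testing.lan.
EOF
}

# Stand-alone demo on the constructed sample.
sample_axfr | missing_krb_srv testing.lan && echo "all Kerberos SRV records present"
```

Against a live server, pipe the real transfer into the function, for example `dig axfr testing.lan | missing_krb_srv testing.lan`.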

revilop

  • Zen Apprentice
« Reply #16 on: September 12, 2013, 05:37:36 pm »
So after a reboot, zentyal.log reads:

Code:
2013/09/12 16:17:16 INFO> NTP.pm:57 EBox::NTP::appArmorProfiles - Setting NTP apparmor profile
2013/09/12 16:17:16 INFO> Service.pm:949 EBox::Module::Service::restartService - Restarting service for module: users
2013/09/12 16:17:16 ERROR> Ldap.pm:835 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi: connect: No such file or directory. Retrying
2013/09/12 16:17:16 ERROR> Ldap.pm:835 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi: connect: Connection refused. Retrying
2013/09/12 16:17:17 INFO> Ldap.pm:846 EBox::Ldap::safeConnect - LDAP reconnect successful
2013/09/12 16:17:18 INFO> Service.pm:949 EBox::Module::Service::restartService - Restarting service for module: samba
2013/09/12 16:17:19 INFO> Provision.pm:682 EBox::Samba::Provision::checkAddress - Resolving win.contoso.local to an IP address
2013/09/12 16:17:19 INFO> Provision.pm:702 EBox::Samba::Provision::checkAddress - The DC win.contoso.local has been resolved to 10.0.1.2
2013/09/12 16:17:19 INFO> Provision.pm:705 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '10.0.1.2'...
2013/09/12 16:17:19 INFO> Provision.pm:726 EBox::Samba::Provision::checkAddress - The IP address 10.0.1.2 has been resolved to win.contoso.local
2013/09/12 16:17:19 INFO> Provision.pm:628 EBox::Samba::Provision::checkServerReachable - Checking if AD server '10.0.1.2' is online...
2013/09/12 16:17:19 INFO> Provision.pm:738 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2013/09/12 16:17:19 INFO> Provision.pm:647 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2013/09/12 16:17:19 INFO> Provision.pm:806 EBox::Samba::Provision::__ANON__ - Checking clock skew with AD server...
2013/09/12 16:17:19 INFO> Provision.pm:827 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enought.
2013/09/12 16:17:19 INFO> Provision.pm:547 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition...
2013/09/12 16:17:19 INFO> Provision.pm:594 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2013/09/12 16:17:19 INFO> Provision.pm:766 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2013/09/12 16:17:19 INFO> Provision.pm:868 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2013/09/12 16:17:19 INFO> Provision.pm:876 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2013/09/12 16:17:19 INFO> Provision.pm:893 EBox::Samba::Provision::checkADNebiosName - Checking domain netbios name...
2013/09/12 16:17:19 INFO> Provision.pm:992 EBox::Samba::Provision::__ANON__ - Joining to domain 'contoso.local' as DC
2013/09/12 16:17:19 INFO> Provision.pm:1009 EBox::Samba::Provision::__ANON__ - Trying to get a kerberos ticket for principal 'Administrator@contoso.LOCAL'
2013/09/12 16:17:20 INFO> Provision.pm:1018 EBox::Samba::Provision::__ANON__ - Executing domain join
2013/09/12 16:17:53 INFO> SysvolSync.pm:204 EBox::Samba::SysvolSync::run - Samba sysvol synchronizer script started
2013/09/12 16:17:57 INFO> Provision.pm:1052 EBox::Samba::Provision::__ANON__ - Running DNS update on remote DC
2013/09/12 16:17:58 INFO> Provision.pm:1057 EBox::Samba::Provision::__ANON__ - Running KCC on remote DC
2013/09/12 16:18:04 INFO> Provision.pm:1064 EBox::Samba::Provision::__ANON__ - Purging the Zentyal LDAP to import Samba users
2013/09/12 16:18:04 INFO> LDB.pm:528 EBox::LDB::ldapServicePrincipalsToLdb - Loading Zentyal service principals into samba database
2013/09/12 16:18:04 INFO> Provision.pm:339 EBox::Samba::Provision::mapAccounts - Mapping domain administrator account
2013/09/12 16:18:04 INFO> User.pm:467 EBox::Samba::User::addToZentyal - Adding samba user 'Administrator' to Zentyal
2013/09/12 16:18:04 DEBUG> LdbObject.pm:255 EBox::Samba::LdbObject::save - There was an error updating LDAP: 0000200A: objectclass_attrs: attribute 'uidNumber' on entry 'CN=Administrator,CN=Users,DC=contoso,DC=local' was not found in the schema!
2013/09/12 16:18:04 ERROR> Service.pm:954 EBox::Module::Service::__ANON__ - Error restarting service: There was an error updating LDAP: 0000200A: objectclass_attrs: attribute 'uidNumber' on entry 'CN=Administrator,CN=Users,DC=contoso,DC=local' was not found in the schema!

jbahillo

  • Zentyal Staff
  • Zen Hero
« Reply #17 on: September 12, 2013, 05:50:02 pm »
Try this:

/usr/share/zentyal/purge-module dns
/usr/share/zentyal/purge-module users
/usr/share/zentyal/purge-module samba
/usr/share/zentyal/unconfigure-module dns
/usr/share/zentyal/unconfigure-module users
/usr/share/zentyal/unconfigure-module samba
/etc/init.d/zentyal apache restart
rm /home/samba/.provisioned
And then enable those modules and start the joining process over again.

revilop

  • Zen Apprentice
« Reply #18 on: October 19, 2013, 07:06:54 pm »
I have to install on the SBS box the Unix extensions to AD. This will map the GUID from Windows to Zentyal.