Cannot join a fresh Zentyal 6.2 to the domain

[devnull]

I have a fresh Zentyal 6.2 installed. I'm trying to join it to the windows domain (set as ADC Controller). Unfortunately something is going wrong.


This is what I have found in the zentyal.log:

Code: [Select]

2020/11/17 11:20:26 INFO> GlobalImpl.pm:617 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: firewall sysinfo audit samba mailfilter mail logs
2020/11/17 11:20:26 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: firewall
2020/11/17 11:20:27 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: sysinfo
2020/11/17 11:20:27 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: audit
2020/11/17 11:20:27 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: samba
2020/11/17 11:20:28 INFO> Provision.pm:810 EBox::Samba::Provision::checkAddress - Resolving pss-serwer.dom1.local to an IP address
2020/11/17 11:20:28 INFO> Provision.pm:830 EBox::Samba::Provision::checkAddress - The DC pss-serwer.dom1.local has been resolved to 192.168.16.2
2020/11/17 11:20:28 INFO> Provision.pm:833 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '192.168.16.2'...
2020/11/17 11:20:28 INFO> Provision.pm:857 EBox::Samba::Provision::checkAddress - The IP address 192.168.16.2 does not have associated PTR record
2020/11/17 11:20:28 INFO> Provision.pm:756 EBox::Samba::Provision::checkServerReachable - Checking if AD server '192.168.16.2' is online...
2020/11/17 11:20:28 INFO> Provision.pm:866 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2020/11/17 11:20:28 INFO> Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema...
2020/11/17 11:20:28 INFO> Provision.pm:775 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2020/11/17 11:20:28 INFO> Provision.pm:972 EBox::Samba::Provision::checkClockSkew - Checking clock skew with AD server...
2020/11/17 11:20:28 INFO> Provision.pm:993 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enough.
2020/11/17 11:20:28 INFO> Provision.pm:675 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition...
2020/11/17 11:20:28 INFO> Provision.pm:722 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2020/11/17 11:20:28 INFO> Provision.pm:932 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2020/11/17 11:20:28 INFO> Provision.pm:1034 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2020/11/17 11:20:28 INFO> Provision.pm:1042 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2020/11/17 11:20:28 INFO> Provision.pm:1059 EBox::Samba::Provision::checkADNebiosName - Checking domain netbios name...
2020/11/17 11:20:29 INFO> Provision.pm:1286 EBox::Samba::Provision::provisionADC - Joining to domain 'dom1.local' as DC
2020/11/17 11:20:31 INFO> Provision.pm:1299 EBox::Samba::Provision::provisionADC - Trying to get a kerberos ticket for principal 'Admin@dom1.LOCAL'
2020/11/17 11:20:31 INFO> Provision.pm:1308 EBox::Samba::Provision::provisionADC - Executing domain join

 ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
2020/11/17 11:22:16 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command samba-tool domain join dom1.local DC  --username='Admin'  --workgroup='dom1'  --password=`cat /var/lib/zentyal/tmp/wlKk0l`  --server='192.168.16.2'  --dns-backend=BIND9_DLZ  --realm='dom1.LOCAL'  --site='Default-First-Site-Name'  failed.
 ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
 ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
2020/11/17 11:22:22 ERROR> GlobalImpl.pm:653 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: root command samba-tool domain join dom1.local DC  --username='Admin'  --workgroup='dom1'  --password=`cat /var/lib/zentyal/tmp/wlKk0l`  --server='192.168.16.2'  --dns-backend=BIND9_DLZ  --realm='dom1.LOCAL'  --site='Default-First-Site-Name'  failed.


2020/11/17 11:22:16 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command samba-tool domain join dom1.local DC  --username='Admin'  --workgroup='dom1'  --password=`cat /var/lib/zentyal/tmp/wlKk0l`  --server='192.168.16.2'  --dns-backend=BIND9_DLZ  --realm='dom1.LOCAL'  --site='Default-First-Site-Name'  failed.
2020/11/17 11:22:16 INFO> Provision.pm:299 EBox::Samba::Provision::setupKerberos - Setting up kerberos
2020/11/17 11:22:16 INFO> Provision.pm:276 EBox::Samba::Provision::setupDNS - Setting up DNS
2020/11/17 11:22:16 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2020/11/17 11:22:17 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2020/11/17 11:22:22 ERROR> GlobalImpl.pm:653 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: root command samba-tool domain join dom1.local DC  --username='Admin'  --workgroup='dom1'  --password=`cat /var/lib/zentyal/tmp/wlKk0l`  --server='192.168.16.2'  --dns-backend=BIND9_DLZ  --realm='dom1.LOCAL'  --site='Default-First-Site-Name'  failed.

Any suggestions?

[doncamilo]

 

It could be useful enabling the Zentyal debugging mode:

Code: [Select]

sudo su -
sed -i 's/^debug = no/debug = yes/' /etc/zentyal/zentyal.conf
zs webadmin restart

Configure the samba module as a stand-alone server to generate a valid configuration and proceed to join Zentyal one more time as an additional domain controller.

If it fails, paste here the zentyal.log.

Cheers!

[devnull]

Thanks for your response. I've set up a standalone server without problems, enabled debugging and then tried to switch to ADC mode. This unfortunately has failed again. I couldn't attach a Zentyal.log to this post, so pasted here instead: https://drive.google.com/file/d/1BQgOvmcnJkOIgMzmJwC-lGqQQiRhP56S/view

[doncamilo]

 

You should try to do it by hand https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory Zentyal will read the samba database when rebooting after joining to the domain.

Cheers!

[devnull]

I've tried joining domain via cmd

Code: [Select]

samba-tool domain join test.local DC -U"test\admin"
It fails after

Code: [Select]

Adding 1 remote DNS records for MA.test.local
a few last lines:

Code: [Select]

Committing SAM database
Adding 1 remote DNS records for MA.test.local
Join failed - cleaning up
Deleted CN=RID Set,CN=MA,OU=Domain Controllers,DC=test,DC=local
Deleted CN=MA,OU=Domain Controllers,DC=test,DC=local
Deleted CN=NTDS Settings,CN=MA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
Deleted CN=MA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1384, in do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1084, in join_add_dns_records
    del_rec_buf)

It seems it has a problem communicating the DNS server on PDC. DNS server looks good, I've joined another Windows Server to the AD and this went fine, so this issue is specific to Samba4 and Windows Server.

[doncamilo]

 

The PDC is refusing to create the new ADC DNS records.
Did you check the logs of the Windows Server? Please, paste here the events regarding this issue.

Cheers!