AD takeover could not find machine account

Hi All,
I am facing an issue while performing the AD takeover process.
The present scenario is Samba4 version 4.0.5 on Ubuntu 10; client machines are Windows and Ubuntu desktops. I wanted to migrate it to UCS as some Windows 10 clients are not joining the existing Samba4 domain.
I have installed UCS 4.2.2 and configured the same domain name as the existing one, with a different IP in the same subnet.
The error logs are as follows.

Could not find machine account in secrets database: Failed to fetch machine account password for EXAMPLEDOMAIN from both secrets.ldb (Could not find entry to match filter: ‘(&(flatname=EXAMPLEDOMAIN)(objectclass=primaryDomain))’ base: ‘cn=Primary Domains’: No such object: dsdb_search at …/source4/dsdb/common/util.c:4576) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2017-11-15 14:01:00,840 ERROR(runtime): uncaught exception - (8203, ‘WERR_DS_INVALID_ATTRIBUTE_SYNTAX’)

Thanks
Ilesh

Good Afternoon ileshwart,

  • You can post the output of testparm -vs on the Ubuntu server. Then you can check which role is activated, i.e. if the SAMBA AD DC role is activated.

  • This role has to be activated for AD takeover to be successful.

Regards.
Anna Takang

Hi Anna Takang,

Thanks for your reply. Right now I am not at the server, but I have the configuration of Ubuntu server smb.conf as follows.

# Global parameters
[global]
    server role = active directory domain controller
    workgroup = EXAMPLEDOMAIN
    realm = exampledomain.com
    netbios name = BBIL15
    browseable = yes
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    dcerpc endpoint servers = +winreg +srvsvc

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/exampledomain.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[data]
    path = /data
    read only = No
    browseable = yes

Thanks
Ilesh

Good day ileshwart,

I can see the SAMBA AD DC role is activated. You can also post the /var/log/univention/ad-takeover.log log from the UCS.

Regards
Anna Takang

Hi Anna Takang,

I was busy with the other assignment; the takeover log is as follows.

14.11.17 13:42:34.359 DEBUG_INIT
14.11.17 13:42:35.002 MODULE ( PROCESS ) : Loading python module.
14.11.17 13:42:35.095 MODULE ( PROCESS ) : Imported python module.
14.11.17 13:42:35.096 MODULE ( PROCESS ) : Module instance created.
14.11.17 13:42:35.096 MODULE ( PROCESS ) : Module socket initialized.
14.11.17 13:42:35.120 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
14.11.17 13:42:35.120 MODULE ( PROCESS ) : Setting auth type to None
14.11.17 13:42:35.120 MODULE ( PROCESS ) : Initializing module.
14.11.17 13:42:52.520 MODULE ( PROCESS ) : Running connect
14.11.17 13:42:52.520 MODULE ( PROCESS ) : ### Connecting to 10.10.30.40 ###
14.11.17 13:42:52.581 MODULE ( PROCESS ) : Authenticating
14.11.17 13:42:52.647 MODULE ( PROCESS ) : Retrieving information from AD DC
14.11.17 13:42:56.619 MODULE ( PROCESS ) : Running copy_domain_data
14.11.17 13:42:56.619 MODULE ( PROCESS ) : ### Connecting to 10.10.30.40 ###
14.11.17 13:42:56.635 MODULE ( PROCESS ) : ### Authenticating ###
14.11.17 13:42:56.673 MODULE ( PROCESS ) : ### Synchronizing system clock ###
14.11.17 13:42:56.686 MODULE ( PROCESS ) : ### Joining the domain ###
14.11.17 13:43:04.809 MODULE ( PROCESS ) : Copying Schema partition
14.11.17 13:43:07.101 MODULE ( PROCESS ) : Copying CN=Configuration
14.11.17 13:43:27.961 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
14.11.17 13:53:28.221 MAIN ( WARN ) : Shutting down all open connections
14.11.17 14:48:02.436 DEBUG_INIT
14.11.17 14:48:03.194 MODULE ( PROCESS ) : Loading python module.
14.11.17 14:48:03.289 MODULE ( PROCESS ) : Imported python module.
14.11.17 14:48:03.290 MODULE ( PROCESS ) : Module instance created.
14.11.17 14:48:03.290 MODULE ( PROCESS ) : Module socket initialized.
14.11.17 14:48:03.338 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
14.11.17 14:48:03.338 MODULE ( PROCESS ) : Setting auth type to None
14.11.17 14:48:03.338 MODULE ( PROCESS ) : Initializing module.
14.11.17 14:48:22.131 MODULE ( PROCESS ) : Running connect
14.11.17 14:48:22.131 MODULE ( PROCESS ) : ### Connecting to 10.10.30.40 ###
14.11.17 14:48:22.189 MODULE ( PROCESS ) : Authenticating
14.11.17 14:48:22.237 MODULE ( PROCESS ) : Retrieving information from AD DC
14.11.17 14:48:36.931 MODULE ( PROCESS ) : Running copy_domain_data
14.11.17 14:48:36.931 MODULE ( PROCESS ) : ### Connecting to 10.10.30.40 ###
14.11.17 14:48:36.947 MODULE ( PROCESS ) : ### Authenticating ###
14.11.17 14:48:36.984 MODULE ( PROCESS ) : ### Synchronizing system clock ###
14.11.17 14:48:36.996 MODULE ( PROCESS ) : ### Joining the domain ###
14.11.17 14:48:45.407 MODULE ( PROCESS ) : Copying Schema partition
14.11.17 14:48:47.689 MODULE ( PROCESS ) : Copying CN=Configuration
14.11.17 14:49:08.400 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
14.11.17 14:59:09.069 MAIN ( WARN ) : Shutting down all open connections
14.11.17 15:03:09.878 DEBUG_INIT
14.11.17 15:03:10.527 MODULE ( PROCESS ) : Loading python module.
14.11.17 15:03:10.619 MODULE ( PROCESS ) : Imported python module.
14.11.17 15:03:10.620 MODULE ( PROCESS ) : Module instance created.
14.11.17 15:03:10.620 MODULE ( PROCESS ) : Module socket initialized.
14.11.17 15:03:10.642 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
14.11.17 15:03:10.642 MODULE ( PROCESS ) : Setting auth type to None
14.11.17 15:03:10.642 MODULE ( PROCESS ) : Initializing module.
14.11.17 15:03:27.641 MODULE ( PROCESS ) : Running connect
14.11.17 15:03:27.641 MODULE ( PROCESS ) : ### Connecting to 10.10.30.48 ###
14.11.17 15:03:27.695 MODULE ( PROCESS ) : Authenticating
14.11.17 15:03:27.732 MODULE ( WARN ) : Error during connect: The selected Active Directory server has the same NTDS GUID as this UCS server.
14.11.17 15:13:28.104 MAIN ( WARN ) : Shutting down all open connections
15.11.17 13:36:08.550 DEBUG_INIT
15.11.17 13:36:09.227 MODULE ( PROCESS ) : Loading python module.
15.11.17 13:36:09.318 MODULE ( PROCESS ) : Imported python module.
15.11.17 13:36:09.318 MODULE ( PROCESS ) : Module instance created.
15.11.17 13:36:09.319 MODULE ( PROCESS ) : Module socket initialized.
15.11.17 13:36:09.365 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
15.11.17 13:36:09.365 MODULE ( PROCESS ) : Setting auth type to None
15.11.17 13:36:09.365 MODULE ( PROCESS ) : Initializing module.
15.11.17 13:41:30.463 MODULE ( PROCESS ) : Running connect
15.11.17 13:41:30.463 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 13:41:30.522 MODULE ( PROCESS ) : Authenticating
15.11.17 13:41:31.629 MODULE ( PROCESS ) : Retrieving information from AD DC
15.11.17 13:41:40.964 MODULE ( PROCESS ) : Running copy_domain_data
15.11.17 13:41:40.964 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 13:41:40.982 MODULE ( PROCESS ) : ### Authenticating ###
15.11.17 13:41:43.883 MODULE ( PROCESS ) : ### Synchronizing system clock ###
15.11.17 13:41:43.899 MODULE ( PROCESS ) : ### Joining the domain ###
15.11.17 13:41:43.919 MODULE ( PROCESS ) : Remove service AD Member from localhost
15.11.17 13:41:44.894 MODULE ( PROCESS ) : Revert UCR settings
15.11.17 13:41:44.894 MODULE ( PROCESS ) : Unsetting UCR variables: [u’ad/member’, u’directory/manager/web/modules/users/user/display’, u’kerberos/defaults/dns_lookup_kdc’, u’directory/manager/web/modules/computers/computer/show/adnotification’, u’directory/manager/web/modules/groups/group/show/adnotification’, u’directory/manager/web/modules/users/user/show/adnotification’, u’directory/manager/web/modules/dns/dns/show/adnotification’]
15.11.17 13:41:44.995 MODULE ( PROCESS ) : Setting UCR variables: [u’nameserver/external=false’]
15.11.17 13:41:45.059 MODULE ( PROCESS ) : Revert connector settings
15.11.17 13:41:45.059 MODULE ( PROCESS ) : Unsetting UCR variables: [u’connector/ad/ldap/host’, u’connector/ad/ldap/base’, u’connector/ad/ldap/binddn’, u’connector/ad/ldap/bindpw’, u’connector/ad/ldap/kerberos’, u’connector/ad/mapping/syncmode’, u’connector/ad/mapping/user/ignorelist’]
15.11.17 14:00:52.766 MODULE ( PROCESS ) : Copying Schema partition
15.11.17 14:00:55.137 MODULE ( PROCESS ) : Copying CN=Configuration
15.11.17 14:01:17.532 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
15.11.17 14:11:17.988 MAIN ( WARN ) : Shutting down all open connections
15.11.17 14:17:15.616 DEBUG_INIT
15.11.17 14:17:16.261 MODULE ( PROCESS ) : Loading python module.
15.11.17 14:17:16.353 MODULE ( PROCESS ) : Imported python module.
15.11.17 14:17:16.353 MODULE ( PROCESS ) : Module instance created.
15.11.17 14:17:16.353 MODULE ( PROCESS ) : Module socket initialized.
15.11.17 14:17:16.381 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
15.11.17 14:17:16.381 MODULE ( PROCESS ) : Setting auth type to None
15.11.17 14:17:16.381 MODULE ( PROCESS ) : Initializing module.
15.11.17 14:17:43.179 MODULE ( PROCESS ) : Running connect
15.11.17 14:17:43.179 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:17:43.237 MODULE ( PROCESS ) : Authenticating
15.11.17 14:17:43.348 MODULE ( PROCESS ) : Retrieving information from AD DC
15.11.17 14:17:46.753 MODULE ( PROCESS ) : Running copy_domain_data
15.11.17 14:17:46.753 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:17:48.545 MODULE ( PROCESS ) : ### Authenticating ###
15.11.17 14:17:48.641 MODULE ( PROCESS ) : ### Synchronizing system clock ###
15.11.17 14:17:48.656 MODULE ( PROCESS ) : ### Joining the domain ###
15.11.17 14:26:46.631 MODULE ( PROCESS ) : Copying Schema partition
15.11.17 14:26:49.056 MODULE ( PROCESS ) : Copying CN=Configuration
15.11.17 14:27:10.113 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
15.11.17 14:37:10.239 MAIN ( WARN ) : Shutting down all open connections
15.11.17 14:46:25.669 DEBUG_INIT
15.11.17 14:46:26.299 MODULE ( PROCESS ) : Loading python module.
15.11.17 14:46:26.388 MODULE ( PROCESS ) : Imported python module.
15.11.17 14:46:26.388 MODULE ( PROCESS ) : Module instance created.
15.11.17 14:46:26.388 MODULE ( PROCESS ) : Module socket initialized.
15.11.17 14:46:26.434 MODULE ( PROCESS ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=exampledomain,dc=com’
15.11.17 14:46:26.434 MODULE ( PROCESS ) : Setting auth type to None
15.11.17 14:46:26.434 MODULE ( PROCESS ) : Initializing module.
15.11.17 14:46:44.862 MODULE ( PROCESS ) : Running connect
15.11.17 14:46:44.862 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:46:44.921 MODULE ( PROCESS ) : Authenticating
15.11.17 14:46:45.032 MODULE ( PROCESS ) : Retrieving information from AD DC
15.11.17 14:46:47.738 MODULE ( PROCESS ) : Running copy_domain_data
15.11.17 14:46:47.738 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:46:49.329 MODULE ( PROCESS ) : ### Authenticating ###
15.11.17 14:46:49.432 MODULE ( PROCESS ) : ### Synchronizing system clock ###
15.11.17 14:46:49.448 MODULE ( PROCESS ) : ### Joining the domain ###
15.11.17 14:51:22.010 MODULE ( PROCESS ) : Copying Schema partition
15.11.17 14:51:24.399 MODULE ( PROCESS ) : Copying CN=Configuration
15.11.17 14:51:45.698 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
15.11.17 14:53:32.201 MODULE ( PROCESS ) : Running connect
15.11.17 14:53:32.201 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:53:32.222 MODULE ( PROCESS ) : Authenticating
15.11.17 14:53:32.325 MODULE ( PROCESS ) : Retrieving information from AD DC
15.11.17 14:53:34.588 MODULE ( PROCESS ) : Running copy_domain_data
15.11.17 14:53:34.588 MODULE ( PROCESS ) : ### Connecting to bbil15.exampledomain.com ###
15.11.17 14:53:34.607 MODULE ( PROCESS ) : ### Authenticating ###
15.11.17 14:53:34.702 MODULE ( PROCESS ) : ### Synchronizing system clock ###
15.11.17 14:53:34.713 MODULE ( PROCESS ) : ### Joining the domain ###
15.11.17 15:00:23.927 MODULE ( PROCESS ) : Copying Schema partition
15.11.17 15:00:26.329 MODULE ( PROCESS ) : Copying CN=Configuration
15.11.17 15:00:38.077 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed. See /var/log/univention/ad-takeover.log for details.
15.11.17 15:10:38.242 MAIN ( WARN ) : Shutting down all open connections
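
To read a log like the one above attempt by attempt, the following added example (not part of the thread and not Univention code) groups the lines by "Running connect" and reports the target, the last step reached and the first error of each attempt. The function name `summarize_attempts` is hypothetical and the sample lines are constructed in the format of the posted log.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log posted above (not the full log).
SAMPLE_LOG = """\
14.11.17 14:48:22.131 MODULE ( PROCESS ) : Running connect
14.11.17 14:48:22.131 MODULE ( PROCESS ) : ### Connecting to 10.10.30.40 ###
14.11.17 14:48:36.996 MODULE ( PROCESS ) : ### Joining the domain ###
14.11.17 14:48:47.689 MODULE ( PROCESS ) : Copying CN=Configuration
14.11.17 14:49:08.400 MODULE ( WARN ) : Error during copy_domain_data: The domain join failed.
14.11.17 15:03:09.878 DEBUG_INIT
14.11.17 15:03:27.641 MODULE ( PROCESS ) : Running connect
14.11.17 15:03:27.641 MODULE ( PROCESS ) : ### Connecting to 10.10.30.48 ###
14.11.17 15:03:27.695 MODULE ( PROCESS ) : Authenticating
14.11.17 15:03:27.732 MODULE ( WARN ) : Error during connect: The selected Active Directory server has the same NTDS GUID as this UCS server.
"""

LINE = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\w+)\s*\(\s*(\w+)\s*\)\s*:\s*(.*)$")
TARGET = re.compile(r"### Connecting to (\S+) ###")

def summarize_attempts(text):
    """Split the log into takeover attempts and report where each one failed."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                       # DEBUG_INIT and blank lines carry no step
            continue
        ts = datetime.strptime(m.group(1), "%d.%m.%y %H:%M:%S.%f")
        level, msg = m.group(3), m.group(4)
        if msg == "Running connect":    # each attempt starts with the connect phase
            cur = {"start": ts, "target": None, "last_step": None,
                   "error": None, "seconds_to_error": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif level == "WARN" and msg.startswith("Error during") and cur["error"] is None:
            cur["error"] = msg
            cur["seconds_to_error"] = round((ts - cur["start"]).total_seconds(), 3)
        elif level == "PROCESS" and cur["error"] is None:
            t = TARGET.search(msg)
            if t:
                cur["target"] = t.group(1)
            else:
                cur["last_step"] = msg
    return attempts

if __name__ == "__main__":
    for a in summarize_attempts(SAMPLE_LOG):
        print(a["target"], "|", a["last_step"], "|", a["error"])
```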

Hi,
And one more thing: I have joined UCS as a member, and it successfully joined and synced all the users and groups.
Now guide me on how to promote it to Master, or whether AD takeover is the better option.

Thanks
Ilesh

Good day ileshwart,

Is it possible for you to upgrade your system? I think this will be good as the system is old and there is no longer support for Ubuntu 10.

It is preferable that you install the AD Takeover software on the member server, to have it take up the job of the Ubuntu AD.

An alternative can be, depending on how big your company is, i.e. how many users and computers you have, to have UCS play the role of the AD DC instead of the Ubuntu, by manually installing Samba4, i.e. the Active Directory-compatible Domain Controller, from the Univention App Center (can be reached from the UMC). After that, you then have to carry out a manual transfer of the users and computers to it.

Regards

Anna Takang
