[Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

Andrew Bartlett Sat, 12 Oct 2013 11:56:08 -0700

On Fri, 2013-10-11 at 12:06 -0300, Jacó Ramos wrote:
> Hi guys,
> 
> When run join in DC
> 
> root@samba4:~# samba-tool domain join jacoramos.net.br DC -Uadministrador
> --realm=jacoramos.net.br --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'jacoramos.net.br'
> Found DC win2003.jacoramos.net.br
> Password for [WORKGROUP\administrador]:
> workgroup is JACORAMOS
> realm is jacoramos.net.br
> checking sAMAccountName
> Adding CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Adding
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding SPNs to CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Setting account password for SAMBA4$
> Enabling account
> Adding DNS account CN=dns-SAMBA4,CN=Users,DC=jacoramos,DC=net,DC=br with
> dns/ SPN
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Deleted
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
> <0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
> > <>
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1169, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1072, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 616, in join_add_objects
>     ctx.samdb.add(msg)
> root@samba4:~#


Sorry about that.   Try the attached patch. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

>From db44a43564a5a994184986e5bf5d059512ff5695 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Sun, 13 Oct 2013 07:40:58 +1300
Subject: [PATCH] provision: Do not set dns-HOSTNAME password during add

Windows servers do not accept password set using clearTextPassword (a
samba only thing), so change it after the creation using the standard routines.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abart...@samba.org>
---
 python/samba/join.py                       | 1 -
 python/samba/provision/__init__.py         | 6 ++++++
 source4/setup/provision_dns_add_samba.ldif | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/samba/join.py b/python/samba/join.py
index 9cac8f5..c52ffdb 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -608,7 +608,6 @@ class dc_join(object):
                                                                 {"DNSDOMAIN": ctx.dnsdomain,
                                                                  "DOMAINDN": ctx.base_dn,
                                                                  "HOSTNAME" : ctx.myname,
-                                                                 "DNSPASS_B64": b64encode(ctx.dnspass),
                                                                  "DNSNAME" : ctx.dnshostname}))
             for changetype, msg in recs:
                 assert changetype == ldb.CHANGETYPE_NONE
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index d8f353f..a31132a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1127,6 +1127,12 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
               "DNSNAME" : '%s.%s' % (
                   names.netbiosname.lower(), names.dnsdomain.lower())
               })
+        samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+                          % ldb.binary_encode(names.hostname),
+                          dnspass,
+                          force_change_at_next_login=False,
+                          username="dns-%s"
+                          % names.hostname)
 
 
 def getpolicypath(sysvolpath, dnsdomain, guid):
diff --git a/source4/setup/provision_dns_add_samba.ldif b/source4/setup/provision_dns_add_samba.ldif
index 7fb2e78..82f95d4 100644
--- a/source4/setup/provision_dns_add_samba.ldif
+++ b/source4/setup/provision_dns_add_samba.ldif
@@ -12,5 +12,4 @@ userAccountControl: 512
 accountExpires: 9223372036854775807
 sAMAccountName: dns-${HOSTNAME}
 servicePrincipalName: DNS/${DNSNAME}
-clearTextPassword:: ${DNSPASS_B64}
 isCriticalSystemObject: TRUE
-- 
1.8.3.1

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

Reply via email to