Samba 4 gives "Failed to find a writeable DC for domain" on samba-tool domain join

I was passing the wrong info to samba-tool. currentwindowsadserver is the DC, not the domain or realm. Instead of:

sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC -Uadministrator --realm=currentwindowsadserver.mydomain.lan

...the command should simply read:

sudo samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan

This succeeded, with SELinux still enabled, and with the domain directive in resolv.conf commented out.

Updated on September 18, 2022

Comments

  • Kev, over 1 year ago

    I have a CentOS 6.4 box with SerNet's Samba 4.0.8 installed and no smb.conf file yet, as it should be. I want it to become an AD DC in my existing Windows domain, replicating from the existing Windows Server 2003 box. I have SELinux enabled and want it to stay that way in the end, but would be willing to attempt to disable it temporarily. But I've run sudo setsebool -P samba_domain_controller on and sudo setsebool -P samba_enable_home_dirs on and they returned no errors.

    Also I opted to try using Samba 4's internal DNS rather than BIND.

    I'm getting this error trying to run samba-tool:

    $ sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC -Uadministrator --realm=currentwindowsadserver.mydomain.lan
    Finding a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
    ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
        machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
      File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1082, in join_DC
        machinepass, use_ntvfs, dns_backend, promote_existing)
      File "/usr/lib64/python2.6/site-packages/samba/join.py", line 73, in __init__
        ctx.server = ctx.find_dc(domain)
      File "/usr/lib64/python2.6/site-packages/samba/join.py", line 246, in find_dc
        raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

    Same situation as described here, but the suggested -S does not seem to exist anymore; it spits out usage directions when I try it and says:

    samba-tool domain join: error: no such option: -S

    I tried adding the old and new to /etc/hosts but that didn't change the results.

    kinit and klist work as they should, and host -t A mynewserver also produces correct output (giving the correct IP and the correct name, see below.)

    Currently, my Windows AD server has 5 names and 5 IP addresses, but if I ping it from CentOS by its main name that I use for everything Windows (the other 4 I only use for Apache; yes, I know, running Apache on Windows... you can see why I'm migrating) it returns correctly as that name. Nonetheless I thought maybe that was causing some problems, so seeing this page (and even samba-tool domain join -h) I also tried adding --ipaddress=192.168.1.2 and it said that it wasn't a valid option either:

    samba-tool domain join: error: no such option: --ip-address

    samba-tool domain info without DC but otherwise the same parameters as at the start, correctly gives me info about the Windows DC. Also DNS seems to be fine:

    $ host -t SRV _ldap._tcp.mydomain.lan
    _ldap._tcp.mydomain.lan has SRV record 0 100 389 currentwindowsadserver.mydomain.lan
    $ host -t SRV _kerberos._udp.mydomain.lan
    _kerberos._udp.mydomain.lan has SRV record 0 100 88 currentwindowsadserver.mydomain.lan
    $ host -t SRV _ldap._tcp.dc._msdcs.mydomain.lan
    _ldap._tcp.dc._msdcs.mydomain.lan has SRV record 0 100 389 currentwindowsadserver.mydomain.lan
    $ host -t SRV _kerberos._tcp.dc._msdcs.mydomain.lan
    _kerberos._tcp.dc._msdcs.mydomain.lan has SRV record 0 100 88 currentwindowsadserver.mydomain.lan
    $ host -t SRV _kpasswd._tcp.mydomain.lan
    _kpasswd._tcp.mydomain.lan has SRV record 0 100 464 currentwindowsadserver.mydomain.lan.
    $ host -t SRV _kpasswd._udp.mydomain.lan
    _kpasswd._udp.mydomain.lan has SRV record 0 100 464 currentwindowsadserver.mydomain.lan.
    $ host -t SRV _ldap._tcp.gc._msdcs.mydomain.lan
    _ldap._tcp.gc._msdcs.mydomain.lan has SRV record 0 100 3268 currentwindowsadserver.mydomain.lan.
    $ host -t SRV _gc._tcp.mydomain.lan
    _gc._tcp.mydomain.lan has SRV record 0 100 3268 currentwindowsadserver.mydomain.lan.

    ATM, AFAIK, we're an IPv4-only network (one page mentioned IPv6 issues). I don't see any IPv6 addresses when I ping or run host -t A or anything like that. If this is the issue I'm not sure what to do to verify or fix it; maybe someone could help me out with that.

    sudo netstat -tunpe | grep ":53" returns nothing, and I have iptables open on 445 UDP and TCP. Update: I now have it open on everything listed here except the NetBIOS ones, and reloaded iptables without error, but still no change. I've also tried stopping the iptables service temporarily; no difference.

    I also have both domain and search directives with mydomain.lan after them in /etc/resolv.conf, as well as nameserver with the primary IP of the Windows box.

    What else could it be? Google isn't giving me much else to try here.
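A pre-flight check written for this page, not code from the question, the answer or Samba itself: it parses `host -t SRV` output in the format pasted above and repeats the locator step behind "Failed to find a writeable DC", so handing samba-tool the DC's host name where the domain belongs (the mistake the answer identifies) is caught before the join runs. `SAMPLE_ZONE`, `sample_lookup`, `live_lookup`, `parse_host_srv` and `check_join_target` are constructed names; only the `_ldap._tcp.dc._msdcs.<domain>` record comes from the question's own lookups.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# Output format of `host -t SRV <name>`, as pasted in the question.
SRV_LINE = re.compile(r"^(?P<name>\S+) has SRV record (?P<prio>\d+) "
                      r"(?P<weight>\d+) (?P<port>\d+) (?P<target>\S+?)\.?$")

# Constructed fixture mirroring the question's zone; not real DNS data.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.mydomain.lan": "_ldap._tcp.dc._msdcs.mydomain.lan "
    "has SRV record 0 100 389 currentwindowsadserver.mydomain.lan.",
}

def sample_lookup(name: str) -> str:
    """Offline stand-in for `host -t SRV`, answering from SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name.lower(), "")

def live_lookup(name: str) -> str:
    """Real resolver: runs `host -t SRV`, the tool used in the question."""
    return subprocess.run(["host", "-t", "SRV", name],
                          capture_output=True, text=True).stdout

def parse_host_srv(output: str) -> List[Tuple[int, int, int, str]]:
    """Parse `host -t SRV` lines into (priority, weight, port, target)."""
    recs = [m for m in map(SRV_LINE.match, map(str.strip, output.splitlines())) if m]
    return sorted((int(m["prio"]), int(m["weight"]), int(m["port"]),
                   m["target"].lower()) for m in recs)

def check_join_target(target: str, realm: str,
                      lookup: Callable[[str], str] = live_lookup) -> dict:
    """Mirror Samba's find_dc(): a joinable domain must publish
    _ldap._tcp.dc._msdcs.<domain>; report the fix when it does not."""
    domain, realm = target.lower().rstrip("."), realm.lower().rstrip(".")
    problems: List[str] = []
    dcs = parse_host_srv(lookup(f"_ldap._tcp.dc._msdcs.{domain}"))
    if not dcs:
        # The slip in the question: a DC host name was passed as the domain.
        parent = domain.partition(".")[2]
        parent_dcs = parse_host_srv(lookup(f"_ldap._tcp.dc._msdcs.{parent}"))
        if any(t == domain for *_, t in parent_dcs):
            problems.append(f"'{domain}' is a DC, not a domain; use '{parent}'")
            domain, dcs = parent, parent_dcs
        else:
            problems.append(f"no DC SRV records found for '{domain}'")
    if realm != domain:  # the AD realm is the domain's DNS name (case aside)
        problems.append(f"--realm must be '{domain}', not '{realm}'")
    return {"ok": not problems, "domain": domain, "dcs": dcs, "problems": problems,
            "command": f"samba-tool domain join {domain} DC -Uadministrator --realm={domain}"}
```

Run `check_join_target(target, realm)` with the default `live_lookup` on the box being joined; a result with `ok` false names the argument to fix and the corrected command.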