DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
# apt-get install task-samba-dc
# apt-get install python-module-samba-DC samba-DC-common samba-DC-winbind-clients samba-DC-winbind samba-DC-common-libs libpytalloc-devel
# vim /etc/krb5.conf
dns_lookup_kdc = true
dns_lookup_realm = true
default_realm = TEST.LOCAL
# kinit administrator
Password for administrator@TEST.LOCAL:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@TEST.LOCAL
Valid starting Expires Service principal
16.05.2019 11:51:38 16.05.2019 21:51:38 krbtgt/TEST.LOCAL@TEST.LOCAL
renew until 23.05.2019 11:51:35
# mv smb.conf smb.conf.bak1
# samba-tool domain join test.local DC -U"TEST\administrator"
Finding a writeable DC for domain 'test.local'
Found DC DC1.TEST.LOCAL
Password for [TEST\administrator]:
Reconnecting to naming master e31d7da6-8f56-4420-8473-80f2b3a31338._msdcs.TEST.LOCAL
DNS name of new naming master is DC1.TEST.LOCAL
workgroup is TEST
realm is TEST.LOCAL
Adding CN=DC2,OU=Domain Controllers,DC=TEST,DC=LOCAL
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=LOCAL
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TEST,DC=LOCAL
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=TEST,DC=LOCAL
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=TEST,DC=LOCAL
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=TEST,DC=LOCAL] objects[402/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=TEST,DC=LOCAL] objects[804/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=TEST,DC=LOCAL] objects[1206/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=TEST,DC=LOCAL] objects[1608/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=TEST,DC=LOCAL] objects[1743/1426] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=TEST,DC=LOCAL] objects[402/2240] linked_values[0/24]
Partition[CN=Configuration,DC=TEST,DC=LOCAL] objects[804/2240] linked_values[0/24]
Partition[CN=Configuration,DC=TEST,DC=LOCAL] objects[1206/2240] linked_values[0/24]
Partition[CN=Configuration,DC=TEST,DC=LOCAL] objects[1608/2240] linked_values[0/24]
Partition[CN=Configuration,DC=TEST,DC=LOCAL] objects[1772/2240] linked_values[24/24]
Replicating critical objects from the base DN of the domain
Partition[DC=TEST,DC=LOCAL] objects[109/110] linked_values[26/29]
Partition[DC=TEST,DC=LOCAL] objects[394/5008] linked_values[29/29]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=TEST,DC=LOCAL
Partition[DC=DomainDnsZones,DC=TEST,DC=LOCAL] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=TEST,DC=LOCAL
Partition[DC=ForestDnsZones,DC=TEST,DC=LOCAL] objects[20/20] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=TEST,DC=LOCAL] objects[3] linked_values[0]
Committing SAM database
Adding 1 remote DNS records for DC2.TEST.LOCAL
Adding DNS A record DC2.TEST.LOCAL for IPv4 IP: 192.168.90.201
Adding DNS CNAME record 6ff1df40-cbb5-41f0-b7b3-53a27dde8edf._msdcs.TEST.LOCAL for DC2.TEST.LOCAL
All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=TEST,DC=LOCAL
Partition[DC=DomainDnsZones,DC=TEST,DC=LOCAL] objects[1/42] linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=TEST,DC=LOCAL
Partition[DC=ForestDnsZones,DC=TEST,DC=LOCAL] objects[1/20] linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TEST (SID S-1-5-21-3959064270-1572045903-2556826204) as a DC
# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 0e9f5bce-ff59-401e-bdbd-fc69df3fc6bf
DSA invocationId: 017997b5-d718-41d7-a3f3-e57ab5151b5c
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:56:31 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:56:31 2019 MSK
DC=DomainDnsZones,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:56:32 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:56:32 2019 MSK
CN=Schema,CN=Configuration,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:56:32 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:56:32 2019 MSK
DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:56:32 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:56:32 2019 MSK
CN=Configuration,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:56:33 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:56:33 2019 MSK
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Thu May 23 16:40:03 2019 MSK was successful
0 consecutive failure(s).
Last success @ Thu May 23 16:40:03 2019 MSK
DC=DomainDnsZones,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Thu May 23 16:40:03 2019 MSK was successful
0 consecutive failure(s).
Last success @ Thu May 23 16:40:03 2019 MSK
CN=Schema,CN=Configuration,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Thu May 23 16:40:08 2019 MSK was successful
0 consecutive failure(s).
Last success @ Thu May 23 16:40:08 2019 MSK
DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Thu May 23 16:40:08 2019 MSK was successful
0 consecutive failure(s).
Last success @ Thu May 23 16:40:08 2019 MSK
CN=Configuration,DC=test,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 60fb339d-efa3-4585-a42d-04974e6601b7
Last attempt @ Mon May 27 12:12:17 2019 MSK was successful
0 consecutive failure(s).
Last success @ Mon May 27 12:12:17 2019 MSK
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 6d2652b3-e723-4af7-a19f-1ee48915753c
Enabled : TRUE
Server DNS name : DC1.test.local
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
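A check for the showrepl listing above, added here as an example and not part of the original page: it parses `samba-tool drs showrepl` output and reports every replication partner whose consecutive-failure count is non-zero, which is the value to watch after a join that looked clean. The function name showrepl_failures and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example: flag replication partners reported by "samba-tool drs showrepl"
# with a non-zero consecutive-failure count. Reads showrepl text on stdin and
# prints one line per failing neighbour: DIRECTION<TAB>PARTITION<TAB>PARTNER<TAB>FAILURES.
# Exit status is 0 when every neighbour is healthy, 1 when any has failures.
showrepl_failures() {
    awk '
        /^==== INBOUND NEIGHBORS/  { dir = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS/ { dir = "outbound"; next }
        /^==== KCC CONNECTION/     { dir = "";         next }  # stop at the KCC section
        dir == "" { next }                                     # header lines before the neighbour lists
        { sub(/^[ \t]+/, "") }                                 # showrepl indents with tabs; ignore them
        /^(DC|CN)=/ { part = $0; next }                        # partition (naming context) DN
        / via /     { partner = $1; next }                     # "Site/DC via RPC" -> first field
        /consecutive failure/ {
            if ($1 + 0 > 0) {
                bad++
                printf "%s\t%s\t%s\t%s\n", dir, part, partner, $1
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample in the showrepl format seen above (not real output): the
# domain partition has fallen behind inbound, everything else replicates normally.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC2
DSA Options: 0x00000001
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=test,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Mon May 27 12:56:31 2019 MSK was successful
        0 consecutive failure(s).
        Last success @ Mon May 27 12:56:31 2019 MSK
DC=test,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Mon May 27 12:56:32 2019 MSK failed
        3 consecutive failure(s).
        Last success @ Thu May 23 16:40:08 2019 MSK
==== OUTBOUND NEIGHBORS ====
DC=test,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Mon May 27 12:12:17 2019 MSK was successful
        0 consecutive failure(s).
==== KCC CONNECTION OBJECTS ===='

# Stand-alone run on the sample; on a real DC: samba-tool drs showrepl | showrepl_failures
printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_failures || echo "replication failures found"
```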
# samba-tool ldapcmp ldap://dc1.test.local ldap://dc2.test.local -Uadministrator
* Comparing [DOMAIN] context...
* Objects to be compared: 249
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1750
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1739
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 42
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 20
* Result for [DNSFOREST]: SUCCESS
\\DC1\SYSVOL\test.local\ \\DC2\SYSVOL\test.local\ /mir /sec
# vim /etc/security/pam_mount.conf.xml
<volume uid="100000000-2000000000" fstype="cifs" server="dfs" path="Profile_Users/%(USER)" mountpoint="~" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775"/>
# vim /etc/security/pam_mount.conf.xml
<volume uid="100000000-2000200000" fstype="cifs" server="dfs" path="Profile_Users/%(USER)/Рабочий стол" mountpoint="~/Рабочий стол" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775"/>
<volume uid="100000000-2000200000" fstype="cifs" server="dfs" path="Profile_Users/%(USER)/Downloads" mountpoint="~/Загрузки" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775"/>
<volume uid="100000000-2000200000" fstype="cifs" server="dfs" path="Profile_Users/%(USER)/Мои документы" mountpoint="~/Документы" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775"/>