Apologies for not replying to the thread, I just subscribed to the list,
after a day of troubleshooting this.

Regarding:
9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'

I am experiencing the same symptoms, in a simpler environment than the
original submitter at the previous thread:

Single Windows 2008R2 Domain Controller
Schema version 47
No MS Exchange

Attempting to add a Samba 4 domain controller with the intention of
decommissioning the Windows Server.

Same symptoms from two different Samba 4 platforms:

FreeBSD 11.2 - samba 4.8.7 from packages
CentOS 7 - samba 4.9.3 compiled from source

SERVER1 = Windows Server 2008R2 Standard
SERVER3 = FreeBSD Samba Host

kinit and klist work fine.

# samba-tool domain join ad.mydomain DC -U"AD\administrator" --dns-backend=SAMBA_INTERNAL

...
Adding DNS CNAME record f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for SERVER3.ad.mydomain
Join failed - cleaning up
...
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1482, in join_DC
    ctx.do_join()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1390, in do_join
    ctx.join_add_dns_records()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1144, in join_add_dns_records
    None)

So, next - try checking then adding the DC DNS record manually via:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Verifying_and_Creating_the_objectGUID_Record

# ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

# record 1
dn: CN=NTDS Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063

# record 2
dn: CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052

# returned 2 records
# 2 entries
# 0 referrals

# host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found: 3(NXDOMAIN)

# samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator

root@server3:/var/db/samba4/private # samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator
Password for [AD\administrator]:
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e

When I list the zones, I don't see the _msdcs zone like I do at other
domains - instead I have TrustAnchors. But DNSSEC isn't configured at
SERVER1:

# samba-tool dns zonelist SERVER1 -U administrator

root@server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 -U administrator
Password for [AD\administrator]:
3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : NONE
  pszDpFqdn                   : None

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.mydomain

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.ad.mydomain

So this is where I'm at now. Earlier today I found a reference on another
thread or another list which I need to find again, which suggested this
might be a bug or issue with Samba 4.8 and higher. I have not yet tried
adding Samba 4.7 to the same domain.

Hopefully this helps narrow it, and of course any suggestions to help
resolve or continue troubleshooting are appreciated.

Thanks,
Andrew
I have been dealing with this same error in the same circumstance for about 3 weeks with no solution, so I have undertaken to build samba and debug it. To see if your error is really the same as mine, although your output is the same...

> Regarding:
> 9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'

Do this:

sudo ldbedit -e nano -H /var/lib/samba/private/secrets.ldb

You should get 3 records in the secret file. I have only been getting the first 2, and the Machine Secret (record 3) has not been written to the file.

You can re-run the join with a -d8, which sets the debug level to 8, and you should see something like the following (if we are seeing the same error). Rowland and Luis have been trying to help me figure this out:

Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4702) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

If you see a log that it "could not find machine account in secrets database..." then we are having the same problem, I believe.

Our AD Domain is Functional Level 2012 and we do have Exchange. We were thinking that might be the problem. I do know that even if I can get a join, Exchange may prevent replication, but I'd be happy to get a join, and we are working on replacing Exchange.

I'm not wishing bad luck on you, but it is useful to know that our AD is not the only one that this happens with. We are trying to use it on Ubuntu Server 18.04. I even thought about trying 16.xx to see if it was an Ubuntu 18 problem.

I've been working on this so much that I've been sidelined due to lack of sleep. Hope to have my own build of Samba in the next few days and then get a debugger going. I am certain it is a fairly small problem.

Also check your Windows AD Event log. Are you getting any errors showing a connection from your attempted server is failing? Samba was able to write to our AD with all the schema entries to add the Samba DC because I could see that happening, but then when it "cleans up" it deletes them all.

Let's see if we are dealing with the same problem. Maybe we can help each other.

-Barry Adkins
On Tue, 2018-12-04 at 21:25 -0500, Andrew Ruscica via samba wrote:
> Apologies for not replying to the thread, I just subscribed to the list,
> after a day of troubleshooting this.
>
> Regarding:
> 9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'
>
> I am experiencing the same symptoms, in a simpler environment than the
> original submitter at the previous thread:
>
> Single Windows 2008R2 Domain Controller
> Schema version 47
> No MS Exchange

It is very likely 'just a bug'. We do some DNS things trying to make sure the new DC can work the moment it starts (before that, folks had a lot of difficulty with the new DC not being in global DNS).

This is different to what windows does, and there is a variety of different ways DNS can be set up on windows, so clearly it isn't interoperable right now.

Sorry about that.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT  https://catalyst.net.nz/services/samba
As I posted, I've been dealing with this same problem for 3 weeks, to the point I'm setting up a system to debug the problem.

Samba-tool complains that the Machine Account is not in the Secrets.LDB file and I can confirm IT IS NOT. Only Records 1 & 2 are there. Yet it throws this DNS zone does not exist exception. I observe Samba Tool is writing AD data for a joined DC only to delete it when the join fails.

I've had to take a few days to sleep as I've been working numerous all-nighters on this. I expect in the next few days to have a system building Samba and then hope to set up debugging. I was a systems software developer for Compaq from 1994 until 2002. I can do it, but have to become familiar with such things on Linux and all the integrated scripts... python. I did python development for Computational Analysis in 2015, but it was solely Python so we were using an IDE for Python.

I am committed to get this to work and we are also working to dump Exchange in order to migrate to all Samba AD DCs. We embarked on a plan to just join a member server, which did not completely work. Then upon support list member recommendation to add a Samba DC, with NO success. Later to learn that while we were planning to dump Exchange, we need to get that as a top priority, which it can be.

-Barry Adkins

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew Bartlett via samba
Sent: Tuesday, December 4, 2018 10:47 PM
To: Andrew Ruscica <andrew.lists at ruscica.com>; samba at lists.samba.org
Subject: Re: [Samba] Setup a Samba AD DC as an additional DC
On Tue, Dec 4, 2018 at 11:46 PM Andrew Bartlett <abartlet at samba.org> wrote:
> ...
> It is very likely 'just a bug'. We do some DNS things trying to make
> sure the new DC can work the moment it starts (before that, folks had a
> lot of difficulty with the new DC not being in global DNS).
>
> This is different to what windows does, and there is a variety of
> different ways DNS can be set up on windows, so clearly it isn't
> interoperable right now.
>
> Sorry about that.
> Andrew Bartlett
>

Thank you for the responses, Andrew and Barry; I have achieved success: it was necessary to (re)create the _msdcs.my.domain zone at Windows DNS. It previously did not exist, for reasons unknown to me. I'm assuming it is related to the domain functional level being upgraded over time from 2003 to 2008R2.

There are a number of guidelines out there to accomplish this, but some miss a required option for Samba: you must ensure the Replication is set to all DNS servers in the *forest*.
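A pre-flight check for the condition this thread ends on, added here as an example and not part of any poster's message or of Samba: before running the DC join, parse the `samba-tool dns zonelist` listing (the field layout printed above) and confirm that the `_msdcs.<domain>` zone exists and sits in the forest-wide partition (`pszDpFqdn : ForestDnsZones.<domain>`), which is the replication scope the final message says is required. The zonelist text is constructed from the thread's listing with a healthy `_msdcs` zone assumed in place of the missing one; the function names are mine.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread). Before `samba-tool domain
# join <domain> DC`, verify that _msdcs.<domain> is present on the Windows
# DNS server and stored in the forest-wide partition; a zone that is absent
# (the thread's failure) or only domain-replicated fails the check.

# Constructed sample: the thread's zonelist with an _msdcs zone assumed in
# the forest partition. Not captured output.
SAMPLE_ZONELIST='3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : NONE
  pszDpFqdn                   : None

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.mydomain

  pszZoneName                 : _msdcs.ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.ad.mydomain'

# msdcs_zone_scope ZONELIST_TEXT DOMAIN
# Prints the pszDpFqdn partition that holds _msdcs.<DOMAIN>, or "missing".
# Each zone block starts with pszZoneName; fields are "name : value".
msdcs_zone_scope() {
  printf '%s\n' "$1" | awk -v zone="_msdcs.$2" '
    $1 == "pszZoneName" { inzone = ($3 == zone) }
    inzone && $1 == "pszDpFqdn" { print $3; found = 1; exit }
    END { if (!found) print "missing" }'
}

# check_msdcs ZONELIST_TEXT DOMAIN
# Exit status: 0 = zone present and forest-replicated,
#              1 = zone absent (the thread's WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST case),
#              2 = zone present but only replicated within the domain partition.
check_msdcs() {
  scope=$(msdcs_zone_scope "$1" "$2")
  case "$scope" in
    missing)           return 1 ;;
    ForestDnsZones.*)  return 0 ;;
    *)                 return 2 ;;
  esac
}

# Live use (not executed here): feed the real listing from the Windows DC,
# using the same command the thread runs.
# check_msdcs "$(samba-tool dns zonelist SERVER1 -U administrator)" ad.mydomain
```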