James Fowler
2019-May-02 15:56 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
So we have two different Samba servers we are trying to connect to what was originally a Windows 2003 AD and was raised to 2008R2 (both Forest and Domain).
(We really only need to connect one of them - the one hosting Samba 4.7.6).

Any ideas or suggestions are helpful! We've scoured the lists (Rowland - you are amazing), but still not found what is wrong (we think it is probably a config issue on the Win2k8R2 DC).

Thank you in advance!

James

There is presently a single Windows 2k8R2 domain controller.
Our focus is on Samba 4.7.6 on Ubuntu. We also get the same error with Samba 4.6.7 on Ubuntu (same smb.conf).

We can connect to all of the necessary ports on the Win2k8R2 DC from both servers hosting Samba.

Here are details from Samba 4.7.6 join attempt and troubleshooting

*smb.conf:*

[global]
workgroup = DOMAIN1
realm = DOMAIN1.DOMAIN
netbios name = DC1
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 3000
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
rpc server dynamic port range = 49152-65535
interfaces = lo,eth1
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
kerberos method = secrets and keytab
include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/DOMAIN1.DOMAIN/scripts
browseable = no
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

Output of:
root@DC1:~#* samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3*
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> Password for [DOMAIN1\EnterpriseAdminUser]: workgroup is DOMAIN1 realm is DOMAIN1.DOMAIN Adding CN=DC1,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN Adding CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN Using binding ncacn_ip_tcp:DC1[,seal] resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> Adding SPNs to CN=DC1,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN Setting account password for DC1$ Enabling account Adding DNS account CN=dns-DC1,CN=Users,DC=DOMAIN1,DC=DOMAIN with dns/ SPN Setting account password for dns-DC1 Calling bare provision lpcfg_load: refreshing parameters from /etc/samba/smb.conf Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up secrets.ldb Setting up the registry ldb_wrap open of hklm.ldb Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null) A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Provision OK for domain DN DC=DOMAIN1,DC=DOMAIN Starting replication Using binding ncacn_ip_tcp:DC1[,seal] resolve_lmhosts: Attempting lmhosts 
lookup for name DC1<0x20> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[402/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[804/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1206/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1555/1438] linked_values[0/0] Analyze and apply schema objects Discarding older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to dSASignature on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Discarding older DRS attribute update to objectVersion on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Discarding 
older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to dSASignature on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Discarding older DRS attribute update to objectVersion on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Discarding older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to dSASignature on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Discarding older DRS attribute update to objectVersion on 
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b Replicated 1555 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[402/3488] linked_values[0/31] Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[804/3488] linked_values[0/31] Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1206/3488] linked_values[0/31] Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1609/3488] linked_values[0/31] Replicated 403 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1948/3488] linked_values[31/31] Replicated 338 objects (31 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN Replicating critical objects from the base 
DN of the domain
Partition[DC=DOMAIN1,DC=DOMAIN] objects[103/122] linked_values[25/51]
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[462/1310] linked_values[38/51]
Replicated 359 objects (38 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[685/1310] linked_values[12/51]
Replicated 221 objects (12 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[771/1310] linked_values[1/51]
Replicated 84 objects (1 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[172/31] linked_values[0/0]
Replicated 172 objects (0 linked attributes) for DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Replicating DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[74/57] linked_values[0/0]
Replicated 74 objects (0 linked attributes) for DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC1,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=dns-DC1,CN=Users,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Deleted CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

tried:
*kinit EnterpriseAdminUser* (prompted for password)

*klist --list-all*:
root@DC1:/var/lib/samba# klist --list-all
  Name                               Cache name          Expires
* EnterpriseAdminUser@DOMAIN1.DOMAIN FILE:/tmp/krb5cc_0  May  2 19:57:20 2019

net getlocalsid:
ldb: dsdb_schema_from_db() failed: 32:No such object: (null)
ldb: dsdb_get_schema: refresh_fn() failed
ldb: schema_load_init: dsdb_get_schema failed
ldb: module schema_load initialization failed : Operations error
ldb: module dsdb_notification initialization failed : Operations error
ldb: module rootdse initialization failed : Operations error
ldb: module samba_dsdb initialization failed : Operations error
ldb: Unable to load modules for /var/lib/samba/private/sam.ldb: schema_load_init: dsdb_get_schema failed
samdb_connect failed
pdb backend samba_dsdb did not correctly init (error was NT_STATUS_INTERNAL_ERROR)
WARNING: Could not open passdb

root@DC1:/var/lib/samba# *smbclient -k -L //DC1.DOMAIN1.DOMAIN -d 5*
INFO: Current debug levels:
all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 Processing section "[global]" doing parameter workgroup = DOMAIN1 doing parameter realm = DOMAIN1.DOMAIN doing parameter netbios name = DC1 doing parameter server string = Zentyal Server doing parameter server role = dc doing parameter server role check:inhibit = yes doing parameter server services = -dns doing parameter server signing = auto doing parameter dsdb:schema update allowed = yes doing parameter ldap server require strong auth = no doing parameter drs:max object sync = 3000 doing parameter idmap_ldb:use rfc2307 = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes doing parameter template shell = /bin/bash doing parameter template homedir = /home/%U doing parameter rpc server dynamic port range = 49152-65535 doing parameter interfaces = lo,eth1 doing parameter bind interfaces only = yes doing parameter map to guest = Bad User doing parameter log level = 3 doing parameter log file = /var/log/samba/samba.log doing parameter max log size = 100000 doing parameter kerberos method = secrets and keytab doing parameter include = /etc/samba/shares.conf pm_process() returned Yes added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth1 ip=192.168.1.20 bcast=192.168.1.255 netmask=255.255.255.0 Netbios name list:- my_netbios_names[0]="DC1" Client started (version 4.7.6-Ubuntu). 
Opening cache file at /var/cache/samba/gencache.tdb Opening cache file at /var/run/samba/gencache_notrans.tdb sitename_fetch: No stored sitename for realm 'DOMAIN1.DOMAIN' no entry for DC1.DOMAIN1.DOMAIN#20 found. resolve_hosts: Attempting host lookup for name DC1.DOMAIN1.DOMAIN<0x20> namecache_store: storing 1 address for DC1.DOMAIN1.DOMAIN#20: 192.168.1.254 Connecting to 192.168.1.254 at port 445 Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 session request ok negotiated dialect[SMB2_10] against server[DC1.DOMAIN1.DOMAIN] got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 session setup ok signed SMB2 message signed SMB2 message tconx ok Sharename Type Comment --------- ---- ------- signed SMB2 message Bind RPC Pipe: host DC1.DOMAIN1.DOMAIN auth_type 0, auth_level 1 rpc_api_pipe: host DC1.DOMAIN1.DOMAIN signed SMB2 message rpc_read_send: data_to_read: 52 check_bind_response: accepted! 
rpc_api_pipe: host DC1.DOMAIN1.DOMAIN signed SMB2 message rpc_read_send: data_to_read: 928 ADMIN$ Disk Remote Admin ADST_Interns Disk ADST_Staff Disk C$ Disk Default share F$ Disk Default share H$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Scanner Disk SYSVOL Disk Logon server share UserData Disk UserDirectories$ Disk signed SMB2 message signed SMB2 message Reconnecting with SMB1 for workgroup listing. sitename_fetch: No stored sitename for realm 'DOMAIN1.DOMAIN' name DC1.DOMAIN1.DOMAIN#20 found. E2BIG: convert_string(UTF-8,CP850): srclen=22 destlen=16 - 'DC1.DOMAIN1.DOMAIN' Connecting to 192.168.1.254 at port 139 Connecting to 192.168.1.254 at port 139 Connection to DC1.DOMAIN1.DOMAIN failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Failed to connect with SMB1 -- no workgroup available root at DC1:/var/lib/samba# *smbclient -k -L //DC1 -d 5* INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 Processing section "[global]" doing parameter workgroup = DOMAIN1 doing parameter realm = DOMAIN1.DOMAIN doing parameter netbios name = DC1 doing parameter server string = Zentyal Server doing parameter server role = dc doing parameter server role check:inhibit = yes doing parameter server services = -dns doing parameter server signing = auto 
doing parameter dsdb:schema update allowed = yes doing parameter ldap server require strong auth = no doing parameter drs:max object sync = 3000 doing parameter idmap_ldb:use rfc2307 = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes doing parameter template shell = /bin/bash doing parameter template homedir = /home/%U doing parameter rpc server dynamic port range = 49152-65535 doing parameter interfaces = lo,eth1 doing parameter bind interfaces only = yes doing parameter map to guest = Bad User doing parameter log level = 3 doing parameter log file = /var/log/samba/samba.log doing parameter max log size = 100000 doing parameter kerberos method = secrets and keytab doing parameter include = /etc/samba/shares.conf pm_process() returned Yes added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth1 ip=192.168.1.20 bcast=192.168.1.255 netmask=255.255.255.0 Netbios name list:- my_netbios_names[0]="DC1" Client started (version 4.7.6-Ubuntu). Opening cache file at /var/cache/samba/gencache.tdb Opening cache file at /var/run/samba/gencache_notrans.tdb sitename_fetch: No stored sitename for realm 'DOMAIN1.DOMAIN' no entry for DC1#20 found. resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. 
resolve_hosts: Attempting host lookup for name DC1<0x20> namecache_store: storing 1 address for DC1#20: 192.168.1.254 Connecting to 192.168.1.254 at port 445 Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 session request ok negotiated dialect[SMB2_10] against server[DC1] got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 session setup ok signed SMB2 message signed SMB2 message tconx ok Sharename Type Comment --------- ---- ------- signed SMB2 message Bind RPC Pipe: host DC1 auth_type 0, auth_level 1 rpc_api_pipe: host DC1 signed SMB2 message rpc_read_send: data_to_read: 52 check_bind_response: accepted! rpc_api_pipe: host DC1 signed SMB2 message rpc_read_send: data_to_read: 928 ADMIN$ Disk Remote Admin ADST_Interns Disk ADST_Staff Disk C$ Disk Default share F$ Disk Default share H$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Scanner Disk SYSVOL Disk Logon server share UserData Disk UserDirectories$ Disk signed SMB2 message signed SMB2 message Reconnecting with SMB1 for workgroup listing. 
sitename_fetch: No stored sitename for realm 'DOMAIN1.DOMAIN'
name DC1#20 found.
Connecting to 192.168.1.254 at port 139
Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 87040 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[NT1] against server[DC1]
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
session setup ok
tconx ok

Server               Comment
---------            -------

Workgroup            Master
---------            -------

--
James Fowler
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
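Added example, not part of the original thread and not Samba project code: a small triage parser for `samba-tool domain join` output like the one posted above. It reports how many objects were replicated per naming context, which uncaught exception ended the join and under which DRS extended operation the traceback shows it, and which NT_STATUS codes were only printed after the "Join failed - cleaning up" marker. The function names and the shortened sample log are assumptions made for the example; it expects one log message per line.

```python
import re

# Constructed sample: a shortened copy of the samba-tool output quoted in the
# thread, one message per line, with repeated progress lines dropped and the
# long secrets.ldb message abbreviated.
SAMPLE_LOG = """\
Starting replication
Replicated 1555 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 338 objects (31 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Done with always replicated NC (base, config, schema)
Replicated 172 objects (0 linked attributes) for DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Replicated 74 objects (0 linked attributes) for DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
Could not find machine account in secrets database: [abbreviated] secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC1,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
"""

REPLICATED = re.compile(
    r"^Replicated (\d+) objects \((\d+) linked attributes\) for (.+)$", re.M)
EXCEPTION = re.compile(r"uncaught exception - \((\d+), '(\w+)'\)")
EXOP = re.compile(r"exop=drsuapi\.(DRSUAPI_EXOP_\w+)")
FRAME = re.compile(r'File "[^"]*/([^"/]+)", line (\d+), in (\w+)')
NT_STATUS = re.compile(r"\bNT_STATUS_\w+")
CLEANUP_MARK = "Join failed - cleaning up"


def summarize_join_log(text):
    """Return what replicated, what ended the join, and what was logged later."""
    # Sum the per-chunk "Replicated N objects" lines for each naming context.
    objects = {}
    for count, _links, nc in REPLICATED.findall(text):
        nc = nc.strip()
        objects[nc] = objects.get(nc, 0) + int(count)

    exc = EXCEPTION.search(text)
    exop = EXOP.search(text)
    frames = [(f, int(n), fn) for f, n, fn in FRAME.findall(text)]

    # Status codes printed after the cleanup marker are kept apart from any
    # printed while the join was still running, so the two are not confused.
    mark = text.find(CLEANUP_MARK)
    if mark == -1:
        mark = len(text)
    before, after = [], []
    for m in NT_STATUS.finditer(text):
        (before if m.start() < mark else after).append(m.group(0))

    return {
        "objects": objects,
        "exception": (int(exc.group(1)), exc.group(2)) if exc else None,
        "exop": exop.group(1) if exop else None,
        "innermost_frame": frames[-1] if frames else None,
        "status_before_cleanup": before,
        "status_after_cleanup": after,
    }


def describe(summary):
    """Build a short triage text using only fields found in the log."""
    lines = ["%s: %d objects" % (nc, n) for nc, n in summary["objects"].items()]
    if summary["exception"]:
        code, name = summary["exception"]
        lines.append("join ended by uncaught exception %s (%d)" % (name, code))
    if summary["exop"]:
        lines.append("traceback shows extended operation " + summary["exop"])
    if summary["innermost_frame"]:
        lines.append("innermost frame: %s:%d in %s" % summary["innermost_frame"])
    for status in summary["status_after_cleanup"]:
        lines.append("logged after cleanup started: " + status)
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(summarize_join_log(SAMPLE_LOG)))
```
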
Rowland Penny
2019-May-02 16:26 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Thu, 2 May 2019 11:56:30 -0400
James Fowler via samba <samba at lists.samba.org> wrote:

> So we have two different Samba servers we are trying to connect to
> what was originally a Windows 2003 AD and was raised to 2008R2 (both
> Forest and Domain).
> (We really only need to connect one of them - the one hosting Samba
> 4.7.6).
>
> Any ideas or suggestions are helpful! We've scoured the lists
> (Rowland - you are amazing), but still not found what is wrong (we
> think it is probably a config issue on the Win2k8R2 DC).
>
> Thank you in advance!
>
> James
>
>
> There is presently a single Windows 2k8R2 domain controller.
> Our focus is on Samba 4.7.6 on Ubuntu. We also get the same error
> with Samba 4.6.7 on Ubuntu (same smb.conf).
>
> We can connect to all of the necessary ports on the Win2k8R2 DC from
> both servers hosting Samba.
>
> Here are details from Samba 4.7.6 join attempt and troubleshooting
>
> *smb.conf:*

If you are joining a new DC to an existing domain, why do you have a smb.conf ? Does it already exist ? From all the cruft in it, it looks like it does.

If it does exist, then remove it and try again.

Rowland
James Fowler
2019-May-02 16:59 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Thank you for the quick response:

root@DC2:~# rm -rf /etc/samba/smb.conf
root@dc2:~# ll /etc/samba/
[The lmhosts file I created trying to troubleshoot: touch /etc/samba/lmhosts. It hasn't been touched.]
total 52
drwxr-xr-x   4 root root  4096 May  2 12:57 ./
drwxr-xr-x 135 root root 12288 May  2 11:05 ../
drwxr-xr-x   2 root root  4096 May  2 09:56 etc/
-rw-r--r--   1 root root     8 Aug  6  2018 gdbcommands
-rw-r--r--   1 root root     0 May  2 09:04 lmhosts
-rw-r--r--   1 root root   376 Apr 30 08:19 shares.conf
-rw-r--r--   1 root root   969 May  2 07:09 smb.conf.bak
-rw-r--r--   1 root root  1075 May  2 09:56 smb.conf.mod1
-rw-r--r--   1 root root  9538 Apr 29 09:20 smb.conf.ucf-dist
drwxr-xr-x   2 root root  4096 Aug  6  2018 tls/
root@dc2:~#
root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Using binding ncacn_ip_tcp:DC1[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
resolve_lmhosts:
Attempting lmhosts lookup for name DC1<0x20> Adding SPNs to CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN Setting account password for DC2$ Enabling account Adding DNS account CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN with dns/ SPN Setting account password for dns-DC2 Calling bare provision lpcfg_load: refreshing parameters from /etc/samba/smb.conf lpcfg_load: refreshing parameters from /etc/samba/smb.conf Looking up IPv4 addresses More than one IPv4 address found. Using 192.168.1.20 Looking up IPv6 addresses No IPv6 address will be assigned Setting up secrets.ldb Setting up the registry ldb_wrap open of hklm.ldb Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null) A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf Provision OK for domain DN DC=DOMAIN1,DC=DOMAIN Starting replication Using binding ncacn_ip_tcp:DC1[,seal] resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20> Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[402/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[804/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1206/1438] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1555/1438] linked_values[0/0] Analyze and apply schema objects Discarding older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5 Discarding older DRS attribute update to dSASignature on 
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to dSASignature on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectClass on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to whenCreated on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to dSASignature on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from 754d8904-e4a6-4bd4-b283-49f858a0699b
Replicated 1555 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[402/3575] linked_values[0/31]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[804/3575] linked_values[0/31]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1206/3575] linked_values[0/31]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1609/3575] linked_values[0/31]
Replicated 403 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1960/3575] linked_values[31/31]
Replicated 350 objects (31 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicating critical objects from the base DN of the domain
Partition[DC=DOMAIN1,DC=DOMAIN] objects[103/122] linked_values[25/51]
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[462/1419] linked_values[38/51]
Replicated 359 objects (38 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[686/1419] linked_values[12/51]
Replicated 222 objects (12 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[779/1419] linked_values[1/51]
Replicated 91 objects (1 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[172/31] linked_values[0/0]
Replicated 172 objects (0 linked attributes) for DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Replicating DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[74/57] linked_values[0/0]
Replicated 74 objects (0 linked attributes) for DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Deleted CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
root at DC2:~#

On Thu, May 2, 2019 at 12:27 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 11:56:30 -0400
> James Fowler via samba <samba at lists.samba.org> wrote:
>
> > So we have two different Samba servers we are trying to connect to
> > what was originally a Windows 2003 AD and was raised to 2008R2 (both
> > Forest and Domain).
> > (We really only need to connect one of them - the one hosting Samba
> > 4.7.6).
> >
> > Any ideas or suggestions are helpful! We've scoured the lists
> > (Rowland - you are amazing), but still not found what is wrong (we
> > think it is probably a config issue on the Win2k8R2 DC).
> >
> > Thank you in advance!
> >
> > James
> >
> >
> > There is presently a single Windows 2k8R2 domain controller.
> > Our focus is on Samba 4.7.6 on Ubuntu. We also get the same error
> > with Samba 4.6.7 on Ubuntu (same smb.conf).
> >
> > We can connect to all of the necessary ports on the Win2k8R2 DC from
> > both servers hosting Samba.
> >
> > Here are details from Samba 4.7.6 join attempt and troubleshooting
> >
> > *smb.conf:*
>
> If you are joining a new DC to an existing domain, why do you have a
> smb.conf ?
> Does it already exist ?
> From all the cruft in it, it looks like it does.
> If it does exist, then remove it and try again.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
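A triage helper for join output like the log in this message, added here as an example (it is not part of the thread and not Samba code): it totals the "Replicated N objects" lines per naming context and extracts the WERR code, the DRS extended operation and the raising frame from the traceback. The function name and the sample text are assumptions; the sample is constructed in the format of the log above.

```python
import re

# Constructed sample in the format of the samba-tool join output quoted above.
SAMPLE = """\
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 350 objects (31 linked attributes) for CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Replicated 74 objects (0 linked attributes) for DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
"""

# Assumption: naming-context DNs contain no spaces, as in the log above.
REPL = re.compile(r"Replicated (\d+) objects \((\d+) linked attributes\) for (\S+)")
ERR = re.compile(r"ERROR\(runtime\): uncaught exception - \((\d+), '(\w+)'\)")
EXOP = re.compile(r"exop=drsuapi\.(\w+)")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')


def summarize_join_log(text):
    """Return per-NC replication totals plus the failure details, if any."""
    totals = {}  # naming context -> [objects, linked attributes]
    for objs, links, nc in REPL.findall(text):
        entry = totals.setdefault(nc, [0, 0])
        entry[0] += int(objs)
        entry[1] += int(links)
    err = ERR.search(text)
    tail = text[err.end():] if err else ""  # traceback follows the ERROR line
    exop = EXOP.search(tail)
    frames = FRAME.findall(tail)
    return {
        "replicated": {nc: tuple(v) for nc, v in totals.items()},
        "failed": "Join failed" in text or err is not None,
        "werr": (int(err.group(1)), err.group(2)) if err else None,
        "exop": exop.group(1) if exop else None,
        # The last frame listed is the call that actually raised.
        "raised_in": frames[-1] if frames else None,
    }


if __name__ == "__main__":
    for key, value in summarize_join_log(SAMPLE).items():
        print(key, "=", value)
```

The regexes match on content rather than line boundaries, so the helper also works on output that an archive or pager has run together onto long lines.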