James Fowler
2019-May-06 14:39 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline.

On Mon, May 6, 2019 at 9:58 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 09:32:45 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > > > > There is also that word 'Zentyal', was/is this computer a
> > > > > Zentyal DC ?
> > > > Yes.
> > >
> > > Which, is it a DC, or was it a DC
> > >
> > It has never been a DC. I even wiped the machine (again) at one
> > point just to eliminate possible contamination
>
> I asked about 'Zentyal' and was/if this was a DC, you answered 'Yes'.
> I asked which, now you say it has never been a DC, so where did
> 'Zentyal' come from ?
>

Yes, this is Zentyal (https://zentyal.com/community/) which is the present incarnation of Ebox, built on Ubuntu (in this case 18.04). It aims to more or less make a turn-key appliance that includes the possibility of including various services (mail, firewall, Samba, etc.). That's where it comes from. Sorry for the confusion. I didn't want to obscure the fact that Zentyal was generating configurations for various services.

> > >
> > > If the former then you cannot join it to another DC, if it was a DC,
> > > then you need to remove all traces of the old DC.
> > >
> > It has never been a DC. I've been trying to get it to become a DC
>
> I believe you.
>

Thank you. :)

> > > > I made the change to exactly reflect your recommended settings.
> > > >
> > > > > > root at DC2:/etc/bind# cat named.conf.local
> > > > > > // Generated by Zentyal
> > > > >
> > > > > Why? they seem to be making a right mess of it ;-)
> > > > >
> > > > Tell me about it! It is kind of crazy the proliferation of
> > > > named.conf files, zones, etc.
>
> There is that word 'Zentyal' again, where is it coming from ?
>

See above or https://zentyal.com/community/

> > > > > Mine is just:
> > > > >
> > > > > include "/var/lib/samba/bind-dns/named.conf";
> > > > >
> > > > Presently, I have nothing in
> > > > the /var/lib/samba/bind-dns/named.conf
> > >
> > > Ah you wouldn't have, the path changed, yours would be:
> > >
> > > /var/lib/samba/private/named.conf
> > >
> > I don't have anything like that in that path:
>
> Mine is in /var/lib/samba/bind-dns , but I am using 4.9.6 and the path
> changed recently, but it should be in /var/lib/samba/??? , so try
> looking for it. If it isn't there, bind9 wasn't installed when you
> provisioned and/or you didn't provision with
> '--dns-backend=BIND9_DLZ' , or you need to run 'samba_upgradedns'
>

It could be that Zentyal moved it. If so, they don't reference it or call it in any of the other bind9 config files.

The provisioning command (originally taken from the one generated by Zentyal) is:

samba-tool domain join domain1.domain DC --username='EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --site='Default-First-Site' --server='existingdc1' --dns-backend=BIND9_DLZ --workgroup='domain1' -d 3

After attempting to join the following are created (that I know of - except for /var/lib/samba/private/dns):

/var/lib/samba/:
total 16
drwxr-xr-x  4 root root 4096 May  6 10:03 ./
drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../
drwxr-xr-x  5 root root 4096 May  6 10:07 private/
drwxr-xr-x  3 root root 4096 May  6 10:03 sysvol/

/var/lib/samba/private/:
total 10468
drwxr-xr-x 5 root root    4096 May  6 10:07 ./
drwxr-xr-x 4 root root    4096 May  6 10:03 ../
drwxr-xr-x 2 root root    4096 May  6 10:06 dns/
-rw-r--r-- 1 root root    3663 May  6 10:07 dns_update_list
-rw------- 1 root root 1286144 May  6 10:07 hklm.ldb
-rw------- 1 root root 1286144 May  6 10:07 idmap.ldb
-rw-r--r-- 1 root root      94 May  6 10:07 krb5.conf
-rw------- 1 root root 1286144 May  6 10:07 privilege.ldb
-rw------- 1 root root 4247552 May  6 10:07 sam.ldb
drwx------ 2 root root    4096 May  6 10:07 sam.ldb.d/
-rw------- 1 root root 1286144 May  6 10:07 secrets.ldb
-rw------- 1 root root     696 May  6 10:03 secrets.tdb
-rw------- 1 root root 1286144 May  6 10:03 share.ldb
-rw-r--r-- 1 root root     955 May  6 10:07 spn_update_list
drwx------ 2 root root    4096 May  6 10:03 tls/

Thanks,
James

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
James Fowler
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
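The path check discussed in the message above (look for the Samba-generated named.conf in both locations, then confirm named.conf.local includes it), as an added example that is not part of the original thread. The function names, the optional root-prefix argument and the sample tree are assumptions made for illustration; the paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the optional
# root-prefix argument are hypothetical; paths are the ones quoted in the post.

# Print the path of the Samba-generated BIND9_DLZ named.conf, if present.
find_samba_named_conf() {
    root="${1:-}"
    for d in bind-dns private; do      # newer location first, then older
        if [ -f "$root/var/lib/samba/$d/named.conf" ]; then
            printf '%s\n' "/var/lib/samba/$d/named.conf"
            return 0
        fi
    done
    return 1
}

# Returns 0 = included, 1 = file exists but is not included, 2 = file missing.
check_dlz_include() {
    root="${1:-}"
    local_conf="$root/etc/bind/named.conf.local"
    if ! conf=$(find_samba_named_conf "$root"); then
        echo "MISSING: no named.conf under /var/lib/samba/{bind-dns,private};" \
             "check the join used --dns-backend=BIND9_DLZ or run samba_upgradedns"
        return 2
    fi
    # Drop comment lines so a commented-out include does not count.
    if grep -Ev '^[[:space:]]*(//|#)' "$local_conf" 2>/dev/null |
        grep -Fq "include \"$conf\";"; then
        echo "OK: $local_conf includes $conf"
        return 0
    fi
    echo "NOT INCLUDED: add 'include \"$conf\";' to $local_conf"
    return 1
}

# Constructed sample tree mirroring the listing in the post: private/ holds
# dns/ but no named.conf, and named.conf.local has only the Zentyal comment.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/lib/samba/private/dns" "$t/etc/bind"
    printf '// Generated by Zentyal\n' > "$t/etc/bind/named.conf.local"
    printf '%s\n' "$t"
}

if [ "${1:-}" = "--demo" ]; then
    check_dlz_include "$(make_sample_tree)"
fi
```

Run with `--demo` to see the result for the constructed tree; call `check_dlz_include` with no argument to check the live filesystem.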
Rowland Penny
2019-May-06 14:49 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Mon, 6 May 2019 10:39:05 -0400
James Fowler <fowlerj at adst.org> wrote:

> Inline.
>
> On Mon, May 6, 2019 at 9:58 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Mon, 6 May 2019 09:32:45 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > > Inline reply.
> > >
> > > > > > There is also that word 'Zentyal', was/is this computer a
> > > > > > Zentyal DC ?
> > > > > Yes.
> > > >
> > > > Which, is it a DC, or was it a DC
> > > >
> > > It has never been a DC. I even wiped the machine (again) at one
> > > point just to eliminate possible contamination
> >
> > I asked about 'Zentyal' and was/if this was a DC, you answered
> > 'Yes'. I asked which, now you say it has never been a DC, so where
> > did 'Zentyal' come from ?
> >
> Yes, this is Zentyal (https://zentyal.com/community/) which is the
> present incarnation of Ebox, built on Ubuntu (in this case 18.04).
> It aims to more or less make a turn-key appliance that includes the
> possibility of including various services (mail, firewall, Samba,
> etc.). That's where it comes from. Sorry for the confusion. I
> didn't want to obscure the fact that Zentyal was generating
> configurations for various services.
>

Zentyal is usually a Samba AD DC, I suggest you wipe it from your disc and then start with clean OS.

Rowland
James Fowler
2019-May-06 15:14 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
All, but once, I've used it as second DC in conjunction with a Windows AD server, joining it to an existing domain. Granted, this is the first time I've used it with a 2008R2 AD domain and forest level. Before I spent anyone else's time on this, I wiped it completely (down to new disk labels) and still run into this error. It is good to know that it should be working. If anyone comes upon a solution, please post it to the list. If/when I find one, I will too.

Thank you for all of your help.

James

On Mon, May 6, 2019 at 10:49 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 10:39:05 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline.
> >
> > On Mon, May 6, 2019 at 9:58 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Mon, 6 May 2019 09:32:45 -0400
> > > James Fowler <fowlerj at adst.org> wrote:
> > >
> > > > Inline reply.
> > > >
> > > > > > > There is also that word 'Zentyal', was/is this computer a
> > > > > > > Zentyal DC ?
> > > > > > Yes.
> > > > >
> > > > > Which, is it a DC, or was it a DC
> > > > >
> > > > It has never been a DC. I even wiped the machine (again) at one
> > > > point just to eliminate possible contamination
> > >
> > > I asked about 'Zentyal' and was/if this was a DC, you answered
> > > 'Yes'. I asked which, now you say it has never been a DC, so where
> > > did 'Zentyal' come from ?
> > >
> > Yes, this is Zentyal (https://zentyal.com/community/) which is the
> > present incarnation of Ebox, built on Ubuntu (in this case 18.04).
> > It aims to more or less make a turn-key appliance that includes the
> > possibility of including various services (mail, firewall, Samba,
> > etc.). That's where it comes from. Sorry for the confusion. I
> > didn't want to obscure the fact that Zentyal was generating
> > configurations for various services.
> >
>
> Zentyal is usually a Samba AD DC, I suggest you wipe it from your
> disc and then start with clean OS.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
James Fowler
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy