Temporarily stopped the firewall (both).
Increased debug.
Same error:
Thanks
f
root@grants-dc:/var/lib/samba# samba-tool domain join s4ad.domain.org DC -U administrator --realm=S4AD.domain.ORG --debug=15
INFO: Current debug levels:
all: 15
tdb: 15
printdrivers: 15
lanman: 15
smb: 15
rpc_parse: 15
rpc_srv: 15
rpc_cli: 15
passdb: 15
sam: 15
auth: 15
winbind: 15
vfs: 15
idmap: 15
quota: 15
acls: 15
locking: 15
msdfs: 15
dmapi: 15
registry: 15
scavenger: 15
dns: 15
ldb: 15
tevent: 15
auth_audit: 15
auth_json_audit: 15
kerberos: 15
drs_repl: 15
smb2: 15
smb2_credits: 15
dsdb_audit: 15
dsdb_json_audit: 15
dsdb_password_audit: 15
dsdb_password_json_audit: 15
dsdb_transaction_audit: 15
dsdb_transaction_json_audit: 15
dsdb_group_audit: 15
dsdb_group_json_audit: 15
ldapsrv: 15
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
INFO 2025-10-10 17:57:32,177 pid:133803
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC for
domain 's4ad.domain.org'
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255
netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255
netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255
netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain s4ad.domain.org
finddcs: looking for SRV records for _ldap._tcp.s4ad.domain.org
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.s4ad.domain.org<0x0>
getlmhostsent: lmhost entry: xx.xx.xx.xx grants
getlmhostsent: lmhost entry: yy.yy.yy.yy grants-dc
dns_lookup_send_next: Sending DNS request #0 to xx.xx.xx.xx
dns_cli_request_send: Asking xx.xx.xx.xx for _ldap._tcp.s4ad.domain.org./1/33
via UDP
[0000] 0D 34 01 00 00 01 00 00 00 00 00 01 05 5F 6C 64 .4...... ....._ld
[0010] 61 70 04 5F 74 63 70 04 73 34 61 64 05 63 65 73 ap._tcp. s4ad.ces
[0020] 76 69 03 6F 72 67 00 00 21 00 01 00 00 29 10 00 vi.org.. !....)..
[0030] 00 00 00 00 00 00 ......
dns_lookup_send_next: cancelling wait_subreq
[0000] 0D 34 85 80 00 01 00 01 00 00 00 01 05 5F 6C 64 .4...... ....._ld
[0010] 61 70 04 5F 74 63 70 04 73 34 61 64 05 63 65 73 ap._tcp. s4ad.ces
[0020] 76 69 03 6F 72 67 00 00 21 00 01 C0 0C 00 21 00 vi.org.. !.....!.
[0030] 01 00 00 03 84 00 1D 00 00 00 64 01 85 06 67 72 ........ ..d...gr
[0040] 61 6E 74 73 04 73 34 61 64 05 63 65 73 76 69 03 ants.s4a d.domain.
[0050] 6F 72 67 00 00 00 29 04 D0 00 00 00 00 00 00 org...). .......
Addrs = xx.xx.xx.xx at 389/grants
finddcs: DNS SRV response 0 at 'xx.xx.xx.xx'
ERROR: Failed to find a writeable DC for domain 's4ad.domain.org': The
object was not found.
File "/usr/lib/python3/dist-packages/samba/join.py", line 352, in
find_dc
ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP |
nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Cc: "Rowland Penny" <rpenny at samba.org>
Sent: Thursday, 9 October 2025 18:29:55
Subject: Re: [Samba] Failed to find a writeable DC
On Thu, 9 Oct 2025 18:12:00 +0200 (CEST)
Fabrizio Rompani <fabrizio.rompani at yetopen.com>
wrote:
>
> On both VMs firewalld is installed: there's a zone "trusted" with
> target accept.
>
> trusted (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces:
> sources: ipset:trust
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> IP yy.yy.yy.yy belongs to ipset "trust" on VM xx.xx.xx.xx and
> vice versa, so everything should be open from yy.yy.yy.yy to
> xx.xx.xx.xx and vice versa.
>
> e.g.:
>
> from yy.yy.yy.yy:
>
> telnet xx.xx.xx.xx 389
> Trying xx.xx.xx.xx...
> Connected to xx.xx.xx.xx.
> Escape character is '^]'.
>
> telnet xx.xx.xx.xx 445
> Trying xx.xx.xx.xx...
> Connected to xx.xx.xx.xx.
> Escape character is '^]'.
>
>
>
>
> >
> >
> >
> > What about a different approach:
> > back up the online DC (samba 4.15) and restore into new samba
> > 4.23. Change resolv.conf and Nextcloud ldap to point to itself:
> > grants-dc
> >
> > What do you think about it?
>
> Not much.
> Joining a new DC should be effortless, when it doesn't work it is
> usually down to a DNS problem.
>
> So a different version shouldn't be a problem, right?
No, the version shouldn't be a problem.
> Could you suggest some DNS checks?
>
The first thing I would do is, turn off the firewalls temporarily.
If the join works, then great, you know where to look, if it doesn't,
then we will go into everything further.
Rowland