Peter Beck
2015-Jun-14 11:18 UTC
[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)
Hi guys,

when trying to do anything dns related on a samba4 dc (additional dc which should replace a 2003 server) I always got a "WERR_DNS_ERROR_DS_UNAVAILABLE" error.

The zones seem to be replicated to the samba server as I can dig whatever record I want and it gets resolved, I am just unable to manage anything on the samba server. It's also not possible to add the samba server to the windows dns mmc.

I've already tried to switch (and reprovision) from internal dns to bind-dlz (Bind 9.9.5), but it's the same error.

The system is Debian Jessie 8.0.1 with Samba 4.1.17, no firewall active on both (windows and debian) systems.

[root at unxads001 ~]# samba-tool dns serverinfo unxads001 -Uadministrator%password
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001[,sign]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 711, in run
    None, 'ServerInfo')

Replication seems to work just fine (on both sides, the windows dc and the samba dc). I have added the dns partition replicas manually with ntdsutil according to the wiki-pages [1]

[root at unxads001 ~]# samba-tool drs showrepl
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001.domain.local,seal]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Default-First-Site\UNXADS001
DSA Options: 0x00000001
DSA object GUID: 9f8694eb-ad7a-4304-9d25-96a3ad88cd8a
DSA invocationId: 756659bd-aca4-4cbb-97b0-d8b0e929632b

==== INBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

==== OUTBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 7069717d-4dea-46e9-8be8-243c8e5b9474
    Enabled : TRUE
    Server DNS name : winads001.domain.local
    Server DN name : CN=NTDS Settings,CN=WINADS001,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

And the function level is set to 2003

Domain and forest function level for domain 'DC=domain,DC=local'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003

In my resolv.conf there is the correct domain and both servers listed - does not matter which one I choose as the first - the result is the same.

domain domain.local
search domain.local
nameserver 192.168.0.5 (the windows dc)
nameserver 192.168.0.22 (the samba dc)

samba_dnsupdate --verbose is telling me that there are no DNS updates needed.

My smb.conf is having the line "nsupdate command = nsupdate" included.

Any clues to get the dns management working on the samba side? Couldn't find something on my own researching this issue...only others having similar issues.... I once had similar issues two years ago [2]

Thanks
Peter

[1] https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting#DNS_Replication_from_Windows_AD_DC_fails
[2] https://lists.samba.org/archive/samba/2013-February/171749.html
Peter Beck
2015-Jun-14 22:28 UTC
[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)
what I've also recognized:

on a pure Samba4 domain (2 domain controllers) there is the directory /var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory "sam.ldb.d" containing all zones as ldb files:

[root at unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
-rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
-rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb

The sam.ldb file contains one single record:

# editing 1 records
# record 1
dn: DC=domain,DC=local
instanceType: 5
objectClass: top
objectClass: domaindns
objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
objectSid: S-1-5-21-2026243258-1306757702-3697109298
distinguishedName: DC=domain,DC=local

This directory is completely missing on the Samba dc which was added to the Server 2003 domain.

How can I get these files? Can I manually force the creation? Sounds to me like this could be the problem?

Regards
Peter
buhorojo
2015-Jun-15 17:11 UTC
[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)
On 15/06/15 00:28, Peter Beck wrote:
> what I've also recognized:
>
> on a pure Samba4 domain (2 domain controllers) there is the directory
> /var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory
> "sam.ldb.d" containing all zones as ldb files:
>
> [root at unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
> -rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb

bind needs w here too:

> -rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb

> -rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
> -rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb
>
>
> The sam.ldb file contains one single record:
>
> # editing 1 records
> # record 1
> dn: DC=domain,DC=local
> instanceType: 5
> objectClass: top
> objectClass: domaindns
> objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
> objectSid: S-1-5-21-2026243258-1306757702-3697109298
> distinguishedName: DC=domain,DC=local
>
>
> This directory is completely missing on the Samba dc which was added to
> the Server 2003 domain.
>
> How can I get this files ? Can I manually force the creation ? Sounds to
> me like this could be the problem ?
>
> Regards
> Peter

Is bind installed?
Rowland Penny
2015-Jun-15 18:48 UTC
[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)
On 14/06/15 23:28, Peter Beck wrote:
> what I've also recognized:
>
> on a pure Samba4 domain (2 domain controllers) there is the directory
> /var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory
> "sam.ldb.d" containing all zones as ldb files:
>
> [root at unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
> -rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
> -rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb
>
>
> The sam.ldb file contains one single record:
>
> # editing 1 records
> # record 1
> dn: DC=domain,DC=local
> instanceType: 5
> objectClass: top
> objectClass: domaindns
> objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
> objectSid: S-1-5-21-2026243258-1306757702-3697109298
> distinguishedName: DC=domain,DC=local
>
>
> This directory is completely missing on the Samba dc which was added to
> the Server 2003 domain.
>
> How can I get this files ? Can I manually force the creation ? Sounds to
> me like this could be the problem ?
>
> Regards
> Peter

Are you sure anything is missing? Try:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs

The sam.ldb file does contain everything, but you cannot see everything normally. Whatever you do, *do not* edit the files in the sam.ldb.d directory.

Rowland
L.P.H. van Belle
2015-Jun-16 07:26 UTC
[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)
just saw this ....

>> [root at unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
>> -rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>bind needs w here too:
>> -rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 3.0M Aug 4 2014

All incorrect rights, and that's your problem. Bind can't write.
Your folder /var/lib/samba/private/dns/sam.ldb.d/ has 750 set, should be 770 and root:root, should be root:bind.
Please check; from this point, below is what you want.

/var/lib/samba/private/dns
drwxrwx--- 3 root bind 4096 Jun 1 09:41 dns

So do a chgrp bind on all files and folders, and make sure you have 660 set on the files, and that should fix it.

Greetz,

Louis

>-----Original message-----
>From: buhorojo.lcb at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of buhorojo
>Sent: Monday 15 June 2015 19:12
>To: samba at lists.samba.org
>Subject: Re: [Samba] Unable to manage dns
>(ERR_DNS_ERROR_DS_UNAVAILABLE)
>
>On 15/06/15 00:28, Peter Beck wrote:
>> what I've also recognized:
>>
>> on a pure Samba4 domain (2 domain controllers) there is the directory
>> /var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory
>> "sam.ldb.d" containing all zones as ldb files:
>>
>> [root at unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
>> -rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>bind needs w here too:
>> -rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
>
>> -rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
>> -rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb
>>
>>
>> The sam.ldb file contains one single record:
>>
>> # editing 1 records
>> # record 1
>> dn: DC=domain,DC=local
>> instanceType: 5
>> objectClass: top
>> objectClass: domaindns
>> objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
>> objectSid: S-1-5-21-2026243258-1306757702-3697109298
>> distinguishedName: DC=domain,DC=local
>>
>>
>> This directory is completely missing on the Samba dc which was added to
>> the Server 2003 domain.
>>
>> How can I get this files ? Can I manually force the creation ? Sounds to
>> me like this could be the problem ?
>>
>> Regards
>> Peter
>Is bind installed?
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
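
Added example (not part of the original thread, and not Samba's or BIND's own tooling): a read-only audit of the modes and group ownership given in the reply above (directories 770, files 660, group bind), so deviations can be listed before anything is changed. The function names, the optional group argument and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a BIND9_DLZ dns directory against the
# values stated in the thread (directories 770, files 660, group bind).

# audit_dlz_perms DIR [GROUP]
# Prints one line per deviating entry; returns 0 when clean, 1 otherwise.
audit_dlz_perms() {
    _root=$1
    _group=${2:-bind}          # group named in the thread; overridable
    _report=$(
        find "$_root" -type d ! -perm 770 -exec printf 'DIRMODE  %s\n' {} \;
        find "$_root" -type f ! -perm 660 -exec printf 'FILEMODE %s\n' {} \;
        find "$_root" ! -group "$_group" -exec printf 'GROUP    %s\n' {} \;
    )
    if [ -z "$_report" ]; then
        return 0
    fi
    printf '%s\n' "$_report"
    return 1
}

# Constructed sample tree that mimics the modes shown in the thread
# (file names shortened, contents empty). Prints the tree's path.
make_sample_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/dns/sam.ldb.d"
    touch "$_t/dns/sam.ldb" "$_t/dns/sam.ldb.d/metadata.tdb" \
          "$_t/dns/sam.ldb.d/DC=DOMAINDNSZONES.ldb"
    chmod 770 "$_t/dns"
    chmod 750 "$_t/dns/sam.ldb.d"                         # reported as wrong
    chmod 660 "$_t/dns/sam.ldb" "$_t/dns/sam.ldb.d/metadata.tdb"
    chmod 640 "$_t/dns/sam.ldb.d/DC=DOMAINDNSZONES.ldb"   # -rw-r-----
    echo "$_t"
}

# Group that owns a path, so the unprivileged demo has a group to check
# against; on a real DC the second argument is omitted (default: bind).
tree_group() {
    ls -ld "$1" | awk '{print $4}'
}

demo_tree=$(make_sample_tree)
audit_dlz_perms "$demo_tree/dns" "$(tree_group "$demo_tree/dns")" \
    || echo "deviations found"
rm -rf "$demo_tree"
```

On a domain controller the call would be `audit_dlz_perms /var/lib/samba/private/dns`, run as root so every entry is readable.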