Good morning all!

I have two DCs, both running Samba 4.7.3. I have just joined the second DC to the domain. The second DC is replicating AD objects perfectly; I verified this by running "samba-tool drs showrepl" as well as using the ADUC RSAT snapin and adding a user to one DC, then switching the DC that ADUC connects to and verifying that the user was properly replicated.

The DNS objects are also replicating properly. I checked this by running "samba-dnsupdate" as well as by running nslookup, switching the server to the new DC and doing a couple of lookups.

Unfortunately, I can't access the DNS on the new DC thru the DNS Manager RSAT snapin. I get an "access denied" error. There are no entries in any of the samba logs when I attempt to open the DNS Manager snapin either.

I CAN access the DNS on the original DC using the DNS Manager RSAT snapin.

I'm hoping (and suspecting) this will just be an easy fix of chmodding/chowing something...
I've spent the last hour googling and have come up with nada.

Any help you can provide would be VERY appreciated!

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com

I cranked up the log level to 3 and found this in the log.samba file when trying to open the DNS Manager RSAT from my client machine (which is joined to the same domain as the DCs):

[2017/12/12 09:59:30.601170, 2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]

I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which seemed to have someone experiencing the same issue I am.

I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my smb.conf and rebooted the server, but I still get an access denied message in Windows. However, what is logged in the log.samba files has changed since adding this option to my smb.conf. It now shows

[2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]

when I try to open the DNS Management RSAT.
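
The two dcesrv_request rejections quoted in this thread can be decoded field by field. The following is an added example, not part of the original posts and not Samba code: it parses such lines and names the numeric auth type and level using the RPC_C_AUTHN_* and RPC_C_AUTHN_LEVEL_* values from MS-RPCE. The function names and the sample string are assumptions made for the illustration.

```python
import re

# Numeric values are the RPC_C_AUTHN_* / RPC_C_AUTHN_LEVEL_* constants from MS-RPCE;
# the short names are the ones commonly used for them.
AUTH_TYPES = {0x00: "NONE", 0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "KRB5", 0x44: "SCHANNEL"}
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PACKET", 5: "INTEGRITY", 6: "PRIVACY"}

# Constructed sample: the two message lines quoted in the thread, one per line.
SAMPLE_LOG = """\
dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
"""

REJECT = re.compile(
    r"dcesrv_request: restrict "
    r"(?:auth_level_connect access|access by min_auth_level\[(?P<min>0x[0-9a-fA-F]+)\]) "
    r"to \[(?P<iface>[^\]]+)\] with auth\[type=(?P<type>0x[0-9a-fA-F]+),"
    r"level=(?P<level>0x[0-9a-fA-F]+)\] on \[(?P<transport>[^\]]+)\] "
    r"from \[(?P<peer>[^\]]+)\]"
)

def name(table, value):
    """Return the symbolic name for a numeric field, or the raw hex if unknown."""
    return table.get(value, hex(value))

def parse_rejections(text):
    """Extract every dcesrv_request rejection from log text as a list of dicts."""
    records = []
    for m in REJECT.finditer(text):
        min_level = int(m["min"], 16) if m["min"] else None
        records.append({
            "interface": m["iface"],
            "transport": m["transport"],
            "peer": m["peer"].replace(" ", ""),
            "auth_type": name(AUTH_TYPES, int(m["type"], 16)),
            "auth_level": name(AUTH_LEVELS, int(m["level"], 16)),
            # Which check refused the call: connect-level restriction or minimum level.
            "rule": "min_auth_level" if min_level is not None else "auth_level_connect",
            "min_level": name(AUTH_LEVELS, min_level) if min_level is not None else None,
        })
    return records

if __name__ == "__main__":
    for record in parse_rejections(SAMPLE_LOG):
        print(record)
```

Both records decode to NTLMSSP at CONNECT level, which authenticates the bind but gives no per-packet protection. The second record shows a different check refusing the call after the smb.conf change: a minimum of PACKET level on the dnsserver interface.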