The user is a member of "Domain Admins" so they should be able to access the DNS (as is evident by the fact that they can access the DNS thru RSAT on the initial DC).
But just to be thorough I have added "Domain Admins" to the group "DnsAdmins" and tested again, still get the "access denied" error from within Windows.

On Tue, Dec 12, 2017 at 11:01 AM, lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 12/12/2017 11:24 AM, Taylor Hammerling via samba wrote:
>
>> I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which seemed to have someone experiencing the same issue I am.
>> I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my smb.conf, rebooted the server, but still I get an access denied message in Windows.
>> However, what is logged in the log.samba files has changed since adding this option to my smb.conf. It now shows
>>
>> [2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
>> dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
>>
>> when I try to open the DNS Management RSAT
>>
>> On Tue, Dec 12, 2017 at 10:04 AM, Taylor Hammerling <thammerling at tcsbasys.com> wrote:
>>
>>> I cranked up the log level to 3 and found this in the log.samba file when trying to open the DNS Manager RSAT from my client machine (which is joined to the same domain as the DCs)
>>>
>>> [2017/12/12 09:59:30.601170, 2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>>> dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
>>>
>>> On Tue, Dec 12, 2017 at 9:47 AM, Taylor Hammerling <thammerling at tcsbasys.com> wrote:
>>>
>>>> Good morning all!
>>>>
>>>> I have two DCs, both running Samba 4.7.3. I have just joined the second DC to the domain. The second DC is replicating AD objects perfectly, I verified this by running "samba-tool drs showrepl" as well as using the ADUC RSAT snapin and adding a user to one DC, then switching the DC that ADUC connects to and verifying that the user was properly replicated.
>>>>
>>>> The DNS objects are also replicating properly. I checked this by running "samba-dnsupdate" as well as by running nslookup, switching the server to the new DC and doing a couple of lookups.
>>>>
>>>> Unfortunately, I can't access the DNS on the new DC thru the DNS Manager RSAT snapin. I get an "access denied" error. There are no entries in any of the samba logs when I attempt to open the DNS Manager snapin either.
>>>>
>>>> I CAN access the DNS on the original DC using the DNS Manager RSAT snapin.
>>>>
>>>> I'm hoping (and suspecting) this will just be an easy fix of chmodding/chowning something...
>>>> I've spent the last hour googling and have come up with nada.
>>>>
>>>> Any help you can provide would be VERY appreciated!
>>>>
>>>> --
>>>> *Taylor Hammerling* | *IT Manager*
>>>> 2800 Laura Lane | Middleton, WI 53562
>>>> *O *(608) 669-9070 *| C *(608) 512-7849
>>>> tcsbasys.com | ubiquistat.com
>
> Is your user part of the DNS admins group?
>
> --
> James

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com

Are you using the default SSL certs in samba?

I had a similar issue, and after creating my own certificate with all common names used on my domain (for example domain.com, dc1.domain.com and dc2.domain.com), I'm able to manage the DNS using RSAT using those names. With the IP address it is still failing.

Greetings!!

On 12 Dec 2017 at 6:13 p.m., "Taylor Hammerling via samba" <samba at lists.samba.org> wrote:

> The user is a member of "Domain Admins" so they should be able to access the DNS (as is evident by the fact that they can access the DNS thru RSAT on the initial DC).
> But just to be thorough I have added "Domain Admins" to the group "DnsAdmins" and tested again, still get the "access denied" error from within Windows.

Daniel, I could kiss you :D

I am using the default SSL certs in samba.
I tried connecting to the new DC using its FQDN instead of its IP, and BAM, it connected just fine.
Couldn't really tell you why, but as long as I can access it I'm happy!

On Tue, Dec 12, 2017 at 11:20 AM, Daniel Carrasco <d.carrasco at i2tic.com> wrote:

> Are you using the default SSL certs in samba?
>
> I had a similar issue, and after creating my own certificate with all common names used on my domain (for example domain.com, dc1.domain.com and dc2.domain.com), I'm able to manage the DNS using RSAT using those names. With the IP address it is still failing.
>
> Greetings!!

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
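
Added example, not part of the original thread and not Samba code: a small Python parser for the two dcesrv_request rejection entries quoted in the thread, decoding the hex type and level fields with the MS-RPCE numbering (0xa is NTLMSSP, 0x2 is connect, 0x4 is packet). The function and field names are illustrative assumptions, and the sample log is constructed from the entries in the thread with the e-mail line wrapping undone.

```python
import re

# MS-RPCE authentication service and level codes, which Samba prints in hex.
AUTH_TYPES = {0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "Kerberos", 0x44: "Netlogon"}
AUTH_LEVELS = {1: "none", 2: "connect", 3: "call", 4: "packet",
               5: "integrity", 6: "privacy"}

HEX = r"0x[0-9a-fA-F]+"
DENY_RE = re.compile(
    r"dcesrv_request: restrict "
    r"(?:access by min_auth_level\[(?P<min>" + HEX + r")\]|auth_level_connect access) "
    r"to \[(?P<iface>[^\]]+)\] "
    r"with auth\[type=(?P<type>" + HEX + r"),level=(?P<level>" + HEX + r")\] "
    r"on \[(?P<transport>[^\]]+)\] from \[(?P<peer>[^\]]+)\]"
)

def _name(table, hex_text):
    value = int(hex_text, 16)
    return table.get(value, "unknown(%#x)" % value)

def parse_denials(log_text):
    """Return one dict per dcesrv_request auth-level rejection in log_text."""
    # Samba writes the header and the message on separate lines; collapse
    # whitespace so the pattern does not depend on that layout.
    flat = " ".join(log_text.split())
    results = []
    for m in DENY_RE.finditer(flat):
        results.append({
            "interface": m.group("iface"),
            "transport": m.group("transport"),
            "peer": m.group("peer"),
            "auth_type": _name(AUTH_TYPES, m.group("type")),
            "auth_level": _name(AUTH_LEVELS, m.group("level")),
            # None for the "auth_level_connect" form, which names no minimum.
            "min_level": _name(AUTH_LEVELS, m.group("min")) if m.group("min") else None,
        })
    return results

# Constructed sample: the two entries quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[2017/12/12 09:59:30.601170, 2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
[2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
"""

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        need = d["min_level"] or "above connect"
        print("%(peer)s -> %(interface)s: %(auth_type)s at %(auth_level)s level" % d,
              "(needs %s)" % need)
```

Both entries decode to an NTLMSSP bind at connect level against the dnsserver interface; the second shows the server requiring at least packet level.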