thr3ads.net - samba - [Samba] Setup a Samba AD DC as an additional DC [Nov 2018]

If this information is useful, please help other people find it:
Share via:

L.P.H. van Belle

2018-Nov-27 08:23 UTC

[Samba] Setup a Samba AD DC as an additional DC

Hai, 

I had a quick look. 

Barry, can you get this script and run it.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Then post the results to the list.  
It collects all info i need to have a better look. 

I have a few ideas, this might be a resolving order problem, i've based on
the errors below.
Can you also post the output of bind from the point its starting up until samba
has started.

Greetz, 

Louis

P.s.
@Rowland, good morning, the one you got was send to soon... 

> 
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Rowland Penny via samba
> > Verzonden: maandag 26 november 2018 18:45
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Setup a Samba AD DC as an additional DC
> > 
> > 
> > OK, I have been trying to help Barry get Samba to join to a Windows
> > domain as a DC and we seem to have chased it down to this:
> > 
> >  ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for XXXXX from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=XXXXX)(objectclass=primaryDomain))' base:
'cn=Primary
> > Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4702) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(runtime): uncaught 
> exception -
> > (9005, 'WERR_DNS_ERROR_RCODE_REFUSED') File
> > 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
177,
> > in _run return self.run(*args, **kwargs) File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
> > line 716, in
> > run backend_store=backend_store) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500,
> > in join_DC
> > ctx.do_join() File
"/usr/lib/python2.7/dist-packages/samba/join.py",
> > line 1405, in do_join ctx.join_add_dns_records() File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1110,
in
> > join_add_dns_records del_rec_buf)
> > 
> > He has examined the secrets.ldb and it doesn't contain the '
dn:
> > flatname=XXXXX,cn=Primary Domains' object, even if he deletes it,
it
> > gets recreated without that object.
> > 
> > I have run out of ideas, I even joined a Samba machine to a
> > 2012 DC (2008 function level) without problem, anybody got 
> any ideas ?
> > 
> > Rowland
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
>

Barry D. Adkins

2018-Nov-27 09:03 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

At this point I have started over with a VIRGIN Ubuntu 18.04 Server.

I am about to Start the: samba-tool domain join

Never the less... here I go...  I will run your script. Louis, and I am very
appreciative of all the help I have received!!

-Barry Adkins

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
Belle via samba
Sent: Tuesday, November 27, 2018 2:24 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Setup a Samba AD DC as an additional DC

Hai, 

I had a quick look. 

Barry, can you get this script and run it.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Then post the results to the list.  
It collects all info i need to have a better look. 

I have a few ideas, this might be a resolving order problem, i've based on
the errors below.
Can you also post the output of bind from the point its starting up until samba
has started.

Greetz, 

Louis

P.s.
@Rowland, good morning, the one you got was send to soon... 

> 
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland 
> > Penny via samba
> > Verzonden: maandag 26 november 2018 18:45
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Setup a Samba AD DC as an additional DC
> > 
> > 
> > OK, I have been trying to help Barry get Samba to join to a Windows 
> > domain as a DC and we seem to have chased it down to this:
> > 
> >  ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch 
> > machine account password for XXXXX from both secrets.ldb (Could not 
> > find entry to match filter:
> > '(&(flatname=XXXXX)(objectclass=primaryDomain))' base:
'cn=Primary
> > Domains': No such object: dsdb_search at 
> > ../source4/dsdb/common/util.c:4702) and from 
> > /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(runtime): uncaught
> exception -
> > (9005, 'WERR_DNS_ERROR_RCODE_REFUSED') File
> > 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
177,
> > in _run return self.run(*args, **kwargs) File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > line 716, in
> > run backend_store=backend_store) File 
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500,
in
> > join_DC
> > ctx.do_join() File
"/usr/lib/python2.7/dist-packages/samba/join.py",
> > line 1405, in do_join ctx.join_add_dns_records() File 
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1110,
in
> > join_add_dns_records del_rec_buf)
> > 
> > He has examined the secrets.ldb and it doesn't contain the '
dn:
> > flatname=XXXXX,cn=Primary Domains' object, even if he deletes it,
it
> > gets recreated without that object.
> > 
> > I have run out of ideas, I even joined a Samba machine to a
> > 2012 DC (2008 function level) without problem, anybody got
> any ideas ?
> > 
> > Rowland
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Barry D. Adkins

2018-Nov-27 21:06 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

??Can you also post the output of bind from the point its starting up until
samba has started??
I am not certain how to obtain this.  -- Barry

Collected config  --- 2018-11-27-14:54 -----------

Hostname: Sambadc1
DNS Domain: Mydomain.com
FQDN: Sambadc1.Mydomain.com
ipaddress: ##.##.##.##

-----------
Samba is not being run as a DC or a Unix domain member.
Checking file: /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
    link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
    inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
    inet6 fe80::21e:67ff:fe79:11b8/64 scope link 
3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
    link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts 
127.0.0.1	localhost
::1		localhost6

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------
Checking file: /etc/resolv.conf 
search daram.com
nameserver ##.##.##.20


-----------
Checking file: /etc/krb5.conf 
[libdefaults]
	default_realm = MYDOMAIN.COM

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms]
	ATHENA.MIT.EDU = {
		kdc = kerberos.mit.edu
		kdc = kerberos-1.mit.edu
		kdc = kerberos-2.mit.edu:88
		admin_server = kerberos.mit.edu
		default_domain = mit.edu
	}
	ZONE.MIT.EDU = {
		kdc = casio.mit.edu
		kdc = seiko.mit.edu
		admin_server = casio.mit.edu
	}
	CSAIL.MIT.EDU = {
		admin_server = kerberos.csail.mit.edu
		default_domain = csail.mit.edu
	}
	IHTFP.ORG = {
		kdc = kerberos.ihtfp.org
		admin_server = kerberos.ihtfp.org
	}
	1TS.ORG = {
		kdc = kerberos.1ts.org
		admin_server = kerberos.1ts.org
	}
	ANDREW.CMU.EDU = {
		admin_server = kerberos.andrew.cmu.edu
		default_domain = andrew.cmu.edu
	}
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
	DEMENTIA.ORG = {
		kdc = kerberos.dementix.org
		kdc = kerberos2.dementix.org
		admin_server = kerberos.dementix.org
	}
	stanford.edu = {
		kdc = krb5auth1.stanford.edu
		kdc = krb5auth2.stanford.edu
		kdc = krb5auth3.stanford.edu
		master_kdc = krb5auth1.stanford.edu
		admin_server = krb5-admin.stanford.edu
		default_domain = stanford.edu
	}
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
	}

[domain_realm]
	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	.media.mit.edu = MEDIA-LAB.MIT.EDU
	media.mit.edu = MEDIA-LAB.MIT.EDU
	.csail.mit.edu = CSAIL.MIT.EDU
	csail.mit.edu = CSAIL.MIT.EDU
	.whoi.edu = ATHENA.MIT.EDU
	whoi.edu = ATHENA.MIT.EDU
	.stanford.edu = stanford.edu
	.slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA


-----------
Checking file: /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Warning,  does not exist

-----------
No username map detected.

-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  acl                                   2.2.52-3build1                   
amd64        Access control list utilities
ii  krb5-config                           2.6                               all 
Configuration files for Kerberos Version 5
ii  krb5-locales                          1.16-2build1                      all 
internationalization support for MIT Kerberos
ii  krb5-user                             1.16-2build1                     
amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.52-3build1                   
amd64        Access control list shared library
ii  libacl1-dev                           2.2.52-3build1                   
amd64        Access control list static libraries and headers
ii  libgssapi-krb5-2:amd64                1.16-2build1                     
amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1                     
amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.16-2build1                     
amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.16-2build1                     
amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                     4.8-1                            
amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804         
amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                    2:4.9.3+nmu-1~ubuntu1804         
amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                    2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba winbind client library
ii  python-samba                          2:4.9.3+nmu-1~ubuntu1804         
amd64        Python bindings for Samba
ii  samba                                 2:4.9.3+nmu-1~ubuntu1804         
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.9.3+nmu-1~ubuntu1804          all 
common files used by both the Samba server and client
ii  samba-common-bin                      2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba Virtual FileSystem plugins
ii  smbclient                             2:4.9.3+nmu-1~ubuntu1804         
amd64        command-line SMB/CIFS clients for Unix
ii  winbind                               2:4.9.3+nmu-1~ubuntu1804         
amd64        service to resolve user and group information from Windows NT
servers
-----------

Regards,
Barry D. Adkins

Rowland Penny

2018-Nov-27 21:25 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

On Tue, 27 Nov 2018 21:06:19 +0000
"Barry D. Adkins via samba" <samba at lists.samba.org> wrote:
> ??Can you also post the output of bind from the point its starting up
> until samba has started?? I am not certain how to obtain this.  --
> Barry
No, I don't understand that either ;-)
> -----------
> Checking file: /etc/hosts 
> 127.0.0.1	localhost
> ::1		localhost6
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> 
> -----------
The only problem I could see with your files is the above, there should
be a line like this:

YOUR_SAMBA_DCS_IPADDRESS YOUR_SAMBA_DCS_FQDN
YOUR_SAMBA_DCS_SHORT_HOSTNAME

Or with sample data:

192.168..0.2 dc1.samdom.example.com dc1

You could also try adding the Windows DCs data as well.

Rowland

L.P.H. van Belle

2018-Nov-27 22:35 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

I'll give an update tomorrow i've seen some questional things.
But typing on my phone s.ck.

Grz.zz... 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: dinsdag 27 november 2018 22:25
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Setup a Samba AD DC as an additional DC
> 
> On Tue, 27 Nov 2018 21:06:19 +0000
> "Barry D. Adkins via samba" <samba at lists.samba.org>
wrote:
> 
> > ??Can you also post the output of bind from the point its 
> starting up
> > until samba has started?? I am not certain how to obtain this.  --
> > Barry
> 
> No, I don't understand that either ;-)
> 
> > -----------
> > Checking file: /etc/hosts 
> > 127.0.0.1	localhost
> > ::1		localhost6
> > 
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > fe00::0 ip6-localnet
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > ff02::3 ip6-allhosts
> > 
> > -----------
> 
> The only problem I could see with your files is the above, 
> there should
> be a line like this:
> 
> YOUR_SAMBA_DCS_IPADDRESS YOUR_SAMBA_DCS_FQDN
> YOUR_SAMBA_DCS_SHORT_HOSTNAME
> 
> Or with sample data:
> 
> 192.168..0.2 dc1.samdom.example.com dc1
> 
> You could also try adding the Windows DCs data as well.
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

L.P.H. van Belle

2018-Nov-28 08:41 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

Hai, 

I did some re-reading heer and the things i did see. 

Ive'commented some parts below, and some older question i could find it in
the thread.

First my question. 
What is the running AD DC its os version/build, it was an MS server? 
>From a previous question. 
> I did this and the domain join with a Samba DC succeeded.
> Well these "errors/warnings" were reported even though the
command succeeded:
> 
> A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it
with this one. Do not create a symlink!
> 
> I don't know why this warning because the system krb5.conf has the
entries in that file they want to be merged.  Maybe the install examined the
file in /usr/shar/samba/setup  ??
You can ignore this safely.
The file created is the same as the defaults in /etc/krb5.conf

Then question after this.
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')

This DC your adding, are you useing bind9_DLZ or internal DNS from samba itself?
I suspect resolving problems. 
>From the collected info. ( commented inbetween the lines ) 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Barry D. Adkins via samba
> Verzonden: dinsdag 27 november 2018 22:06
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Setup a Samba AD DC as an additional DC
> 
> ??Can you also post the output of bind from the point its 
> starting up until samba has started??
> I am not certain how to obtain this.  -- Barry
> 
> Collected config  --- 2018-11-27-14:54 -----------
> 
> Hostname: Sambadc1
> DNS Domain: Mydomain.com
> FQDN: Sambadc1.Mydomain.com
> ipaddress: ##.##.##.##
> -----------
> Samba is not being run as a DC or a Unix domain member.
> Checking file: /etc/os-release 
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
> 
> -----------
> 
> Warning, /etc/devuan_version does not exist
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state 
> UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host 
> 2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
> mq state UP group default qlen 1000
>     link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
>     inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
>     inet6 fe80::21e:67ff:fe79:11b8/64 scope link 
> 3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state 
> DOWN group default qlen 1000
>     link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
> -----------
> Checking file: /etc/hosts 
> 127.0.0.1	localhost
> ::1		localhost6
IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC ( optional you can add
the other DC also, but wait dont add it now. )
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> 
> -----------
> Checking file: /etc/resolv.conf 
> search daram.com
> nameserver ##.##.##.20
Here the ip shown above, where is this one resolving to, i hope the ADDC server.
If you dont use systemd-resolved, thats fine, but make sure you removed it
correctly.
Thats a choice, the howto shown, works fine with it enabled. 
But here are the steps to remove it, if you want to remove it. 
# but PLEASE, keep this for the last, if we change to much not im not able to
find you problem.
# i do suspect resolving problem, yes. 
# systemctl disable systemd-resolved
# systemctl stop systemd-resolved
# systemctl mask systemd-resolved
# rm /etc/resolv.conf and create a new one ( you already did this ) 
# if exists, edit /etc/NetworkManager/NetworkManager.conf 
# in the main section, add : dns=none 
# reboot. 

but again, i want to know all outcomes first before you change this all. 

nslookup hostname
nslookup hostname.domain.tld

What do you see if you run: 
host IP_OF_OTHERDC
host IP_OF_THIS_DC

And 
dig a $(hostname -s)
dig a $(hostname -f)
Repeat but now with @ip_of_OTHER-DC at the end. dig 

dig -x ip_of_this_DC
dig -x ip_of_OTHER-DC
Repeat but now with @ip_of_OTHER-DC at the end.
> 
> 
> -----------
> Checking file: /etc/krb5.conf 
> [libdefaults]
> 	default_realm = MYDOMAIN.COM
#Here add : 
; for Windows 2008 with AES this make sure its matches better with the windows.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
> 
> # The following krb5.conf variables are only for MIT Kerberos.
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> # The following encryption type specification will be used by 
> MIT Kerberos
> .... Removed a bit to shorten the e-mail.
> 
> 
> -----------
> Checking file: /etc/nsswitch.conf 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:         compat systemd
> group:          compat systemd
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Warning,  does not exist
I was expecting output here for the command.
Check_file_exists "${SMBCONF}" 
Can you run these 2 commands : 
samba -b | grep 'CONFIGFILE' | awk '{print $NF}'

smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'


> 
> -----------
> No username map detected.Fine for a AD DC.

> 
> -----------
> 
> Installed packages, running: dpkg -l | egrep 
> "samba|winbind|krb5|smb|acl|xattr"
> ii  acl                                   2.2.52-3build1      
>               amd64        Access control list utilities
>.......... Removed part to shorten mail.
> SMB/CIFS clients for Unix
> ii  winbind                               
> 2:4.9.3+nmu-1~ubuntu1804          amd64        service to 
> resolve user and group information from Windows NT servers
> -----------
This looks ok to me. 


Last, i'll add this script into the other script in some time.

Get and run this one on the DC. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 


Now, very important, please dont change to much in the current running config,
except where i told to.
If you change more, im unable to find  you problem. 

Basicly, first i want to know how the resolving is setup and working. 


Greetz, 

Louis

Rowland Penny

2018-Nov-28 08:59 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

On Wed, 28 Nov 2018 09:41:09 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> I did some re-reading heer and the things i did see. 
> 
> Ive'commented some parts below, and some older question i could find
> it in the thread.
> 
> First my question. 
> What is the running AD DC its os version/build, it was an MS server? 
Yes it is Windows DC, the OP wants to change to Samba DC's
> 
> Then question after this.
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST') 
I personally have come to the conclusion that, whilst the DNS records
are in his Windows AD, they are not being replicated because he isn't
running a DNS server on any of his Windows DC's, I could be wrong, but
that's what I now think.
> 
> This DC your adding, are you useing bind9_DLZ or internal DNS from
> samba itself? I suspect resolving problems. 
As far as I am aware, he is using the internal dns server.

Rowland

Barry D. Adkins

2018-Nov-28 20:08 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

>What is the running AD DC its os version/build, it was an MS server? 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012 windows DC

Then question after this.
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')

This DC your adding, are you useing bind9_DLZ or internal DNS from samba itself?
I suspect resolving problems. 
>From the collected info. ( commented inbetween the lines ) 
> -----------
> Checking file: /etc/hosts 
> 127.0.0.1	localhost
> ::1		localhost6
>IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC ( optional you can
add the other DC also, but wait dont add it now. )
I added this already but it did not change the result.
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts
>> Checking file: /etc/resolv.conf
>> search daram.com
>> nameserver ##.##.##.20
>Here the ip shown above, where is this one resolving to, i hope the ADDC
server.
Yes to the ADDC Server
>If you dont use systemd-resolved, thats fine, but make sure you removed it
correctly.
>Thats a choice, the howto shown, works fine with it enabled. 
>But here are the steps to remove it, if you want to remove it. 
># but PLEASE, keep this for the last, if we change to much not im not able
to find you problem.
># i do suspect resolving problem, yes. 
># systemctl disable systemd-resolved
># systemctl stop systemd-resolved
># systemctl mask systemd-resolved
># rm /etc/resolv.conf and create a new one ( you already did this ) # if
exists, edit /etc/NetworkManager/NetworkManager.conf
># in the main section, add : dns=none
># reboot. 
>
>but again, i want to know all outcomes first before you change this all. 
I did not do the "mask" but did the other and I purged the resolved...
per Roland's instructions...

>nslookup hostname
>nslookup hostname.domain.tld
:~$ nslookup sambaDC.domain.com
Server:         131.192.176.20
Address:        131.192.176.20#53

Name:   sambaDC.domain.com
Address: 131.192.176.40
>What do you see if you run: 
>host IP_OF_OTHERDC
20.176.192.131.in-addr.arpa domain name pointer WindowsADDC.domain.com.
>host IP_OF_THIS_DC
Host 40.176.192.131.in-addr.arpa  domain name pointer sambaDC.domain.com.
>And
>dig a $(hostname -s)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
ThisDC-SambaDC-we-want-to-join
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 852b24514a370e2a (echoed)
;; QUESTION SECTION:
; sambaDC.                    IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)                <<<Windows
ADDC>>>
;; WHEN: Wed Nov 28 02:57:50 CST 2018
;; MSG SIZE  rcvd: 51
>dig a $(hostname -f)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
sambaDC.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6f82a8d3d3d97f1d (echoed)
;; QUESTION SECTION:
; sambaDC.domain.com.          IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)                                  
<<<Windows ADDC>>>
;; WHEN: Wed Nov 28 03:05:39 CST 2018
;; MSG SIZE  rcvd: 61
>Repeat but now with @ip_of_OTHER-DC at the end. dig 
>
>dig -x ip_of_this_DC
dig -x 131.192.176.40  (sambaDC)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 53854d1f16d34420 (echoed)
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 1 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:19:14 CST 2018
;; MSG SIZE  rcvd: 68
>dig -x ip_of_OTHER-DC
>Repeat but now with @ip_of_OTHER-DC at the end.
dig -x 131.192.176.20  (WinADDC)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9aee9cb762be5fc3 (echoed)
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:21:20 CST 2018
;; MSG SIZE  rcvd: 68
> 
> 
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
> 	default_realm = MYDOMAIN.COM
#Here add : 
; for Windows 2008 with AES this make sure its matches better with the windows.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
> 
> # The following krb5.conf variables are only for MIT Kerberos.
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> # The following encryption type specification will be used by MIT 
> Kerberos .... Removed a bit to shorten the e-mail.
> 
> 
> -----------
> Checking file: /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
installed,
> try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:         compat systemd
> group:          compat systemd
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Warning,  does not exist
>I was expecting output here for the command.
>Check_file_exists "${SMBCONF}"
I have been deleting smb.conf before I run the samba-tool.  It creates a new one
even though the join fails.
>Can you run these 2 commands : samba -b | grep 'CONFIGFILE' | awk '{print $NF}'

/etc/samba/smb.conf  (because I made an attempt to join the domain with
samba-tool)

smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'

/etc/samba/smb.conf
>> -----------
>> No username map detected.
>Fine for a AD DC.
>> 
>> -----------
>> 
>> Installed packages, running: dpkg -l | egrep  
>>"samba|winbind|krb5|smb|acl|xattr"
>> ii  acl                                   2.2.52-3build1      
>>               amd64        Access control list utilities
>>.......... Removed part to shorten mail.
>> SMB/CIFS clients for Unix
>> ii  winbind                               
>> 2:4.9.3+nmu-1~ubuntu1804          amd64        service to 
>> resolve user and group information from Windows NT servers
>> -----------
>
>This looks ok to me. 
>Last, i'll add this script into the other script in some time.
>Get and run this one on the DC. 
>https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh The Windows DC..?  Well with bash it doesn't work... so I assume you mean
the DC we're trying to setup.

1:~$ sudo /tmp/samba-info.sh
Could not find machine account in secrets database: Failed to fetch machine
account password for DARAM from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine
account password for DARAM from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine
account password for DARAM from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09073B, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v1772> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
This script was tested with Debian Jessie and Stretch
Server info:                    detected           (command and where to look)
This server hostname          = sambaDC            (hostname -s and /etc/hosts
and DNS server)
This server FQDN (hostname)   = sambaDC.domain.com  (hostname -f and /etc/hosts
and DNS server)
This server primary dnsdomain = domain.com      (hostname -d and
/etc/resolv.conf and DNS server)
This server IP address(ses)   = 131.192.176.40  (hostname -i (-I) and
/etc/networking/interfaces and DNS server
The DC with FSMO roles        =         (samba-tool fsmo show)
The DC (with FSMO) Site name  =         (samba-tool fsmo show)
The Default Naming Context    =         (samba-tool fsmo show)
The Kerberos REALM name used  = DOMAIN.COM       (kinit and /etc/krb5.conf and
resolving)
The Ipadres of DC win2012DC-Site2.domain.com        = 131.192.180.22
The Ipadres of DC win2012DC-Site1.domain.com        = 131.192.176.20
131.192.176.18


--Barry Adkins

L.P.H. van Belle

2018-Nov-29 10:27 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

Hai Barry, 
> Onderwerp: [Samba] Setup a Samba AD DC as an additional DC
> 
> >What is the running AD DC its os version/build, it was an MS server? 
> 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is 
> a 2012 windows DC
Yes, but win 2012 which one?  2012 or 2012R2 
Can you open a dosbox (cmd) and type : ver
The build nummer is? 
> 
> Then question after this.
> ERROR(runtime): uncaught exception - (9601, 
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST') 
> 
> This DC your adding, are you useing bind9_DLZ or internal DNS  from samba
itself?
> I suspect resolving problems. 
And these are confirmed below. 
> 
> From the collected info. ( commented inbetween the lines ) 
> 
> > -----------
> > Checking file: /etc/hosts 
> > 127.0.0.1	localhost
> > ::1		localhost6
> 
> >IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC ( 
> optional you can add the other DC also, but wait dont add it now. )
> 
> I added this already but it did not change the result.
> 
> >> # The following lines are desirable for IPv6 capable hosts
> >> ::1     localhost ip6-localhost ip6-loopback
> >> fe00::0 ip6-localnet
> >> ff02::1 ip6-allnodes
> >> ff02::2 ip6-allrouters
> >> ff02::3 ip6-allhosts
> 
> >> Checking file: /etc/resolv.conf
> >> search daram.com
> >> nameserver ##.##.##.20
> 
> >Here the ip shown above, where is this one resolving to, i 
> hope the ADDC server. 
> 
> Yes to the ADDC Server
> 
> >If you dont use systemd-resolved, thats fine, but make sure 
> you removed it correctly. 
> >Thats a choice, the howto shown, works fine with it enabled. 
> >But here are the steps to remove it, if you want to remove it. 
> ># but PLEASE, keep this for the last, if we change to much 
> not im not able to find you problem.
> ># i do suspect resolving problem, yes. 
> ># systemctl disable systemd-resolved
> ># systemctl stop systemd-resolved
> ># systemctl mask systemd-resolved
> ># rm /etc/resolv.conf and create a new one ( you already did 
> this ) # if exists, edit /etc/NetworkManager/NetworkManager.conf
> ># in the main section, add : dns=none
> ># reboot. 
> >
> >but again, i want to know all outcomes first before you 
> change this all. 
> 
> I did not do the "mask" but did the other and I purged the 
> resolved... per Roland's instructions...
> 
> 
> >nslookup hostname
> >nslookup hostname.domain.tld
> 
> :~$ nslookup sambaDC.domain.com
> Server:         131.192.176.20
> Address:        131.192.176.20#53
> 
> Name:   sambaDC.domain.com
> Address: 131.192.176.40
> 
> >What do you see if you run: 
> >host IP_OF_OTHERDC
> 
> 20.176.192.131.in-addr.arpa domain name pointer 
> WindowsADDC.domain.com.
> 
> >host IP_OF_THIS_DC
> 
> Host 40.176.192.131.in-addr.arpa  domain name pointer 
> sambaDC.domain.com.
> 
> >And
> >dig a $(hostname -s)
> 
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
ThisDC-SambaDC-we-want-to-join
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available	
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 852b24514a370e2a (echoed)
> ;; QUESTION SECTION:
> ; sambaDC.                    IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)                
> <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 02:57:50 CST 2018
> ;; MSG SIZE  rcvd: 51
> 
> >dig a $(hostname -f)
> 
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
sambaDC.domain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6f82a8d3d3d97f1d (echoed)
> ;; QUESTION SECTION:
> ; sambaDC.domain.com.          IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)                  
>                  <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 03:05:39 CST 2018
> ;; MSG SIZE  rcvd: 61
> 
> >Repeat but now with @ip_of_OTHER-DC at the end. dig 
> >
> >dig -x ip_of_this_DC
> 
> dig -x 131.192.176.40  (sambaDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 53854d1f16d34420 (echoed)
> ;; QUESTION SECTION:
> ;40.176.192.131.in-addr.arpa.   IN      PTR
> 
> ;; Query time: 1 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:19:14 CST 2018
> ;; MSG SIZE  rcvd: 68
> 
> >dig -x ip_of_OTHER-DC
> >Repeat but now with @ip_of_OTHER-DC at the end.
> 
> dig -x 131.192.176.20  (WinADDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.20
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 9aee9cb762be5fc3 (echoed)
> ;; QUESTION SECTION:
> ;20.176.192.131.in-addr.arpa.   IN      PTR
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:21:20 CST 2018
> ;; MSG SIZE  rcvd: 68
> 
Ok here are lots of things missing or not working. 
What i did see here for example are. > ;; WARNING: recursion requested but not available 
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1ANSWER: 0   << thats not good. 

PTR checks on the DC its records are failing also. 
You dont get answers from the DNS server(s)... 

Look, what i wanted to see was. 
dig -x 192.168.0.1
; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN    PTR     dc1.internal.domain.tld.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 1308  IN      NS      dc1.internal.domain.tld.

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 29 11:11:19 2018
;; MSG SIZE  rcvd: 101

At least we have a thing to look/check now. 
I dont know much about the internal DNS of samba, i only use Bind9_DLZ, so i
would say upgrade the DNS to bind9_DLZ.
But now we know where to look, Rowland may be able to say things about the
internal DNS.

Everything below here is atm, not really relevant, above needs to be fixed
first.

Few other questions, are you running a Cert server on the MS server, if so, make
sure you export the CARoot cert
and add it on you samba servers and create the samba client certificates. 
After thats done, and the dns is checked again then we can look at: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 

> > 
> > 
> > -----------
> > Checking file: /etc/krb5.conf
> > [libdefaults]
> > 	default_realm = MYDOMAIN.COM
> 
> #Here add : 
> ; for Windows 2008 with AES this make sure its matches better 
> with the windows.
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
> 
> > 
> > # The following krb5.conf variables are only for MIT Kerberos.
> > 	kdc_timesync = 1
> > 	ccache_type = 4
> > 	forwardable = true
> > 	proxiable = true
> > 
> > # The following encryption type specification will be used by MIT 
> > Kerberos .... Removed a bit to shorten the e-mail.
> > 
> > 
> > -----------
> > Checking file: /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages 
> installed, 
> > try:
> > # `info libc "Name Service Switch"' for information
about this file.
> > 
> > passwd:         compat systemd
> > group:          compat systemd
> > shadow:         compat
> > gshadow:        files
> > 
> > hosts:          files dns
> > networks:       files
> > 
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> > 
> > netgroup:       nis
> > 
> > -----------
> > Warning,  does not exist
> 
> >I was expecting output here for the command.
> >Check_file_exists "${SMBCONF}"
> 
> I have been deleting smb.conf before I run the samba-tool.  
> It creates a new one even though the join fails.
> 
> >Can you run these 2 commands : 
> samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
> 
> /etc/samba/smb.conf  (because I made an attempt to join the 
> domain with samba-tool)
> 
> smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
> 
> /etc/samba/smb.conf
> 
> >> -----------
> >> No username map detected.
> >Fine for a AD DC.
> 
> >> 
> >> -----------
> >> 
> >> Installed packages, running: dpkg -l | egrep  
> >>"samba|winbind|krb5|smb|acl|xattr"
> >> ii  acl                                   2.2.52-3build1      
> >>               amd64        Access control list utilities
> >>.......... Removed part to shorten mail.
> >> SMB/CIFS clients for Unix
> >> ii  winbind                               
> >> 2:4.9.3+nmu-1~ubuntu1804          amd64        service to 
> >> resolve user and group information from Windows NT servers
> >> -----------
> >
> >This looks ok to me. 
> 
> >Last, i'll add this script into the other script in some time.
> 
> >Get and run this one on the DC. 
> >https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 
> The Windows DC..?  Well with bash it doesn't work... so I 
> assume you mean the DC we're trying to setup.
> 
> 1:~$ sudo /tmp/samba-info.sh
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v23f0> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v23f0> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09073B, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v1772> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> This script was tested with Debian Jessie and Stretch
> Server info:                    detected           (command 
> and where to look)
> This server hostname          = sambaDC            (hostname 
> -s and /etc/hosts and DNS server)
> This server FQDN (hostname)   = sambaDC.domain.com  (hostname 
> -f and /etc/hosts and DNS server)
> This server primary dnsdomain = domain.com      (hostname -d 
> and /etc/resolv.conf and DNS server)
> This server IP address(ses)   = 131.192.176.40  (hostname -i 
> (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles        =         (samba-tool fsmo show)
> The DC (with FSMO) Site name  =         (samba-tool fsmo show)
> The Default Naming Context    =         (samba-tool fsmo show)
> The Kerberos REALM name used  = DOMAIN.COM       (kinit and 
> /etc/krb5.conf and resolving)
> The Ipadres of DC win2012DC-Site2.domain.com        = 131.192.180.22
> The Ipadres of DC win2012DC-Site1.domain.com        = 131.192.176.20
> 131.192.176.18
And again, we are missing info here. 

I did keep all of the original post so its more easy to track this problem. 

Rowland, you any more suggestions, im pro for. 
- fix the dns resolving.
- cleanup the current join, remove from the domain.
- setup/join  samba with bind9_dlz. 

For sofar, 

Louis

Barry D. Adkins

2018-Dec-01 21:51 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

Here are the ouputs of the previous diagnostics you asked for:

:~$ nslookup sambaDC
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   sambaDC.domain.com
Address: 131.192.176.40

:~$ nslookup sambaDC.domain.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   sambaDC.domain.com
Address: 131.192.176.40

:~$ host 131.192.176.20
20.176.192.131.in-addr.arpa domain name pointer Win2012DC.domain.com.

:~$ host 131.192.176.40
40.176.192.131.in-addr.arpa domain name pointer sambaDC.
40.176.192.131.in-addr.arpa domain name pointer sambaDC.local.
>>> Barry Comment: the name server for the Win Domain is set in Ubuntu
Netplan.  I don't know why it did not find "pointer
sambaDC.domain.com."
>>> I did not create a HOSTS file or make any entries as it was not on
your "how-to".  Tried to follow exactly as you mentioned.  I'm
working on getting this corrected.
:~$ dig a $(sambaDC -s)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64202
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       73734   IN      NS      l.root-servers.net.
.                       73734   IN      NS      d.root-servers.net.
.                       73734   IN      NS      h.root-servers.net.
.                       73734   IN      NS      j.root-servers.net.
.                       73734   IN      NS      f.root-servers.net.
.                       73734   IN      NS      i.root-servers.net.
.                       73734   IN      NS      k.root-servers.net.
.                       73734   IN      NS      e.root-servers.net.
.                       73734   IN      NS      a.root-servers.net.
.                       73734   IN      NS      b.root-servers.net.
.                       73734   IN      NS      g.root-servers.net.
.                       73734   IN      NS      m.root-servers.net.
.                       73734   IN      NS      c.root-servers.net.

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:17:54 CST 2018
;; MSG SIZE  rcvd: 239

:~$ dig a $(sambaDC -f)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37248
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       7168    IN      NS      c.root-servers.net.
.                       7168    IN      NS      m.root-servers.net.
.                       7168    IN      NS      g.root-servers.net.
.                       7168    IN      NS      b.root-servers.net.
.                       7168    IN      NS      a.root-servers.net.
.                       7168    IN      NS      e.root-servers.net.
.                       7168    IN      NS      k.root-servers.net.
.                       7168    IN      NS      i.root-servers.net.
.                       7168    IN      NS      f.root-servers.net.
.                       7168    IN      NS      j.root-servers.net.
.                       7168    IN      NS      h.root-servers.net.
.                       7168    IN      NS      d.root-servers.net.
.                       7168    IN      NS      l.root-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:18:26 CST 2018
;; MSG SIZE  rcvd: 239

:~$ dig -x 131.192.176.40

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
40.176.192.131.in-addr.arpa. 0  IN      PTR     sambaDC.
40.176.192.131.in-addr.arpa. 0  IN      PTR     sambaDC.local.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:02 CST 2018
;; MSG SIZE  rcvd: 106

:~$ dig -x 131.192.176.20

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x
131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
20.176.192.131.in-addr.arpa. 983 IN     PTR     Win2012DC.domain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:29 CST 2018
;; MSG SIZE  rcvd: 89

****************
SAMBA-DEBUG-INFO
****************

Collected config  --- 2018-12-01-13:30 -----------

Hostname: houdcu01
DNS Domain: daram.com
FQDN: sambaDC.domain.com
ipaddress: 131.192.176.40

-----------
Samba is not being run as a DC or a Unix domain member.
Checking file: /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
    link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
    inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
    inet6 fe80::21e:67ff:fe79:11b8/64 scope link 
3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
    link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts 
127.0.0.1	localhost.localdomain	localhost
::1		localhost6.localdomain6	localhost6

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------
Checking file: /etc/resolv.conf 
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS
servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
search domain.com

-----------
Checking file: /etc/krb5.conf 
[libdefaults]
	default_realm = DOMAIN.COM

; Note, this is added because other software may need it.
; Some recommend to remove : des-cbc-crc des-cbc-md5 but for compatibility leave
it in.
; For Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5


-----------
Checking file: /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Warning,  does not exist

-----------
No username map detected.

-----------

Installed packages, running: dpkg -l | egrep
"samba|winbind|krb5|smb|acl|xattr"
ii  acl                                   2.2.52-3build1                   
amd64        Access control list utilities
ii  krb5-config                           2.6                               all 
Configuration files for Kerberos Version 5
ii  krb5-locales                          1.16-2build1                      all 
internationalization support for MIT Kerberos
ii  krb5-user                             1.16-2build1                     
amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.52-3build1                   
amd64        Access control list shared library
ii  libacl1-dev                           2.2.52-3build1                   
amd64        Access control list static libraries and headers
ii  libgssapi-krb5-2:amd64                1.16-2build1                     
amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1                     
amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.16-2build1                     
amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.16-2build1                     
amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804         
amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                    2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba winbind client library
ii  python-samba                          2:4.9.3+nmu-1~ubuntu1804         
amd64        Python bindings for Samba
ii  samba                                 2:4.9.3+nmu-1~ubuntu1804         
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.9.3+nmu-1~ubuntu1804          all 
common files used by both the Samba server and client
ii  samba-common-bin                      2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.9.3+nmu-1~ubuntu1804         
amd64        Samba Virtual FileSystem plugins
ii  winbind                               2:4.9.3+nmu-1~ubuntu1804         
amd64        service to resolve user and group information from Windows NT
servers
-----------

****************
SAMBA-INFO
****************

:~$ sudo ./samba-info.sh
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such
file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such
file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such
file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255
netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name
houdc01.daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such
file or directory
finddcs: response 0 at '131.192.176.6'
finddcs: response 1 at '2002:83c0:b007::83c0:b007'
finddcs: response 2 at '2002:83c0:b006::83c0:b006'
finddcs: response 3 at '2002:83c0:b015::83c0:b015'
finddcs: response 4 at '2002:83c0:b008::83c0:b008'
finddcs: performing CLDAP query on 131.192.176.6
finddcs: Found matching DC 131.192.176.6 with server_type=0x000011fc

>>>> Very frustrating
-Barry Adkins

L.P.H. van Belle

2018-Dec-03 15:22 UTC

head link

[Samba] Setup a Samba AD DC as an additional DC

Hai Barry, 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Barry D. Adkins via samba
> Verzonden: zaterdag 1 december 2018 22:52
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Setup a Samba AD DC as an additional DC
> 
> Here are the ouputs of the previous diagnostics you asked for:
> 
> :~$ nslookup sambaDC
> Server:         127.0.0.53
> Address:        127.0.0.53#53
> 
> Non-authoritative answer:
> Name:   sambaDC.domain.com
> Address: 131.192.176.40
> 
> :~$ nslookup sambaDC.domain.com
> Server:         127.0.0.53
> Address:        127.0.0.53#53
> 
> Non-authoritative answer:
> Name:   sambaDC.domain.com
> Address: 131.192.176.40
> 
> :~$ host 131.192.176.20
> 20.176.192.131.in-addr.arpa domain name pointer Win2012DC.domain.com.
> 
> :~$ host 131.192.176.40
> 40.176.192.131.in-addr.arpa domain name pointer sambaDC.
> 40.176.192.131.in-addr.arpa domain name pointer sambaDC.local.
Hm,, why is this server resolvng outside the domain your joining? 
I would have expected :  
40.176.192.131.in-addr.arpa domain name pointer sambaDC.domain.com 

But not a .local 
Did you start with DHCP ip and changed it later on maybe? 

> 
> >>> Barry Comment: the name server for the Win Domain is set 
> in Ubuntu Netplan.  I don't know why it did not find "pointer 
> sambaDC.domain.com."
> >>> I did not create a HOSTS file or make any entries as it 
> was not on your "how-to".  Tried to follow exactly as you 
> mentioned.  I'm working on getting this corrected.
> 
> :~$ dig a $(sambaDC -s)
> sambaDC: command not found
Ok, thats a line i might have missed in the late changes for the join i gave. 
You need at least one of these 2: 
Set in /etc/hosts the correct hostname and ip for the server. 
And/or Set in the DC the hostname and ip ( so A/AAAA and PTR ) record. 

Normaly, we set the /etc/hosts file and the A records is automaticly created by
join.
Manual check the PTR after a join. 
> 
> 
> >>>> Very frustrating
> 
> -Barry Adkins
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Yeah, understandable.  
And also remember, you might be able to join correclty and be unable replicate
the AD due to the Exchange schema.

I'll go test a DC join tomorrow on a MS W2008 server. 
I'll keep you posted when its done. 


Greetz, 

Louis

Possibly Parallel Threads

Search for more reasonably related threads

samba - Nov 2018 - Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

[Samba] Setup a Samba AD DC as an additional DC

Possibly Parallel Threads