Hai,

I had a quick look.

Barry, can you get this script and run it:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Then post the results to the list. It collects all the info I need to have a better look.

I have a few ideas; this might be a resolving-order problem, based on the errors below.
Can you also post the output of bind from the point it starts up until samba has started?

Greetz,

Louis

P.s. @Rowland, good morning, the one you got was sent too soon...

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Monday 26 November 2018 18:45
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Setup a Samba AD DC as an additional DC
> >
> > OK, I have been trying to help Barry get Samba to join to a Windows
> > domain as a DC and we seem to have chased it down to this:
> >
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for XXXXX from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=XXXXX)(objectclass=primaryDomain))' base: 'cn=Primary
> > Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4702)
> > and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
> >     backend_store=backend_store)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in do_join
> >     ctx.join_add_dns_records()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1110, in join_add_dns_records
> >     del_rec_buf)
> >
> > He has examined the secrets.ldb and it doesn't contain the 'dn:
> > flatname=XXXXX,cn=Primary Domains' object, even if he deletes it, it
> > gets recreated without that object.
> >
> > I have run out of ideas, I even joined a Samba machine to a
> > 2012 DC (2008 function level) without problem, anybody got any ideas ?
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
At this point I have started over with a VIRGIN Ubuntu 18.04 Server. I am about to start the:

samba-tool domain join

Nevertheless... here I go... I will run your script, Louis, and I am very appreciative of all the help I have received!!

-Barry Adkins

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
Sent: Tuesday, November 27, 2018 2:24 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Setup a Samba AD DC as an additional DC
"Can you also post the output of bind from the point it's starting up until samba has started?"
I am not certain how to obtain this. -- Barry

Collected config --- 2018-11-27-14:54
-----------
Hostname: Sambadc1
DNS Domain: Mydomain.com
FQDN: Sambadc1.Mydomain.com
ipaddress: ##.##.##.##
-----------
Samba is not being run as a DC or a Unix domain member.

Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
    inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
    inet6 fe80::21e:67ff:fe79:11b8/64 scope link
3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost6

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------
Checking file: /etc/resolv.conf
search daram.com
nameserver ##.##.##.20

-----------
Checking file: /etc/krb5.conf
[libdefaults]
	default_realm = MYDOMAIN.COM

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms]
	ATHENA.MIT.EDU = {
		kdc = kerberos.mit.edu
		kdc = kerberos-1.mit.edu
		kdc = kerberos-2.mit.edu:88
		admin_server = kerberos.mit.edu
		default_domain = mit.edu
	}
	ZONE.MIT.EDU = {
		kdc = casio.mit.edu
		kdc = seiko.mit.edu
		admin_server = casio.mit.edu
	}
	CSAIL.MIT.EDU = {
		admin_server = kerberos.csail.mit.edu
		default_domain = csail.mit.edu
	}
	IHTFP.ORG = {
		kdc = kerberos.ihtfp.org
		admin_server = kerberos.ihtfp.org
	}
	1TS.ORG = {
		kdc = kerberos.1ts.org
		admin_server = kerberos.1ts.org
	}
	ANDREW.CMU.EDU = {
		admin_server = kerberos.andrew.cmu.edu
		default_domain = andrew.cmu.edu
	}
	CS.CMU.EDU = {
		kdc = kerberos-1.srv.cs.cmu.edu
		kdc = kerberos-2.srv.cs.cmu.edu
		kdc = kerberos-3.srv.cs.cmu.edu
		admin_server = kerberos.cs.cmu.edu
	}
	DEMENTIA.ORG = {
		kdc = kerberos.dementix.org
		kdc = kerberos2.dementix.org
		admin_server = kerberos.dementix.org
	}
	stanford.edu = {
		kdc = krb5auth1.stanford.edu
		kdc = krb5auth2.stanford.edu
		kdc = krb5auth3.stanford.edu
		master_kdc = krb5auth1.stanford.edu
		admin_server = krb5-admin.stanford.edu
		default_domain = stanford.edu
	}
	UTORONTO.CA = {
		kdc = kerberos1.utoronto.ca
		kdc = kerberos2.utoronto.ca
		kdc = kerberos3.utoronto.ca
		admin_server = kerberos1.utoronto.ca
		default_domain = utoronto.ca
	}

[domain_realm]
	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	.media.mit.edu = MEDIA-LAB.MIT.EDU
	media.mit.edu = MEDIA-LAB.MIT.EDU
	.csail.mit.edu = CSAIL.MIT.EDU
	csail.mit.edu = CSAIL.MIT.EDU
	.whoi.edu = ATHENA.MIT.EDU
	whoi.edu = ATHENA.MIT.EDU
	.stanford.edu = stanford.edu
	.slac.stanford.edu = SLAC.STANFORD.EDU
	.toronto.edu = UTORONTO.CA
	.utoronto.ca = UTORONTO.CA

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Warning, does not exist

-----------
No username map detected.

-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2build1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2build1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
ii libgssapi-krb5-2:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba winbind client library
ii python-samba 2:4.9.3+nmu-1~ubuntu1804 amd64 Python bindings for Samba
ii samba 2:4.9.3+nmu-1~ubuntu1804 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.3+nmu-1~ubuntu1804 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.9.3+nmu-1~ubuntu1804 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to resolve user and group information from Windows NT servers
-----------

Regards,
Barry D. Adkins
On Tue, 27 Nov 2018 21:06:19 +0000
"Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> "Can you also post the output of bind from the point it's starting up
> until samba has started?" I am not certain how to obtain this. --
> Barry

No, I don't understand that either ;-)

> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost6
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> -----------

The only problem I could see with your files is the above, there should
be a line like this:

YOUR_SAMBA_DCS_IPADDRESS YOUR_SAMBA_DCS_FQDN YOUR_SAMBA_DCS_SHORT_HOSTNAME

Or with sample data:

192.168.0.2 dc1.samdom.example.com dc1

You could also try adding the Windows DCs data as well.

Rowland
I'll give an update tomorrow; I've seen some questionable things. But typing on my phone s.cks.

Grz.zz...

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 27 November 2018 22:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Setup a Samba AD DC as an additional DC
Hai,

I did some re-reading here and these are the things I did see.

I've commented some parts below, and some older questions I could find in the thread.

First my question.
What is the running AD DC's OS version/build? It was an MS server?

From a previous question.
> I did this and the domain join with a Samba DC succeeded.
> Well these "errors/warnings" were reported even though the command succeeded:
>
> A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>
> I don't know why this warning because the system krb5.conf has the entries in that file they want to be merged. Maybe the install examined the file in /usr/shar/samba/setup ??

You can ignore this safely. The file created is the same as the defaults in /etc/krb5.conf

Then question after this.
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')

This DC you're adding, are you using bind9_DLZ or internal DNS from samba itself?
I suspect resolving problems.

From the collected info. (commented in between the lines)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Barry D. Adkins via samba
> Sent: Tuesday 27 November 2018 22:06
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> "Can you also post the output of bind from the point it's
> starting up until samba has started?"
> I am not certain how to obtain this. -- Barry
>
> Collected config --- 2018-11-27-14:54
> -----------
>
> Hostname: Sambadc1
> DNS Domain: Mydomain.com
> FQDN: Sambadc1.Mydomain.com
> ipaddress: ##.##.##.##
> -----------
> Samba is not being run as a DC or a Unix domain member.
>
> Checking file: /etc/os-release
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
> Warning, /etc/devuan_version does not exist
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
>     inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
>     inet6 fe80::21e:67ff:fe79:11b8/64 scope link
> 3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
> -----------
> Checking file: /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost6

IP_HERE sambadc1.mydomain.tld sambadc1 # for this DC (optional you can add the other DC also, but wait, don't add it now.)

>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> -----------
> Checking file: /etc/resolv.conf
> search daram.com
> nameserver ##.##.##.20

Here the ip shown above, where is this one resolving to? I hope the AD DC server.
If you don't use systemd-resolved, that's fine, but make sure you removed it correctly.
That's a choice; the howto shown works fine with it enabled.
But here are the steps to remove it, if you want to remove it.
# but PLEASE, keep this for the last, if we change too much I'm not able to find your problem.
# I do suspect a resolving problem, yes.
# systemctl disable systemd-resolved
# systemctl stop systemd-resolved
# systemctl mask systemd-resolved
# rm /etc/resolv.conf and create a new one (you already did this)
# if exists, edit /etc/NetworkManager/NetworkManager.conf
# in the main section, add: dns=none
# reboot.

But again, I want to know all outcomes first before you change this all.

nslookup hostname
nslookup hostname.domain.tld

What do you see if you run:
host IP_OF_OTHERDC
host IP_OF_THIS_DC

And
dig a $(hostname -s)
dig a $(hostname -f)
Repeat but now with @ip_of_OTHER-DC at the end.

dig
dig -x ip_of_this_DC
dig -x ip_of_OTHER-DC
Repeat but now with @ip_of_OTHER-DC at the end.

>
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.COM

#Here add : ; for Windows 2008 with AES this makes sure it matches better with the windows.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following encryption type specification will be used by
> MIT Kerberos
> .... Removed a bit to shorten the e-mail.
>
>
> -----------
> Checking file: /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat systemd
> group: compat systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
> Warning, does not exist

I was expecting output here for the command.
Check_file_exists "${SMBCONF}"

Can you run these 2 commands:
samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'

>
> -----------
> No username map detected.

Fine for an AD DC.

>
> -----------
>
> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> ii acl 2.2.52-3build1 amd64 Access control list utilities
> .......... Removed part to shorten mail.
> SMB/CIFS clients for Unix
> ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to resolve user and group information from Windows NT servers
> -----------

This looks ok to me.

Last, I'll add this script into the other script in some time.
Get and run this one on the DC.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh

Now, very important, please don't change too much in the current running config, except where I told you to.
If you change more, I'm unable to find your problem.
Basically, first I want to know how the resolving is set up and working.

Greetz,

Louis
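The two checks Rowland and Louis ask for above (the "IP FQDN SHORTNAME" line in /etc/hosts, and the batch of nslookup/host/dig lookups against the local resolver and against the other DC) are easy to get wrong by eye when the dig output runs to dozens of lines per query. As an added example, not code from this thread and not part of the samba-collect-debug-info.sh or samba-info.sh scripts Louis links, here is a small POSIX shell script that parses the status and answer count out of dig's header, explains what each RCODE means for a DC join, and verifies the /etc/hosts line. The function names, the constructed sample reply, the `+noedns` hint for FORMERR replies and the use of `hostname -I` (Linux only) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the DNS checks Louis asked for
# and verify the /etc/hosts entry Rowland asked for. Function names are ours.

# parse_dig_status: read dig output on stdin, print "<status> <answer-count>",
# e.g. "FORMERR 0" or "NOERROR 1". Prints "NOREPLY 0" if no header was seen.
parse_dig_status() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") st = $(i + 1) }
        /^;; flags:/   { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") an = $(i + 1) }
        END {
            sub(/,$/, "", st); sub(/,$/, "", an)
            if (st == "") st = "NOREPLY"
            print st, an + 0
        }'
}

# verdict: turn a status and answer count into one line a reader can act on.
verdict() {
    case "$1" in
        NOERROR)  [ "$2" -gt 0 ] && echo "resolved" || echo "name known but no record of that type" ;;
        NXDOMAIN) echo "server says the name does not exist" ;;
        REFUSED)  echo "server refused the query (the RCODE behind WERR_DNS_ERROR_RCODE_REFUSED)" ;;
        FORMERR)  echo "server rejected the query format; retry with +noedns before blaming the zone" ;;
        SERVFAIL) echo "server failed internally" ;;
        NOREPLY)  echo "no answer at all (timeout or unreachable)" ;;
        *)        echo "unexpected status $1" ;;
    esac
}

# hosts_has_entry IP FQDN SHORT: read an /etc/hosts file on stdin and return 0
# when a non-comment line maps IP to both FQDN and SHORT (Rowland's line).
hosts_has_entry() {
    awk -v ip="$1" -v fqdn="$2" -v short="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
            if (f && s) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# run_checks OTHER_DC_IP [THIS_DC_IP]: the lookups from the thread, each run
# against the default resolver and again against the other DC.
run_checks() {
    other="$1"
    this="${2:-$(hostname -I | awk '{print $1}')}"   # assumes Linux hostname
    for q in "a $(hostname -s)" "a $(hostname -f)" "-x $this" "-x $other"; do
        for server in "" "@$other"; do
            set -- $(dig $q $server +time=3 +tries=1 | parse_dig_status)
            printf '%-40s %-9s %s\n' "dig $q $server" "$1" "$(verdict "$1" "$2")"
        done
    done
    if hosts_has_entry "$this" "$(hostname -f)" "$(hostname -s)" < /etc/hosts; then
        echo "/etc/hosts: entry for this DC present"
    else
        echo "/etc/hosts: missing '$this $(hostname -f) $(hostname -s)' line"
    fi
}

# Constructed sample: the header lines of the FORMERR reply Barry posted for
# "dig a sambaDC.domain.com" against the Windows DC.
SAMPLE_FORMERR=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# demo: run the parser over the constructed sample (works offline).
demo() {
    set -- $(printf '%s\n' "$SAMPLE_FORMERR" | parse_dig_status)
    printf 'status=%s answers=%s: %s\n' "$1" "$2" "$(verdict "$1" "$2")"
}

# Usage: sh dnscheck.sh run OTHER_DC_IP [THIS_DC_IP]   (runs the real lookups)
#        sh dnscheck.sh                                  (offline demo only)
if [ "${1:-}" = "run" ]; then
    run_checks "$2" "$3"
else
    demo
fi
```

The parser only looks at the `->>HEADER<<-` and `flags:` lines, so it works on the output of `dig` whether the reply is an answer, an empty NOERROR, or an error status such as the FORMERR and REFUSED codes seen in this thread; the verdict is meant to be read next to the server line of the same dig output to tell apart "my resolver" from "the other DC".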
On Wed, 28 Nov 2018 09:41:09 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I did some re-reading here and these are the things I did see.
>
> I've commented some parts below, and some older questions I could find
> in the thread.
>
> First my question.
> What is the running AD DC's OS version/build? It was an MS server?

Yes it is a Windows DC, the OP wants to change to Samba DC's

>
> Then question after this.
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')

I personally have come to the conclusion that, whilst the DNS records
are in his Windows AD, they are not being replicated because he isn't
running a DNS server on any of his Windows DC's, I could be wrong, but
that's what I now think.

>
> This DC you're adding, are you using bind9_DLZ or internal DNS from
> samba itself? I suspect resolving problems.

As far as I am aware, he is using the internal dns server.

Rowland
> What is the running AD DC's OS version/build? It was an MS server?

2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012 windows DC

> Then question after this.
> ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>
> This DC you're adding, are you using bind9_DLZ or internal DNS from samba itself?
> I suspect resolving problems.
>
> From the collected info. (commented in between the lines)
>
>> -----------
>> Checking file: /etc/hosts
>> 127.0.0.1 localhost
>> ::1 localhost6
>
> IP_HERE sambadc1.mydomain.tld sambadc1 # for this DC (optional you can add the other DC also, but wait, don't add it now.)

I added this already but it did not change the result.

>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts
>
>> Checking file: /etc/resolv.conf
>> search daram.com
>> nameserver ##.##.##.20
>
> Here the ip shown above, where is this one resolving to? I hope the AD DC server.

Yes to the ADDC Server

> If you don't use systemd-resolved, that's fine, but make sure you removed it correctly.
> That's a choice; the howto shown works fine with it enabled.
> But here are the steps to remove it, if you want to remove it.
> # but PLEASE, keep this for the last, if we change too much I'm not able to find your problem.
> # I do suspect a resolving problem, yes.
> # systemctl disable systemd-resolved
> # systemctl stop systemd-resolved
> # systemctl mask systemd-resolved
> # rm /etc/resolv.conf and create a new one (you already did this)
> # if exists, edit /etc/NetworkManager/NetworkManager.conf
> # in the main section, add: dns=none
> # reboot.
>
> But again, I want to know all outcomes first before you change this all.

I did not do the "mask" but did the other and I purged the resolved... per Roland's instructions...

> nslookup hostname
> nslookup hostname.domain.tld

:~$ nslookup sambaDC.domain.com
Server:         131.192.176.20
Address:        131.192.176.20#53

Name:   sambaDC.domain.com
Address: 131.192.176.40

> What do you see if you run:
> host IP_OF_OTHERDC

20.176.192.131.in-addr.arpa domain name pointer WindowsADDC.domain.com.

> host IP_OF_THIS_DC

Host 40.176.192.131.in-addr.arpa domain name pointer sambaDC.domain.com.

> And
> dig a $(hostname -s)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 852b24514a370e2a (echoed)
;; QUESTION SECTION:
;sambaDC.                       IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)   <<<Windows ADDC>>>
;; WHEN: Wed Nov 28 02:57:50 CST 2018
;; MSG SIZE  rcvd: 51

> dig a $(hostname -f)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6f82a8d3d3d97f1d (echoed)
;; QUESTION SECTION:
;sambaDC.domain.com.            IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)   <<<Windows ADDC>>>
;; WHEN: Wed Nov 28 03:05:39 CST 2018
;; MSG SIZE  rcvd: 61

> Repeat but now with @ip_of_OTHER-DC at the end.
>
> dig
> dig -x ip_of_this_DC

dig -x 131.192.176.40 (sambaDC)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 53854d1f16d34420 (echoed)
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 1 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:19:14 CST 2018
;; MSG SIZE  rcvd: 68

> dig -x ip_of_OTHER-DC
> Repeat but now with @ip_of_OTHER-DC at the end.

dig -x 131.192.176.20 (WinADDC)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9aee9cb762be5fc3 (echoed)
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:21:20 CST 2018
;; MSG SIZE  rcvd: 68

>>
>> -----------
>> Checking file: /etc/krb5.conf
>> [libdefaults]
>> default_realm = MYDOMAIN.COM
>
> #Here add : ; for Windows 2008 with AES this makes sure it matches better with the windows.
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>>
>> # The following encryption type specification will be used by MIT
>> Kerberos .... Removed a bit to shorten the e-mail.
>>
>>
>> -----------
>> Checking file: /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed,
>> try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat systemd
>> group: compat systemd
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> -----------
>> Warning, does not exist
>
> I was expecting output here for the command.
> Check_file_exists "${SMBCONF}"

I have been deleting smb.conf before I run the samba-tool. It creates a new one even though the join fails.

> Can you run these 2 commands:

samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
/etc/samba/smb.conf (because I made an attempt to join the domain with samba-tool)

smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
/etc/samba/smb.conf

>> -----------
>> No username map detected.
>
> Fine for an AD DC.
>
>>
>> -----------
>>
>> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
>> ii acl 2.2.52-3build1 amd64 Access control list utilities
>> .......... Removed part to shorten mail.
>> SMB/CIFS clients for Unix
>> ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to resolve user and group information from Windows NT servers
>> -----------
>
> This looks ok to me.
>
> Last, I'll add this script into the other script in some time.
> Get and run this one on the DC.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh

The Windows DC..? Well with bash it doesn't work... so I assume you mean the DC we're trying to set up.

1:~$ sudo /tmp/samba-info.sh
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09073B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])

This script was tested with Debian Jessie and Stretch

Server info: detected (command and where to look)
This server hostname = sambaDC (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname) = sambaDC.domain.com (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = domain.com (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses) = 131.192.176.40 (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles = (samba-tool fsmo show)
The DC (with FSMO) Site name = (samba-tool fsmo show)
The Default Naming Context = (samba-tool fsmo show)
The Kerberos REALM name used = DOMAIN.COM (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC win2012DC-Site2.domain.com = 131.192.180.22
The Ipadres of DC win2012DC-Site1.domain.com = 131.192.176.20 131.192.176.18

--Barry Adkins
Hai Barry,

> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> >What is the running AD DC its os version/build, it was an MS server?
> 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012 windows DC

Yes, but win 2012 which one? 2012 or 2012R2
Can you open a dosbox (cmd) and type : ver
The build number is?

> > Then question after this.
> ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>
> This DC you're adding, are you using bind9_DLZ or internal DNS from samba itself?
> I suspect resolving problems.

And these are confirmed below.

> > From the collected info. ( commented in between the lines )
> >
> > -----------
> > Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > ::1 localhost6
>
> >IP_HERE sambadc1.mydomain.tld sambadc1 # for this DC ( optional you can add the other DC also, but wait don't add it now. )
>
> I added this already but it did not change the result.
>
> >> # The following lines are desirable for IPv6 capable hosts
> >> ::1 localhost ip6-localhost ip6-loopback
> >> fe00::0 ip6-localnet
> >> ff02::1 ip6-allnodes
> >> ff02::2 ip6-allrouters
> >> ff02::3 ip6-allhosts
>
> >> Checking file: /etc/resolv.conf
> >> search daram.com
> >> nameserver ##.##.##.20
>
> >Here the ip shown above, where is this one resolving to, i hope the ADDC server.
>
> Yes to the ADDC Server
>
> >If you don't use systemd-resolved, that's fine, but make sure you removed it correctly.
> >That's a choice, the howto shown, works fine with it enabled.
> >But here are the steps to remove it, if you want to remove it.
> ># but PLEASE, keep this for the last, if we change too much I'm not able to find your problem.
> ># i do suspect resolving problem, yes.
> ># systemctl disable systemd-resolved
> ># systemctl stop systemd-resolved
> ># systemctl mask systemd-resolved
> ># rm /etc/resolv.conf and create a new one ( you already did this )
> ># if exists, edit /etc/NetworkManager/NetworkManager.conf
> ># in the main section, add : dns=none
> ># reboot.
> >
> >but again, i want to know all outcomes first before you change this all.
>
> I did not do the "mask" but did the other and I purged the resolved... per Rowland's instructions...
>
> >nslookup hostname
> >nslookup hostname.domain.tld
>
> :~$ nslookup sambaDC.domain.com
> Server: 131.192.176.20
> Address: 131.192.176.20#53
>
> Name: sambaDC.domain.com
> Address: 131.192.176.40
>
> >What do you see if you run:
> >host IP_OF_OTHERDC
>
> 20.176.192.131.in-addr.arpa domain name pointer WindowsADDC.domain.com.
>
> >host IP_OF_THIS_DC
>
> Host 40.176.192.131.in-addr.arpa domain name pointer sambaDC.domain.com.
>
> >And
> >dig a $(hostname -s)
>
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 852b24514a370e2a (echoed)
> ;; QUESTION SECTION:
> ; sambaDC. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20) <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 02:57:50 CST 2018
> ;; MSG SIZE rcvd: 51
>
> >dig a $(hostname -f)
>
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6f82a8d3d3d97f1d (echoed)
> ;; QUESTION SECTION:
> ; sambaDC.domain.com. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20) <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 03:05:39 CST 2018
> ;; MSG SIZE rcvd: 61
>
> >Repeat but now with @ip_of_OTHER-DC at the end.
> dig
>
> >dig -x ip_of_this_DC
>
> dig -x 131.192.176.40 (sambaDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 53854d1f16d34420 (echoed)
> ;; QUESTION SECTION:
> ;40.176.192.131.in-addr.arpa. IN PTR
>
> ;; Query time: 1 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:19:14 CST 2018
> ;; MSG SIZE rcvd: 68
>
> >dig -x ip_of_OTHER-DC
> >Repeat but now with @ip_of_OTHER-DC at the end.
>
> dig -x 131.192.176.20 (WinADDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 9aee9cb762be5fc3 (echoed)
> ;; QUESTION SECTION:
> ;20.176.192.131.in-addr.arpa. IN PTR
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:21:20 CST 2018
> ;; MSG SIZE rcvd: 68

Ok here are lots of things missing or not working.
What i did see here for example are.

> ;; WARNING: recursion requested but not available
>
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

ANSWER: 0 << that's not good.
PTR checks on the DC its records are failing also.
You don't get answers from the DNS server(s)...

Look, what i wanted to see was.

dig -x 192.168.0.1
; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN PTR dc1.internal.domain.tld.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 1308 IN NS dc1.internal.domain.tld.

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 29 11:11:19 2018
;; MSG SIZE rcvd: 101

At least we have a thing to look/check now.
I don't know much about the internal DNS of samba, i only use Bind9_DLZ, so i would say upgrade the DNS to bind9_DLZ.
But now we know where to look, Rowland may be able to say things about the internal DNS.

Everything below here is atm, not really relevant, above needs to be fixed first.
Few other questions, are you running a Cert server on the MS server, if so, make sure you export the CARoot cert and add it on your samba servers and create the samba client certificates.

After that's done, and the dns is checked again then we can look at:

> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1
>
> > > > > > -----------
> > Checking file: /etc/krb5.conf
> > [libdefaults]
> > default_realm = MYDOMAIN.COM
>
> #Here add :
> ; for Windows 2008 with AES this makes sure it matches better with the windows.
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> > # The following krb5.conf variables are only for MIT Kerberos.
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> >
> > # The following encryption type specification will be used by MIT Kerberos .... Removed a bit to shorten the e-mail.
> >
> > -----------
> > Checking file: /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat systemd
> > group: compat systemd
> > shadow: compat
> > gshadow: files
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > -----------
> > Warning, does not exist
>
> >I was expecting output here for the command.
> >Check_file_exists "${SMBCONF}"
>
> I have been deleting smb.conf before I run the samba-tool. It creates a new one even though the join fails.
>
> >Can you run these 2 commands :
> samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
>
> /etc/samba/smb.conf (because I made an attempt to join the domain with samba-tool)
>
> smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
>
> /etc/samba/smb.conf
>
> >> -----------
> >> No username map detected.
> >Fine for an AD DC.
>
> >>
> >> -----------
> >>
> >> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> >> ii acl 2.2.52-3build1 amd64 Access control list utilities
> >> .......... Removed part to shorten mail.
> >> SMB/CIFS clients for Unix
> >> ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to resolve user and group information from Windows NT servers
> >> -----------
> >
> >This looks ok to me.
>
> >Last, i'll add this script into the other script in some time.
>
> >Get and run this one on the DC.
> >https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh
> The Windows DC..? Well with bash it doesn't work... so I assume you mean the DC we're trying to setup.
>
> 1:~$ sudo /tmp/samba-info.sh
> Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09073B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>
> This script was tested with Debian Jessie and Stretch
> Server info: detected (command and where to look)
> This server hostname = sambaDC (hostname -s and /etc/hosts and DNS server)
> This server FQDN (hostname) = sambaDC.domain.com (hostname -f and /etc/hosts and DNS server)
> This server primary dnsdomain = domain.com (hostname -d and /etc/resolv.conf and DNS server)
> This server IP address(ses) = 131.192.176.40 (hostname -i (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles = (samba-tool fsmo show)
> The DC (with FSMO) Site name = (samba-tool fsmo show)
> The Default Naming Context = (samba-tool fsmo show)
> The Kerberos REALM name used = DOMAIN.COM (kinit and /etc/krb5.conf and resolving)
> The Ipadres of DC win2012DC-Site2.domain.com = 131.192.180.22
> The Ipadres of DC win2012DC-Site1.domain.com = 131.192.176.20 131.192.176.18

And again, we are missing info here.

I did keep all of the original post so it's easier to track this problem.

Rowland, you any more suggestions, I'm pro for:
- fix the dns resolving.
- cleanup the current join, remove from the domain.
- setup/join samba with bind9_dlz.

For so far,

Louis
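Louis's diagnosis above comes down to reading three things off every dig transcript: the `status:` in the header, the `ANSWER:` count in the flags line, and whether `ra` (recursion available) is present. The following POSIX sh function does exactly that check over pasted dig output, so the same test can be repeated for every DC and record type without eyeballing. It is an added example, not part of the thread and not one of Louis's scripts; the three sample transcripts are constructed here from the shapes shown above (Barry's FORMERR reply, the healthy PTR answer Louis wanted to see, and a third, invented NOERROR-but-empty case).

```shell
#!/bin/sh
# Constructed sample: shaped like the FORMERR / ANSWER: 0 reply Barry's DC returned.
DIG_BAD='; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa. IN PTR

;; SERVER: 131.192.176.20#53(131.192.176.20)'

# Constructed sample: shaped like the healthy PTR answer Louis showed.
DIG_GOOD='; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN PTR dc1.internal.domain.tld.

;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample (invented, not from the thread): the server answers, but has no record.
DIG_EMPTY='; <<>> DiG 9.11.3 <<>> a sambadc.example.invalid
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# dig_verdict: read one dig transcript on stdin and print a single verdict:
#   OK | NOHEADER | RCODE-<status> | NOANSWER | NORECURSION
# Exit status is 0 only for OK, so it can drive a loop over several servers.
dig_verdict() {
    out=$(cat)
    header=$(printf '%s\n' "$out" | grep '^;; ->>HEADER<<-' || true)
    flags=$(printf '%s\n' "$out" | grep '^;; flags:' || true)
    status=$(printf '%s\n' "$header" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    answers=$(printf '%s\n' "$flags" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p')
    flagset=$(printf '%s\n' "$flags" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')

    if [ -z "$status" ]; then echo NOHEADER; return 1; fi
    # Any rcode other than NOERROR (FORMERR, REFUSED, SERVFAIL, NXDOMAIN ...) is a failure.
    if [ "$status" != "NOERROR" ]; then echo "RCODE-$status"; return 1; fi
    # NOERROR with zero answers is the "ANSWER: 0 << thats not good" case.
    if [ "${answers:-0}" -eq 0 ]; then echo NOANSWER; return 1; fi
    # "recursion requested but not available" shows up as a missing 'ra' flag.
    case " $flagset " in
        *" ra "*) ;;
        *) echo NORECURSION; return 1 ;;
    esac
    echo OK
}

# Demo: run the three constructed transcripts through the check.
printf 'DIG_BAD   -> %s\n' "$(printf '%s\n' "$DIG_BAD"   | dig_verdict)"
printf 'DIG_GOOD  -> %s\n' "$(printf '%s\n' "$DIG_GOOD"  | dig_verdict)"
printf 'DIG_EMPTY -> %s\n' "$(printf '%s\n' "$DIG_EMPTY" | dig_verdict)"
```

On a live system the transcript comes straight from dig, e.g. `dig -x 131.192.176.40 @131.192.176.20 | dig_verdict`, and repeating it with each DC's IP after `@` separates "this resolver is broken" from "this record does not exist anywhere".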
Here are the outputs of the previous diagnostics you asked for:

:~$ nslookup sambaDC
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: sambaDC.domain.com
Address: 131.192.176.40

:~$ nslookup sambaDC.domain.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: sambaDC.domain.com
Address: 131.192.176.40

:~$ host 131.192.176.20
20.176.192.131.in-addr.arpa domain name pointer Win2012DC.domain.com.

:~$ host 131.192.176.40
40.176.192.131.in-addr.arpa domain name pointer sambaDC.
40.176.192.131.in-addr.arpa domain name pointer sambaDC.local.

>>> Barry Comment: the name server for the Win Domain is set in Ubuntu Netplan. I don't know why it did not find "pointer sambaDC.domain.com."
>>> I did not create a HOSTS file or make any entries as it was not on your "how-to". Tried to follow exactly as you mentioned. I'm working on getting this corrected.

:~$ dig a $(sambaDC -s)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64202
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 73734 IN NS l.root-servers.net.
. 73734 IN NS d.root-servers.net.
. 73734 IN NS h.root-servers.net.
. 73734 IN NS j.root-servers.net.
. 73734 IN NS f.root-servers.net.
. 73734 IN NS i.root-servers.net.
. 73734 IN NS k.root-servers.net.
. 73734 IN NS e.root-servers.net.
. 73734 IN NS a.root-servers.net.
. 73734 IN NS b.root-servers.net.
. 73734 IN NS g.root-servers.net.
. 73734 IN NS m.root-servers.net.
. 73734 IN NS c.root-servers.net.
;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:17:54 CST 2018
;; MSG SIZE rcvd: 239

:~$ dig a $(sambaDC -f)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37248
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 7168 IN NS c.root-servers.net.
. 7168 IN NS m.root-servers.net.
. 7168 IN NS g.root-servers.net.
. 7168 IN NS b.root-servers.net.
. 7168 IN NS a.root-servers.net.
. 7168 IN NS e.root-servers.net.
. 7168 IN NS k.root-servers.net.
. 7168 IN NS i.root-servers.net.
. 7168 IN NS f.root-servers.net.
. 7168 IN NS j.root-servers.net.
. 7168 IN NS h.root-servers.net.
. 7168 IN NS d.root-servers.net.
. 7168 IN NS l.root-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:18:26 CST 2018
;; MSG SIZE rcvd: 239

:~$ dig -x 131.192.176.40

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa. IN PTR

;; ANSWER SECTION:
40.176.192.131.in-addr.arpa. 0 IN PTR sambaDC.
40.176.192.131.in-addr.arpa. 0 IN PTR sambaDC.local.
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:02 CST 2018
;; MSG SIZE rcvd: 106

:~$ dig -x 131.192.176.20

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa. IN PTR

;; ANSWER SECTION:
20.176.192.131.in-addr.arpa. 983 IN PTR Win2012DC.domain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:29 CST 2018
;; MSG SIZE rcvd: 89

**************** SAMBA-DEBUG-INFO ****************

Collected config --- 2018-12-01-13:30
-----------
Hostname: houdcu01
DNS Domain: daram.com
FQDN: sambaDC.domain.com
ipaddress: 131.192.176.40
-----------
Samba is not being run as a DC or a Unix domain member.

Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
    inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
    inet6 fe80::21e:67ff:fe79:11b8/64 scope link
3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
search domain.com
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
; Note, this is added because other software may need it.
; Some recommend to remove : des-cbc-crc des-cbc-md5 but for compatibility leave it in.
; For Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
-----------
Warning, does not exist
-----------
No username map detected.
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.16-2build1 all internationalization support for MIT Kerberos
ii krb5-user 1.16-2build1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
ii libgssapi-krb5-2:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.16-2build1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba winbind client library
ii python-samba 2:4.9.3+nmu-1~ubuntu1804 amd64 Python bindings for Samba
ii samba 2:4.9.3+nmu-1~ubuntu1804 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.3+nmu-1~ubuntu1804 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.3+nmu-1~ubuntu1804 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to resolve user and group information from Windows NT servers
-----------

**************** SAMBA-INFO ****************

:~$ sudo ./samba-info.sh
INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth: 8 winbind: 8 vfs: 8 idmap: 8 quota: 8 acls: 8 locking: 8 msdfs: 8 dmapi: 8 registry: 8 scavenger: 8 dns: 8 ldb: 8 tevent: 8 auth_audit: 8 auth_json_audit: 8 kerberos: 8 drs_repl: 8 smb2: 8 smb2_credits: 8 dsdb_audit: 8 dsdb_json_audit: 8 dsdb_password_audit: 8 dsdb_password_json_audit: 8 dsdb_transaction_audit: 8 dsdb_transaction_json_audit: 8 dsdb_group_audit: 8 dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])

INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth: 8 winbind: 8 vfs: 8 idmap: 8 quota: 8 acls: 8 locking: 8 msdfs: 8 dmapi: 8 registry: 8 scavenger: 8 dns: 8 ldb: 8 tevent: 8 auth_audit: 8 auth_json_audit: 8 kerberos: 8 drs_repl: 8 smb2: 8 smb2_credits: 8 dsdb_audit: 8 dsdb_json_audit: 8 dsdb_password_audit: 8 dsdb_password_json_audit: 8 dsdb_transaction_audit: 8 dsdb_transaction_json_audit: 8 dsdb_group_audit: 8 dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])

INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth: 8 winbind: 8 vfs: 8 idmap: 8 quota: 8 acls: 8 locking: 8 msdfs: 8 dmapi: 8 registry: 8 scavenger: 8 dns: 8 ldb: 8 tevent: 8 auth_audit: 8 auth_json_audit: 8 kerberos: 8 drs_repl: 8 smb2: 8 smb2_credits: 8 dsdb_audit: 8 dsdb_json_audit: 8 dsdb_password_audit: 8 dsdb_password_json_audit: 8 dsdb_transaction_audit: 8 dsdb_transaction_json_audit: 8 dsdb_group_audit: 8 dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])

INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth: 8 winbind: 8 vfs: 8 idmap: 8 quota: 8 acls: 8 locking: 8 msdfs: 8 dmapi: 8 registry: 8 scavenger: 8 dns: 8 ldb: 8 tevent: 8 auth_audit: 8 auth_json_audit: 8 kerberos: 8 drs_repl: 8 smb2: 8 smb2_credits: 8 dsdb_audit: 8 dsdb_json_audit: 8 dsdb_password_audit: 8 dsdb_password_json_audit: 8 dsdb_transaction_audit: 8 dsdb_transaction_json_audit: 8 dsdb_group_audit: 8 dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0 added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0 resolve_lmhosts: Attempting lmhosts lookup for name houdc01.daram.com<0x20> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory finddcs: response 0 at '131.192.176.6' finddcs: response 1 at '2002:83c0:b007::83c0:b007' finddcs: response 2 at '2002:83c0:b006::83c0:b006' finddcs: response 3 at '2002:83c0:b015::83c0:b015' finddcs: response 4 at '2002:83c0:b008::83c0:b008' finddcs: performing CLDAP query on 131.192.176.6 finddcs: Found matching DC 131.192.176.6 with server_type=0x000011fc>>>> Very frustrating-Barry Adkins
Hai Barry,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Barry D. Adkins via samba
> Sent: Saturday 1 December 2018 22:52
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> Here are the outputs of the previous diagnostics you asked for:
>
> :~$ nslookup sambaDC
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> Name: sambaDC.domain.com
> Address: 131.192.176.40
>
> :~$ nslookup sambaDC.domain.com
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> Name: sambaDC.domain.com
> Address: 131.192.176.40
>
> :~$ host 131.192.176.20
> 20.176.192.131.in-addr.arpa domain name pointer Win2012DC.domain.com.
>
> :~$ host 131.192.176.40
> 40.176.192.131.in-addr.arpa domain name pointer sambaDC.
> 40.176.192.131.in-addr.arpa domain name pointer sambaDC.local.

Hm, why is this server resolving outside the domain you're joining?
I would have expected:
40.176.192.131.in-addr.arpa domain name pointer sambaDC.domain.com
But not a .local
Did you start with a DHCP ip and change it later on maybe?

> >>> Barry Comment: the name server for the Win Domain is set in Ubuntu Netplan. I don't know why it did not find "pointer sambaDC.domain.com."
> >>> I did not create a HOSTS file or make any entries as it was not on your "how-to". Tried to follow exactly as you mentioned. I'm working on getting this corrected.
>
> :~$ dig a $(sambaDC -s)
> sambaDC: command not found

Ok, that's a line I might have missed in the late changes for the join I gave.
You need at least one of these 2:
Set in /etc/hosts the correct hostname and ip for the server.
And/or
Set in the DC the hostname and ip (so A/AAAA and PTR) record.
Normally, we set the /etc/hosts file and the A record is automatically created by join.
Manually check the PTR after a join.

> >>>> Very frustrating
> -Barry Adkins

Yeah, understandable.
And also remember, you might be able to join correctly and be unable to replicate the AD due to the Exchange schema.
I'll go test a DC join tomorrow on a MS W2008 server.
I'll keep you posted when it's done.

Greetz,
Louis
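The pre-join name check Louis describes (forward A record and reverse PTR must both agree with the DC's FQDN inside the domain), as an added example that is not from this thread and not Samba's own code. The live lookups go through the system resolver (so /etc/hosts is honoured, as with getent); the constructed SAMPLE tables reproduce Barry's nslookup/host output so the check can be exercised offline, and the hostname sambaDC.domain.com is the one used in the thread.

```python
import socket

# Constructed sample data mirroring the lookups pasted in the thread (not live DNS).
SAMPLE_FORWARD = {
    "sambaDC.domain.com": "131.192.176.40",
    "Win2012DC.domain.com": "131.192.176.20",
}
SAMPLE_REVERSE = {
    "131.192.176.40": ["sambaDC.", "sambaDC.local."],   # the two PTRs 'host' returned
    "131.192.176.20": ["Win2012DC.domain.com."],
}


def live_forward(name):
    """Forward lookup via the system resolver (nsswitch: /etc/hosts, then DNS)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip):
    """Reverse lookup via the system resolver; returns every name the PTR yields."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + aliases
    except (socket.herror, socket.gaierror):
        return []


def check_dc_names(fqdn, ip, forward=live_forward, reverse=live_reverse):
    """Return a list of problems; an empty list means A and PTR agree with fqdn."""
    problems = []
    domain = fqdn.split(".", 1)[1].lower()          # "domain.com" for sambaDC.domain.com
    resolved = forward(fqdn)
    if resolved is None:
        problems.append(f"{fqdn} does not resolve: add it to /etc/hosts or create the A record")
    elif resolved != ip:
        problems.append(f"{fqdn} resolves to {resolved}, expected {ip}")
    ptrs = [n.rstrip(".").lower() for n in reverse(ip)]   # normalise trailing dots and case
    if fqdn.lower() not in ptrs:
        problems.append(f"PTR for {ip} gives {ptrs or 'nothing'}, expected {fqdn}")
    strays = [n for n in ptrs if not n.endswith("." + domain)]
    if strays:   # the .local / bare-name case from the thread
        problems.append(f"PTR for {ip} points outside {domain}: {strays}")
    return problems


def hosts_line(fqdn, ip):
    """The /etc/hosts line Louis recommends: IP, FQDN first, then the short name."""
    return f"{ip}\t{fqdn} {fqdn.split('.')[0]}"
```

Run `check_dc_names("sambaDC.domain.com", "131.192.176.40")` on the host before `samba-tool domain join` and again after the join to confirm the PTR, as Louis suggests.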