Hi Barry,

> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> > What is the running AD DC its os version/build, it was an MS server?
>
> 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is
> a 2012 windows DC

Yes, but Win 2012 which one? 2012 or 2012 R2?
Can you open a DOS box (cmd) and type: ver
The build number is?

> > Then question after this.
> > ERROR(runtime): uncaught exception - (9601,
> > 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
> >
> > This DC you're adding, are you using bind9_DLZ or internal DNS from samba itself?
> > I suspect resolving problems.

And these are confirmed below.

> > From the collected info. ( commented in between the lines )
> >
> > > -----------
> > > Checking file: /etc/hosts
> > > 127.0.0.1 localhost
> > > ::1 localhost6
> >
> > IP_HERE sambadc1.mydomain.tld sambadc1 # for this DC ( optional you can
> > add the other DC also, but wait, don't add it now. )
>
> I added this already but it did not change the result.
>
> > > # The following lines are desirable for IPv6 capable hosts
> > > ::1 localhost ip6-localhost ip6-loopback
> > > fe00::0 ip6-localnet
> > > ff02::1 ip6-allnodes
> > > ff02::2 ip6-allrouters
> > > ff02::3 ip6-allhosts
> > >
> > > Checking file: /etc/resolv.conf
> > > search daram.com
> > > nameserver ##.##.##.20
> >
> > Here the ip shown above, where is this one resolving to? I
> > hope the AD DC server.
>
> Yes, to the AD DC server.
>
> > If you don't use systemd-resolved, that's fine, but make sure
> > you removed it correctly.
> > That's a choice, the howto shown works fine with it enabled.
> > But here are the steps to remove it, if you want to remove it.
> > # but PLEASE, keep this for the last, if we change too much
> > I'm not able to find your problem.
> > # i do suspect resolving problem, yes.
> > # systemctl disable systemd-resolved
> > # systemctl stop systemd-resolved
> > # systemctl mask systemd-resolved
> > # rm /etc/resolv.conf and create a new one ( you already did this )
> > # if exists, edit /etc/NetworkManager/NetworkManager.conf
> > # in the main section, add : dns=none
> > # reboot.
> >
> > but again, i want to know all outcomes first before you
> > change this all.
>
> I did not do the "mask" but did the other and I purged the
> resolved... per Rowland's instructions...
>
> > nslookup hostname
> > nslookup hostname.domain.tld
>
> :~$ nslookup sambaDC.domain.com
> Server: 131.192.176.20
> Address: 131.192.176.20#53
>
> Name: sambaDC.domain.com
> Address: 131.192.176.40
>
> > What do you see if you run:
> > host IP_OF_OTHERDC
>
> 20.176.192.131.in-addr.arpa domain name pointer WindowsADDC.domain.com.
>
> > host IP_OF_THIS_DC
>
> Host 40.176.192.131.in-addr.arpa domain name pointer sambaDC.domain.com.
>
> > And
> > dig a $(hostname -s)
>
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 852b24514a370e2a (echoed)
> ;; QUESTION SECTION:
> ;sambaDC. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20) <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 02:57:50 CST 2018
> ;; MSG SIZE rcvd: 51
>
> > dig a $(hostname -f)
>
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6f82a8d3d3d97f1d (echoed)
> ;; QUESTION SECTION:
> ;sambaDC.domain.com. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20) <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 03:05:39 CST 2018
> ;; MSG SIZE rcvd: 61
>
> > Repeat but now with @ip_of_OTHER-DC at the end.
> >
> > dig -x ip_of_this_DC
>
> dig -x 131.192.176.40 (sambaDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 53854d1f16d34420 (echoed)
> ;; QUESTION SECTION:
> ;40.176.192.131.in-addr.arpa. IN PTR
>
> ;; Query time: 1 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:19:14 CST 2018
> ;; MSG SIZE rcvd: 68
>
> > dig -x ip_of_OTHER-DC
> > Repeat but now with @ip_of_OTHER-DC at the end.
>
> dig -x 131.192.176.20 (WinADDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 9aee9cb762be5fc3 (echoed)
> ;; QUESTION SECTION:
> ;20.176.192.131.in-addr.arpa. IN PTR
>
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:21:20 CST 2018
> ;; MSG SIZE rcvd: 68

Ok, here are lots of things missing or not working.
What I did see here, for example:

> ;; WARNING: recursion requested but not available
>
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

ANSWER: 0 << that's not good.
PTR checks on the DC's records are failing also.
You don't get answers from the DNS server(s)...

Look, what I wanted to see was:

dig -x 192.168.0.1
; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN PTR dc1.internal.domain.tld.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 1308 IN NS dc1.internal.domain.tld.

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 29 11:11:19 2018
;; MSG SIZE rcvd: 101

At least we have a thing to look at/check now.
I don't know much about the internal DNS of Samba, I only use Bind9_DLZ, so I would say upgrade the DNS to bind9_DLZ. But now we know where to look, Rowland may be able to say things about the internal DNS.

Everything below here is atm not really relevant, the above needs to be fixed first.
A few other questions: are you running a Cert server on the MS server? If so, make sure you export the CA root cert and add it on your samba servers, and create the samba client certificates.

After that's done, and the dns is checked again, then we can look at:

> '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4705) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1

> > > -----------
> > > Checking file: /etc/krb5.conf
> > > [libdefaults]
> > > default_realm = MYDOMAIN.COM
> >
> > #Here add :
> > ; for Windows 2008 with AES, this makes sure it matches better
> > with the Windows side.
> > default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >
> > > # The following krb5.conf variables are only for MIT Kerberos.
> > > kdc_timesync = 1
> > > ccache_type = 4
> > > forwardable = true
> > > proxiable = true
> > >
> > > # The following encryption type specification will be used by MIT
> > > Kerberos .... Removed a bit to shorten the e-mail.
> > >
> > > -----------
> > > Checking file: /etc/nsswitch.conf
> > > # /etc/nsswitch.conf
> > > #
> > > # Example configuration of GNU Name Service Switch functionality.
> > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > # `info libc "Name Service Switch"' for information about this file.
> > >
> > > passwd: compat systemd
> > > group: compat systemd
> > > shadow: compat
> > > gshadow: files
> > >
> > > hosts: files dns
> > > networks: files
> > >
> > > protocols: db files
> > > services: db files
> > > ethers: db files
> > > rpc: db files
> > >
> > > netgroup: nis
> > >
> > > -----------
> > > Warning, does not exist
> >
> > I was expecting output here for the command.
> > Check_file_exists "${SMBCONF}"
>
> I have been deleting smb.conf before I run the samba-tool.
> It creates a new one even though the join fails.
>
> > Can you run these 2 commands:
> > samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
>
> /etc/samba/smb.conf (because I made an attempt to join the
> domain with samba-tool)
>
> > smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
>
> /etc/samba/smb.conf
>
> > > -----------
> > > No username map detected.
> > Fine for an AD DC.
>
> > > -----------
> > >
> > > Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> > > ii acl 2.2.52-3build1 amd64 Access control list utilities
> > > .......... Removed part to shorten mail.
> > > SMB/CIFS clients for Unix
> > > ii winbind 2:4.9.3+nmu-1~ubuntu1804 amd64 service to
> > > resolve user and group information from Windows NT servers
> > > -----------
> >
> > This looks ok to me.
>
> > Last, I'll add this script into the other script in some time.
> >
> > Get and run this one on the DC.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh
>
> The Windows DC..? Well, with bash it doesn't work... so I
> assume you mean the DC we're trying to set up.
>
> 1:~$ sudo /tmp/samba-info.sh
> Could not find machine account in secrets database: Failed to
> fetch machine account password for DARAM from both
> secrets.ldb (Could not find entry to match filter:
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4705) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1
> LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A,
> comment: In order to perform this operation a successful bind
> must be completed on the connection., data 0, v23f0> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to
> fetch machine account password for DARAM from both
> secrets.ldb (Could not find entry to match filter:
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4705) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1
> LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09079A,
> comment: In order to perform this operation a successful bind
> must be completed on the connection., data 0, v23f0> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to
> fetch machine account password for DARAM from both
> secrets.ldb (Could not find entry to match filter:
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4705) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1
> LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C09073B,
> comment: In order to perform this operation a successful bind
> must be completed on the connection., data 0, v1772> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> This script was tested with Debian Jessie and Stretch
> Server info:                                   detected (command and where to look)
> This server hostname =                         sambaDC (hostname -s and /etc/hosts and DNS server)
> This server FQDN (hostname) =                  sambaDC.domain.com (hostname -f and /etc/hosts and DNS server)
> This server primary dnsdomain =                domain.com (hostname -d and /etc/resolv.conf and DNS server)
> This server IP address(ses) =                  131.192.176.40 (hostname -i (-I) and /etc/networking/interfaces and DNS server)
> The DC with FSMO roles =                       (samba-tool fsmo show)
> The DC (with FSMO) Site name =                 (samba-tool fsmo show)
> The Default Naming Context =                   (samba-tool fsmo show)
> The Kerberos REALM name used =                 DOMAIN.COM (kinit and /etc/krb5.conf and resolving)
> The Ipadres of DC win2012DC-Site2.domain.com = 131.192.180.22
> The Ipadres of DC win2012DC-Site1.domain.com = 131.192.176.20 131.192.176.18

And again, we are missing info here.

I did keep all of the original post so it's easier to track this problem.

Rowland, do you have any more suggestions? I'm in favour of:
- fix the dns resolving.
- cleanup the current join, remove from the domain.
- setup/join samba with bind9_dlz.

So far,

Louis
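An added check script (this editor's, not from the thread and not part of the samba-info.sh linked above) that runs the lookups Louis asks for, plus the SOA and SRV records a DC join depends on, against one DC and prints a verdict per record. One thing it deliberately rules out first: every dig query above to the Windows DC returns FORMERR with the EDNS COOKIE option echoed back, while nslookup and host against the same server did return the A and PTR records. dig 9.11 sends an EDNS cookie by default, and a DNS server that rejects unknown EDNS options answers FORMERR rather than ignoring the option, so a FORMERR alone does not prove the record is missing; the script retries with +nocookie and then +noedns before reporting. Assumptions: dig is installed; realm, DC address, this host's FQDN and IP are passed as arguments (the values in the usage comment are the ones from the thread); the reverse zone is assumed to be a /24 delegation.

```shell
#!/bin/sh
# dns_precheck.sh -- DNS sanity checks before joining a Samba AD DC
# (added example; not from the thread or from samba-info.sh).
# Assumes dig (dnsutils / bind9-dnsutils) is installed. Realm, DC address,
# this host's FQDN and IP come from the command line; nothing is hardcoded.
set -u

# classify_dig: read dig output on stdin, print a one-word verdict.
#   OK       NOERROR with at least one answer record
#   EMPTY    NOERROR but no answer (name exists, no record of that type)
#   FORMERR  server rejected the query format (often the EDNS cookie)
#   NOREPLY  no header at all (timeout, no servers could be reached)
#   <rcode>  any other status verbatim (NXDOMAIN, SERVFAIL, REFUSED, ...)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        '')      echo NOREPLY ;;
        NOERROR) if [ "${answers:-0}" -gt 0 ]; then echo OK; else echo EMPTY; fi ;;
        *)       echo "$status" ;;
    esac
}

# dig_classified SERVER TYPE NAME: query one record type and classify it.
# On FORMERR, retry without the EDNS cookie, then without EDNS entirely,
# so a server that chokes on OPT options is not mistaken for a missing record.
dig_classified() {
    server=$1; type=$2; name=$3
    for flags in "" "+nocookie" "+noedns"; do
        r=$(dig @"$server" "$type" "$name" $flags +tries=1 +time=3 2>/dev/null | classify_dig)
        if [ "$r" != FORMERR ]; then
            echo "$r${flags:+ (needed $flags)}"
            return 0
        fi
    done
    echo FORMERR
}

# main REALM DC_IP THIS_FQDN THIS_IP: the records a DC join relies on.
# The reverse zone name assumes a /24 delegation (assumption; adjust if not).
main() {
    realm=$1; dc=$2; me=$3; myip=$4
    ptr=$(printf '%s' "$myip" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
    revzone=$(printf '%s' "$myip" | awk -F. '{print $3"."$2"."$1".in-addr.arpa"}')
    fail=0
    for q in "A $me" "PTR $ptr" "SOA $realm" "SOA $revzone" "NS $realm" \
             "SRV _ldap._tcp.$realm" "SRV _kerberos._tcp.$realm" \
             "SRV _ldap._tcp.dc._msdcs.$realm"; do
        set -- $q
        r=$(dig_classified "$dc" "$1" "$2")
        printf '%-45s %s\n' "$1 $2" "$r"
        case "$r" in OK*) ;; *) fail=1 ;; esac
    done
    return $fail
}

# Runs only when given the four arguments, e.g. (values from the thread):
#   sh dns_precheck.sh domain.com 131.192.176.20 sambaDC.domain.com 131.192.176.40
if [ $# -eq 4 ]; then main "$@"; fi
```

Run it once against each DC (the Windows DC at .20 and, after the join, the Samba DC itself) and compare. A verdict of "OK (needed +nocookie)" means the records exist and the FORMERR was an EDNS compatibility issue between dig and that server; a plain FORMERR, NXDOMAIN or EMPTY on the SOA or SRV lines is the kind of zone problem a join actually trips over.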
On Thu, 29 Nov 2018 11:27:12 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi Barry,
> [...]
> Rowland, do you have any more suggestions? I'm in favour of:
> - fix the dns resolving.

That definitely needs to work.

> - cleanup the current join, remove from the domain.

I don't think he ever joined, but cleaning out anything to do with the new DC from the Windows DC shouldn't harm anything, and cleaning out /var/lib/samba will also help.

> - setup/join samba with bind9_dlz.

You do not actually have to set up Bind9 before a provision/join, it just needs to be installed, then add '--dns-backend=BIND9_DLZ' to the join command; he can worry about setting up Bind9 once the DC actually joins ;-)

Rowland
Thanks Rowland/Louis for your assistance,

> > What is the running AD DC its os version/build, it was an MS server?
> 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012
> windows DC

> Yes, but Win 2012 which one? 2012 or 2012 R2? Can you open a DOS box (cmd) and type: ver. The build number is?

It is just 2012, not R2. Here is the ver output: Microsoft Windows [Version 6.2.9200]

The 2008 DC is also NOT R2: Microsoft Windows [Version 6.0.6002]

The Windows Certificate Server is running on the 2008 DC.

> and add it on your samba servers

I assume it will need to be added to the Intermediate & Trusted Authorities. I will have to search for doing this on Ubuntu/Linux. I assume it is simple.

> create the samba client certificates

Not sure what you mean here. Do you mean to request a client certificate for the samba DC from the Windows Certificate Authority?

> I don't think he ever joined, but cleaning out anything to do with the
> new DC from the Windows DC shouldn't harm anything and cleaning
> out /var/lib/samba will also help.

Never successfully joined. From ADSI Edit, samba-tool seems to clean up after itself when the join fails. I see entries added for the Samba DC and then they have later been removed.

> > - setup/join samba with bind9_dlz.
> You do not actually have to set up Bind9 before a provision/join, it
> just needs to be installed, then add '--dns-backend=BIND9_DLZ' to the
> join command, he can worry about setting up Bind9 once the DC actually
> joins ;-)

I have not explicitly installed BIND9, perhaps Ubuntu 18.04 loads it already. I can certainly install it.

At this point I have not implemented anything from your most recent post so as to only do what you want me to do.

I will research the Linux certificate store so I can do that when you request it.

-Barry Adkins
Hi Barry,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Barry D. Adkins via samba
> Sent: Thursday 29 November 2018 11:57
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> Thanks Rowland/Louis for your assistance,
>
> > > What is the running AD DC its os version/build, it was an MS server?
> > 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012
> > windows DC
>
> > Yes, but Win 2012 which one? 2012 or 2012 R2? Can you open a
> > DOS box (cmd) and type: ver. The build number is?
>
> It is just 2012, not R2. Here is the ver output: Microsoft Windows [Version 6.2.9200]
>
> The 2008 DC is also NOT R2: Microsoft Windows [Version 6.0.6002]
>
> The Windows Certificate Server is running on the 2008 DC.
>
> > and add it on your samba servers
>
> I assume it will need to be added to the Intermediate &
> Trusted Authorities. I will have to search for doing this on
> Ubuntu/Linux. I assume it is simple.

Yes, that's not so hard.

But before you start with the things to do:
your network is expanding as we are asking questions.. ;-)

So you have a:
win2012 as AD DC
Win2008 as ? Member or also AD DC?
Any other Windows servers? MSSQL, Exchange, things like that, because some of these are blocking replication.

And before you're wasting a lot more time, let's make the info more complete first.

And a bit ahead, the cert instructions, but the above info first please.

The root CA instructions. Use this:
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

> > create the samba client certificates
>
> Not sure what you mean here. Do you mean to request a client
> certificate for the samba DC from the Windows Certificate Authority?

Yes. Create the client certs and let samba use them.
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Do note, use the created cert+key from the DC and check if it's done correctly.
How is in the wiki link.

> [...]
>
> -Barry Adkins
> --

Greetz,

Louis
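Since Barry asked how the CA root gets into the Ubuntu trust store and what "check if it's done correctly" looks like, here is an added helper (this editor's, not from the thread, the brightbox post or the Samba wiki). Assumptions: Debian/Ubuntu trust-store layout (/usr/local/share/ca-certificates plus update-ca-certificates) and openssl on the path; the Windows CA commonly exports its root as DER (.cer), and update-ca-certificates only reads PEM files named *.crt, which is the conversion the script handles; the DC host name in the comment is the one from Barry's script output and LDAPS on port 636 is only verifiable if that DC has it enabled.

```shell
#!/bin/sh
# ca_trust.sh -- put the Windows CA root into the Debian/Ubuntu trust store
# and verify an LDAPS endpoint against it.
# Added example; not from the thread, the brightbox post or the Samba wiki.
# Assumptions: Debian-style store (/usr/local/share/ca-certificates and
# update-ca-certificates), openssl installed. A Windows CA usually exports
# its root as DER (.cer); update-ca-certificates only picks up PEM files
# named *.crt, so the staging step converts when needed.
set -u

# is_pem FILE: exit 0 if FILE is a PEM certificate, 1 if (most likely) DER.
is_pem() {
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# stage_ca_cert SRC [DEST_DIR]: copy SRC into DEST_DIR as PEM with a .crt
# name (converting from DER if needed) and print the resulting path.
# DEST_DIR defaults to the system store, which needs root; tests pass a tmpdir.
stage_ca_cert() {
    src=$1; dest=${2:-/usr/local/share/ca-certificates}
    base=$(basename "$src"); base=${base%.*}
    out="$dest/$base.crt"
    mkdir -p "$dest"
    if is_pem "$src"; then
        cp "$src" "$out"
    else
        openssl x509 -inform der -in "$src" -out "$out" || return 1
    fi
    echo "$out"
}

# activate_ca_certs: rebuild /etc/ssl/certs and ca-certificates.crt (root).
activate_ca_certs() {
    update-ca-certificates
}

# verify_ldaps HOST [CAFILE]: TLS handshake to HOST:636 must chain to CAFILE.
# Returns 0 only when openssl reports "Verify return code: 0 (ok)".
verify_ldaps() {
    host=$1; ca=${2:-/etc/ssl/certs/ca-certificates.crt}
    printf '' | openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$ca" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Typical run as root (file name is a placeholder for the exported root):
#   stage_ca_cert /tmp/DARAM-Root-CA.cer && activate_ca_certs
#   verify_ldaps win2012DC-Site1.domain.com && echo "LDAPS chain verifies"
```

Once the root is in the bundle, the same CA file is what the Samba DC's smb.conf points at with "tls cafile", next to the "tls certfile" and "tls keyfile" from the wiki page Louis linked; verify_ldaps run against the Samba DC itself is then the check that the issued cert and key were installed correctly.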
> > > What is the running AD DC its os version/build, it was an MS server?
> > 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012
> > windows DC
>
> > Yes, but Win 2012 which one? 2012 or 2012 R2? Can you open a
> > DOS box (cmd) and type: ver. The build number is?
>
> It is just 2012, not R2. Here is the ver output: Microsoft Windows
> [Version 6.2.9200]
>
> The 2008 DC is also NOT R2: Microsoft Windows [Version 6.0.6002]
>
> The Windows Certificate Server is running on the 2008 DC.
>
> > and add it on your samba servers
>
> I assume it will need to be added to the Intermediate & Trusted
> Authorities. I will have to search for doing this on Ubuntu/Linux. I
> assume it is simple.

> But before you start with the things to do:
> your network is expanding as we are asking questions.. ;-) So you have a:
> win2012 as AD DC
> Win2008 as ? Member or also AD DC?
> Any other Windows servers? MSSQL, Exchange, things like that, because some of these are blocking replication.
> And before you're wasting a lot more time, let's make the info more complete first.

> > 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012
> > windows DC

Site 1
- 2012 ADDC + DNS
- 2008 ADDC + Certificate Service + DNS + DHCP
- 2012 Member - file server & running MS SQL Server
- 2012 Member - file server
- 2008 Member - MS Exchange 2010

Site 2
- 2012 ADDC + file server

All are NOT Windows 20xx R2, just Windows Standard Server 2008 or 2012.