James Fowler
2019-May-02 18:44 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
I have read that so many times. I started out with the simple,
prompted 'samba-tool domain join' and built up from there.

Version is:
Samba 4.7.6 from Ubuntu (18.04.2)

Interesting what happens when I take out --site directive (see below).

root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
    ctx.samdb.add(rec)

On Thu, May 2, 2019 at 2:25 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 12:59:28 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > --site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ
> > --workgroup='DOMAIN1' -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
>
> I take it, that it didn't work.
>
> You have this:
>
> --site='Default-First-Site'
>
> Have you created a site called 'Default-First-Site' ? by default it is
> '--site='Default-First-Site-Name'
>
> If you are trying to join the site 'Default-First-Site-Name', then
> there is no need to give the option.
>
> Have you read this:
>
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> What version of Samba are you using ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
Rowland Penny
2019-May-02 19:05 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Thu, 2 May 2019 14:44:18 -0400
James Fowler <fowlerj at adst.org> wrote:

> I have read that so many times. I started out with the simple,
> prompted 'samba-tool domain join' and built up from there.
>
> Version is:
> Samba 4.7.6 from Ubuntu (18.04.2)
>
> Interesting what happens when I take out --site directive (see below).
>
> root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> Password for [DOMAIN1\EnterpriseAdminUser]:
> workgroup is DOMAIN1
> realm is DOMAIN1.DOMAIN
> Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> Adding
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password for DOMAIN1 from both secrets.ldb (Could not
> find entry to match filter:
> '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search
> at ../source4/dsdb/common/util.c:4636) and
> from /var/lib/samba/private/secrets.tdb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> LDAP error 32 LDAP_NO_SUCH_OBJECT -
> CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN' >
> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> line 661, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend) File
> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
> ctx.join_add_objects()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
> join_add_objects
> ctx.samdb.add(rec)

I wonder if it is a dns problem ?

can you post the contents of the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

4.7.6 is EOL as far as Samba is concerned, you can find a later version
here:

http://apt.van-belle.nl/

Is bind9 installed, if so can you post the conf files.

Rowland
James Fowler
2019-May-02 20:51 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
root@DC2:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 192.168.1.254
#search domain1.domain

/etc/hostname
cat /etc/hostname
DC2

/etc/hosts
root@DC2:~cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf (and an earlier version)
root@DC2:~# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
root@DC2:~# cat /etc/krb5.conf.bak
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no

BIND9 (really long files here - only /etc/bind/named.conf +named.conf.*)

root@DC2:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
root@DC2:/etc/bind#

root@DC2:/etc/bind# cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

root@DC2:/etc/bind#

root@DC2:/etc/bind# cat named.conf.local
// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.1.0/24;
};

zone "domain1.domain." IN {
    type master;
    file "/etc/bind/db.domain1.domain";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
root@DC2:/etc/bind#

root@DC2:/etc/bind# cat named.conf.options

options {
    sortlist {
        { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;

    auth-nxdomain no; # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };
root@DC2:/etc/bind#

On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 14:44:18 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > I have read that so many times. I started out with the simple,
> > prompted 'samba-tool domain join' and built up from there.
> >
> > Version is:
> > Samba 4.7.6 from Ubuntu (18.04.2)
> >
> > Interesting what happens when I take out --site directive (see below).
> >
> > root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > Adding
> >
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for DOMAIN1 from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary
> > Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4636) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN' >
> > <>
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > line 661, in run
> > machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC ctx.do_join()
> > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> > do_join
> > ctx.join_add_objects()
> > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
> > join_add_objects
> > ctx.samdb.add(rec)
>
> I wonder if it is a dns problem ?
>
> can you post the contents of the following files:
>
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
> 4.7.6 is EOL as far as Samba is concerned, you can find a later version
> here:
>
> http://apt.van-belle.nl/
>
> Is bind9 installed, if so can you post the conf files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
L.P.H. van Belle
2019-May-03 06:37 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Hai James,

Another question: is Exchange installed in the Windows environment?
If not, that's only good.

Ok, you need to rewrite some parts; I see several things you need to fix.
I'll comment below.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> James Fowler via samba
> Sent: Thursday 2 May 2019 22:51
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> root@DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # and managed by Zentyal.
> #
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> OVERWRITTEN
> #
> nameserver 192.168.1.254
> #search domain1.domain

Remove # and set that search to the primary dnsdomain, should be ok.

>
> /etc/hostname
> cat /etc/hostname
> DC2
>

I changed hosts ..

> /etc/hosts
> root@DC2:~cat /etc/hosts

Correct this part.

127.0.0.1 localhost localhost.localdomain
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1

>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> /etc/krb5.conf (and an earlier version)
> root@DC2:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN1.DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> root@DC2:~# cat /etc/krb5.conf.bak
> [libdefaults]
> default_realm = DOMAIN1.DOMAIN
> dns_lookup_kdc = true
> dns_lookup_realm = false
> rdns = no
>
> BIND9 (really long files here - only /etc/bind/named.conf
> +named.conf.*)
>
> root@DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse
> zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> include "/etc/bind/named.conf.local";
> root@DC2:/etc/bind#
>
> root@DC2:/etc/bind# cat named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse
> zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
>
> root@DC2:/etc/bind#
>
> root@DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal
>
> acl "trusted" {
> localhost;
> localnets;
> };
>
> acl "internal-local-nets" {
> 192.168.1.0/24;
> };
>
>

Remove this part below, that's your main problem.

> zone "domain1.domain." IN {
> type master;
> file "/etc/bind/db.domain1.domain";
> };
>
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "/etc/bind/db.1.168.192";
> update-policy {
> // The only allowed dynamic updates are PTR records
> grant domain1.domain. subdomain
> 1.168.192.in-addr.arpa. PTR TXT;
> // Grant from localhost
> grant local-ddns zonesub any;
> };
> };
>

^^^^ Up to here..
Samba and bind9 flat files are not supported.

> zone "10.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> root@DC2:/etc/bind#
>
> root@DC2:/etc/bind# cat named.conf.options
>
> options {
> sortlist {
> { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> };
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you might need to uncomment the query-source
> // directive below. Previous versions of BIND always asked
> // questions using port 53, but BIND 8.1 and later use an
> unprivileged
> // port by default.
>
> //query-source address * port 53;
> //transfer-source * port 53;
> //notify-source * port 53;
>
>

Here
auth-nxdomain yes; # because this server is authoritative for the domain in bind9_dlz.

>
> allow-query { any; };
> allow-recursion { trusted; };
> allow-query-cache { trusted; };
> allow-transfer { internal-local-nets; };
> };
>
> logging { category lame-servers { null; }; };
> root@DC2:/etc/bind#
>
>
>
> On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Thu, 2 May 2019 14:44:18 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > > I have read that so many times. I started out with the simple,
> > > prompted 'samba-tool domain join' and built up from there.
> > >
> > > Version is:
> > > Samba 4.7.6 from Ubuntu (18.04.2)
> > >
> > > Interesting what happens when I take out --site directive
> (see below).
> > >
> > > root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > > --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > > Password for [DOMAIN1\EnterpriseAdminUser]:
> > > workgroup is DOMAIN1
> > > realm is DOMAIN1.DOMAIN
> > > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > > Adding
> > >
> > > CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > > Join failed - cleaning up
> > > ldb_wrap open of secrets.ldb
> > > Could not find machine account in secrets database:
> Failed to fetch
> > > machine account password for DOMAIN1 from both
> secrets.ldb (Could not
> > > find entry to match filter:
> > > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
> 'cn=Primary
> > > Domains': No such object: dsdb_search
> > > at ../source4/dsdb/common/util.c:4636) and
> > > from /var/lib/samba/private/secrets.tdb:
> > > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN' >
> > > <>
> > > File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > > line 176, in _run
> > > return self.run(*args, **kwargs)
> > > File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > > line 661, in run
> > > machinepass=machinepass, use_ntvfs=use_ntvfs,
> > > dns_backend=dns_backend) File
> > > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > > join_DC ctx.do_join()
> > > File "/usr/lib/python2.7/dist-packages/samba/join.py",
> line 1375, in
> > > do_join
> > > ctx.join_add_objects()
> > > File "/usr/lib/python2.7/dist-packages/samba/join.py",
> line 631, in
> > > join_add_objects
> > > ctx.samdb.add(rec)
> >
> > I wonder if it is a dns problem ?
> >
> > can you post the contents of the following files:
> >
> > /etc/resolv.conf
> > /etc/hostname
> > /etc/hosts
> > /etc/krb5.conf
> >
> > 4.7.6 is EOL as far as Samba is concerned, you can find a
> later version
> > here:
> >
> > http://apt.van-belle.nl/
> >
> > Is bind9 installed, if so can you post the conf files.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> James Fowler
> Chief Information Officer
> Association for Diplomatic Studies and Training http://adst.org
> Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
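
The file-level points raised in Louis's reply (an active search domain in resolv.conf, a hosts file without the 127.0.1.1 line for the DC's own name, and no flat-file zones for the AD domain in named.conf.local) can be checked before re-running the join. The script below is an added example, not part of any message in this thread; the function names are hypothetical and the sample files are constructed from the excerpts posted above.

```sh
#!/bin/sh
# Added example (not from the thread): pre-join checks for the files Louis
# commented on. File paths are arguments, so copies can be checked safely.

# resolv.conf must have an uncommented "search" line naming the AD DNS domain.
check_resolv() {  # $1=file $2=dns-domain
    awk -v d="$2" 'BEGIN { d = tolower(d); rc = 1 }
        $1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == d) rc = 0 }
        END { exit rc }' "$1"
}

# The hosts file must not map the DC's own name to a loopback address.
check_hosts() {  # $1=file $2=short-hostname
    awk -v h="$2" 'BEGIN { h = tolower(h); rc = 0 }
        /^[ \t]*#/ { next }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == h || index(n, h ".") == 1) rc = 1
            }
        }
        END { exit rc }' "$1"
}

# Print each zone declared in a named.conf fragment whose name is one of the
# given AD zones; with BIND9_DLZ these must not also exist as flat-file zones.
flat_zones() {  # $1=file, remaining args=zone names
    f=$1; shift
    for want in "$@"; do
        awk -v d="$want" 'BEGIN { d = tolower(d) }
            $1 == "zone" {
                z = tolower($2); gsub(/"/, "", z); sub(/\.$/, "", z)
                if (z == d) print z
            }' "$f"
    done
}

# Run all three checks; prints findings, returns the number of failed checks.
preflight() {  # $1=dir holding the three files $2=host $3=domain $4=reverse zone
    fails=0
    check_resolv "$1/resolv.conf" "$3" || { echo "resolv.conf: no active search $3"; fails=$((fails + 1)); }
    check_hosts "$1/hosts" "$2" || { echo "hosts: $2 is mapped to loopback"; fails=$((fails + 1)); }
    zones=$(flat_zones "$1/named.conf.local" "$3" "$4")
    [ -z "$zones" ] || { echo "named.conf.local: flat-file zones:" $zones; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: the relevant lines of the files as posted in the thread.
make_sample() {  # $1=dir
    printf '%s\n' 'nameserver 192.168.1.254' '#search domain1.domain' > "$1/resolv.conf"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
        '127.0.1.1 DC2.DOMAIN1.DOMAIN DC2' \
        '192.168.1.20 DC2.DOMAIN1.DOMAIN DC2' > "$1/hosts"
    printf '%s\n' 'zone "domain1.domain." IN {' ' type master;' \
        ' file "/etc/bind/db.domain1.domain";' '};' \
        'zone "1.168.192.in-addr.arpa" {' ' type master;' \
        ' file "/etc/bind/db.1.168.192";' '};' \
        'zone "10.in-addr.arpa" {' ' type master;' \
        ' file "/etc/bind/db.empty";' '};' > "$1/named.conf.local"
}

demo=$(mktemp -d)
make_sample "$demo"
preflight "$demo" DC2 domain1.domain 1.168.192.in-addr.arpa || echo "failed checks: $?"
rm -rf "$demo"
```

The checks only read file contents; they do not query DNS or contact the existing DC.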