James Fowler
2019-May-02 18:44 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
I have read that so many times. I started out with the simple, prompted
'samba-tool domain join' and built up from there.
Version is:
Samba 4.7.6 from Ubuntu (18.04.2)
Interesting what happens when I take out --site directive (see below).
root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
    ctx.samdb.add(rec)
On Thu, May 2, 2019 at 2:25 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 May 2019 12:59:28 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
>
> I take it, that it didn't work.
>
> You have this:
>
> --site='Default-First-Site'
>
> Have you created a site called 'Default-First-Site' ? by default it is
> '--site='Default-First-Site-Name'
>
> If you are trying to join the site 'Default-First-Site-Name', then
> there is no need to give the option.
>
> Have you read this:
>
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> What version of Samba are you using ?
>
> Rowland
>
--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
Rowland Penny
2019-May-02 19:05 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Thu, 2 May 2019 14:44:18 -0400
James Fowler <fowlerj at adst.org> wrote:

> I have read that so many times. I started out with the simple,
> prompted 'samba-tool domain join' and built up from there.
>
> Version is:
> Samba 4.7.6 from Ubuntu (18.04.2)
>
> Interesting what happens when I take out --site directive (see below).
>
> root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> Password for [DOMAIN1\EnterpriseAdminUser]:
> workgroup is DOMAIN1
> realm is DOMAIN1.DOMAIN
> Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
>     ctx.samdb.add(rec)

I wonder if it is a dns problem ?

can you post the contents of the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

4.7.6 is EOL as far as Samba is concerned, you can find a later version
here:

http://apt.van-belle.nl/

Is bind9 installed, if so can you post the conf files.

Rowland
James Fowler
2019-May-02 20:51 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
root at DC2:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 192.168.1.254
#search domain1.domain
/etc/hostname
cat /etc/hostname
DC2
/etc/hosts
root at DC2:~cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/krb5.conf (and an earlier version)
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
root at DC2:~# cat /etc/krb5.conf.bak
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no
BIND9 (really long files here - only /etc/bind/named.conf +named.conf.*)
root at DC2:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.local
// Generated by Zentyal
acl "trusted" {
localhost;
localnets;
};
acl "internal-local-nets" {
192.168.1.0/24;
};
zone "domain1.domain." IN {
type master;
file "/etc/bind/db.domain1.domain";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.1.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.options
options {
sortlist {
{ 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
};
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
//query-source address * port 53;
//transfer-source * port 53;
//notify-source * port 53;
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { internal-local-nets; };
};
logging { category lame-servers { null; }; };
root at DC2:/etc/bind#
L.P.H. van Belle
2019-May-03 06:37 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Hai James,

Another question, is Exchange installed in the Windows environment?
If not, that's only good.

OK, you need to rewrite some parts; I see several things you need to fix.
I'll comment below.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James Fowler via samba
> Sent: Thursday 2 May 2019 22:51
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> root at DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # and managed by Zentyal.
> #
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> #
> nameserver 192.168.1.254
> #search domain1.domain

Remove # and set that search to the primary dnsdomain, should be ok.

> /etc/hostname
> cat /etc/hostname
> DC2

I changed hosts ..

> /etc/hosts
> root at DC2:~cat /etc/hosts

Correct this part.

127.0.0.1 localhost localhost.localdomain
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1

> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> /etc/krb5.conf (and an earlier version)
> root at DC2:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN1.DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> root at DC2:~# cat /etc/krb5.conf.bak
> [libdefaults]
> default_realm = DOMAIN1.DOMAIN
> dns_lookup_kdc = true
> dns_lookup_realm = false
> rdns = no
>
> BIND9 (really long files here - only /etc/bind/named.conf +named.conf.*)
>
> root at DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> include "/etc/bind/named.conf.local";
> root at DC2:/etc/bind#
>
> root at DC2:/etc/bind# cat named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> root at DC2:/etc/bind#
>
> root at DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal
>
> acl "trusted" {
> localhost;
> localnets;
> };
>
> acl "internal-local-nets" {
> 192.168.1.0/24;
> };

Remove this part below, that's your main problem.

> zone "domain1.domain." IN {
> type master;
> file "/etc/bind/db.domain1.domain";
> };
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "/etc/bind/db.1.168.192";
> update-policy {
> // The only allowed dynamic updates are PTR records
> grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
> // Grant from localhost
> grant local-ddns zonesub any;
> };
> };

^^^^ Up to here..
Samba and bind9 flat files are not supported.

> zone "10.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
> type master;
> file "/etc/bind/db.empty";
> };
> root at DC2:/etc/bind#
>
> root at DC2:/etc/bind# cat named.conf.options
>
> options {
> sortlist {
> { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> };
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you might need to uncomment the query-source
> // directive below. Previous versions of BIND always asked
> // questions using port 53, but BIND 8.1 and later use an unprivileged
> // port by default.
>
> //query-source address * port 53;
> //transfer-source * port 53;
> //notify-source * port 53;

Here
auth-nxdomain yes; # because this server is authoritative for the domain in bind9_dlz.

> allow-query { any; };
> allow-recursion { trusted; };
> allow-query-cache { trusted; };
> allow-transfer { internal-local-nets; };
> };
>
> logging { category lame-servers { null; }; };
> root at DC2:/etc/bind#
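The three file-level problems pointed out in the reply above (the DC's own name on a loopback line in /etc/hosts, the commented-out `search` line, and flat-file master zones for the AD domain next to BIND9_DLZ) can be checked before running the join. This is an added example, not code from the thread or from Samba; the function names and the `ad_zones` parameter are hypothetical, and the sample inputs are excerpts of the files posted in the thread.

```python
import ipaddress
import re

# Excerpts of the files posted in the thread, before the suggested fixes.
HOSTS = """127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1
::1 localhost ip6-localhost ip6-loopback
"""
RESOLV = "nameserver 192.168.1.254\n#search domain1.domain\n"
NAMED_LOCAL = """
zone "domain1.domain." IN {
    type master;
    file "/etc/bind/db.domain1.domain";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    update-policy {
        grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
        grant local-ddns zonesub any;
    };
};
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
"""

def hosts_findings(hosts_text, fqdn):
    """Flag /etc/hosts lines that map the DC's own name to a loopback address."""
    own = {fqdn.lower(), fqdn.split(".")[0].lower()}
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr.is_loopback and own & {f.lower() for f in fields[1:]}:
            out.append(f"hosts: {fields[0]} maps {fqdn} to loopback")
    return out

def resolv_findings(resolv_text, dns_domain):
    """Require an uncommented 'search' line that names the AD DNS domain."""
    for line in resolv_text.splitlines():
        fields = line.lower().split()
        if fields[:1] == ["search"] and dns_domain.lower() in fields[1:]:
            return []
    return [f"resolv.conf: no active 'search {dns_domain}' line"]

def zone_blocks(named_text):
    """Yield (name, body) per zone statement, following nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{', named_text):
        depth, i = 1, m.end()
        while i < len(named_text) and depth:
            depth += {"{": 1, "}": -1}.get(named_text[i], 0)
            i += 1
        yield m.group(1).rstrip(".").lower(), named_text[m.end():i - 1]

def named_findings(named_text, ad_zones):
    """Flag flat-file master zones for names the BIND9_DLZ backend must serve."""
    wanted = {z.rstrip(".").lower() for z in ad_zones}
    return [f"named: flat-file master zone '{name}' overlaps BIND9_DLZ"
            for name, body in zone_blocks(named_text)
            if name in wanted and re.search(r"\btype\s+master\s*;", body)
            and re.search(r'\bfile\s+"', body)]

def preflight(hosts, resolv, named_local, fqdn, dns_domain, ad_zones):
    # ad_zones is an assumption: the zone names that Samba's DLZ module serves.
    return (hosts_findings(hosts, fqdn) + resolv_findings(resolv, dns_domain)
            + named_findings(named_local, ad_zones))
```

Run against the files as posted, `preflight()` reports four findings; after applying the changes from the reply it reports none.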