thr3ads.net - samba - [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN

If this information is useful, please help other people find it:
Share via:

James Fowler

2019-May-02 18:44 UTC

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

I have read that so many times.  I started out with the simple, prompted
'samba-tool domain join' and built up from there.

Version is:
Samba 4.7.6 from Ubuntu (18.04.2)

Interesting what happens when I take out --site directive (see below).

root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
--username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
--server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d
3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding
CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN1 from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))'
base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4636) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
       
'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'> <>  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
join_add_objects
    ctx.samdb.add(rec)


On Thu, May 2, 2019 at 2:25 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 May 2019 12:59:28 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
> > --site='Default-First-Site' --server='DC1'
--dns-backend=BIND9_DLZ
> > --workgroup='DOMAIN1' -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
>
> I take it, that it didn't work.
>
> You have this:
>
> --site='Default-First-Site'
>
> Have you created a site called 'Default-First-Site' ? by default it
is
> '--site='Default-First-Site-Name'
>
> If you are trying to join the site 'Default-First-Site-Name', then
> there is no need to give the option.
>
> Have you read this:
>
>
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> What version of Samba are you using ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy

Rowland Penny

2019-May-02 19:05 UTC

head link

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

On Thu, 2 May 2019 14:44:18 -0400
James Fowler <fowlerj at adst.org> wrote:
> I have read that so many times.  I started out with the simple,
> prompted 'samba-tool domain join' and built up from there.
> 
> Version is:
> Samba 4.7.6 from Ubuntu (18.04.2)
> 
> Interesting what happens when I take out --site directive (see below).
> 
> root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> --username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
> --server='DC1' --dns-backend=BIND9_DLZ
--workgroup='DOMAIN1' -d 3
> Password for [DOMAIN1\EnterpriseAdminUser]:
> workgroup is DOMAIN1
> realm is DOMAIN1.DOMAIN
> Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> Adding
>
CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password for DOMAIN1 from both secrets.ldb (Could not
> find entry to match filter:
> '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
'cn=Primary
> Domains': No such object: dsdb_search
> at ../source4/dsdb/common/util.c:4636) and
> from /var/lib/samba/private/secrets.tdb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> LDAP error 32 LDAP_NO_SUCH_OBJECT -
> CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > <>  
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> line 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend) File
> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1375, in
> do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line
631, in
> join_add_objects
>     ctx.samdb.add(rec)
I wonder if it is a dns problem ?

can you post the contents of the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

4.7.6 is EOL as far as Samba is concerned, you can find a later version
here:

http://apt.van-belle.nl/

Is bind9 installed, if so can you post the conf files.

Rowland

James Fowler

2019-May-02 20:51 UTC

head link

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

root at DC2:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 192.168.1.254
#search domain1.domain

/etc/hostname
cat /etc/hostname
DC2

/etc/hosts
root at DC2:~cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
192.168.1.254   DC1.DOMAIN1.local DC1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf (and an earlier version)
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN1.DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = true
root at DC2:~# cat /etc/krb5.conf.bak
[libdefaults]
    default_realm = DOMAIN1.DOMAIN
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = no

BIND9 (really long files here - only /etc/bind/named.conf +named.conf.*)

root at DC2:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.local
// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.1.0/24;
};


zone "domain1.domain." IN {
    type master;
    file "/etc/bind/db.domain1.domain";
};


zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.options

options {
     sortlist {
            { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;



    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };
root at DC2:/etc/bind#



On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 May 2019 14:44:18 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > I have read that so many times.  I started out with the simple,
> > prompted 'samba-tool domain join' and built up from there.
> >
> > Version is:
> > Samba 4.7.6 from Ubuntu (18.04.2)
> >
> > Interesting what happens when I take out --site directive (see below).
> >
> > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
> > --server='DC1' --dns-backend=BIND9_DLZ
--workgroup='DOMAIN1' -d 3
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > Adding
> >
>
CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for DOMAIN1 from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
'cn=Primary
> > Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4636) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > > <>
> >   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > line 661, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474,
in
> > join_DC ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 1375, in
> > do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 631, in
> > join_add_objects
> >     ctx.samdb.add(rec)
>
> I wonder if it is a dns problem ?
>
> can you post the contents of the following files:
>
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
> 4.7.6 is EOL as far as Samba is concerned, you can find a later version
> here:
>
> http://apt.van-belle.nl/
>
> Is bind9 installed, if so can you post the conf files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy

L.P.H. van Belle

2019-May-03 06:37 UTC

head link

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Hai James, 

An other question, is exchange installed in the windows environment? 
If not thats only good. 

Ok you need some rewriting some parts i see several things you need to fix. 

I'll comment below. 

Greetz, 

Louis 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> James Fowler via samba
> Verzonden: donderdag 2 mei 2019 22:51
> Aan: Rowland Penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or 
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> 
> root at DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # and managed by Zentyal.
> #
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE 
> OVERWRITTEN
> #
> nameserver 192.168.1.254
> #search domain1.domain

Remove # and set that search to the the primary dnsdomain, should be ok. 
> 
> /etc/hostname
> cat /etc/hostname
> DC2
> 
I changed hosts .. > /etc/hosts
> root at DC2:~cat /etc/hosts
Correct this part. 
127.0.0.1       localhost localhost.localdomain
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
192.168.1.254   DC1.DOMAIN1.local DC1

> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> /etc/krb5.conf (and an earlier version)
> root at DC2:~# cat /etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN1.DOMAIN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> root at DC2:~# cat /etc/krb5.conf.bak
> [libdefaults]
>     default_realm = DOMAIN1.DOMAIN
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     rdns = no
> 
> BIND9 (really long files here - only /etc/bind/named.conf 
> +named.conf.*)
> 
> root at DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> include "/etc/bind/named.conf.local";
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> 
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal
> 
> acl "trusted" {
>     localhost;
>     localnets;
> };
> 
> acl "internal-local-nets" {
>     192.168.1.0/24;
> };
> 
> 
Remove this part below thats your main problem. 
> zone "domain1.domain." IN {
>     type master;
>     file "/etc/bind/db.domain1.domain";
> };
> 
> 
> zone "1.168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.1.168.192";
>     update-policy {
>         // The only allowed dynamic updates are PTR records
>         grant domain1.domain. subdomain 
> 1.168.192.in-addr.arpa. PTR TXT;
>         // Grant from localhost
>         grant local-ddns zonesub any;
>     };
> };
> ^^^^
Upto here..  

Samba and bind9 flat files are not supported.

> zone "10.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.options
> 
> options {
>      sortlist {
>             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
>     };
>     directory "/var/cache/bind";
> 
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you might need to uncomment the query-source
>     // directive below.  Previous versions of BIND always asked
>     // questions using port 53, but BIND 8.1 and later use an 
> unprivileged
>     // port by default.
> 
>     //query-source address * port 53;
>     //transfer-source * port 53;
>     //notify-source * port 53;
> 
> 
> Here  auth-nxdomain yes;    # because this server is authorive for the domain in
bind9_dlz.> 
>     allow-query { any; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>     allow-transfer { internal-local-nets; };
> };
> 
> logging { category lame-servers { null; }; };
> root at DC2:/etc/bind#
> 
> 
> 
> On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 May 2019 14:44:18 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > > I have read that so many times.  I started out with the simple,
> > > prompted 'samba-tool domain join' and built up from
there.
> > >
> > > Version is:
> > > Samba 4.7.6 from Ubuntu (18.04.2)
> > >
> > > Interesting what happens when I take out --site directive 
> (see below).
> > >
> > > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > > --username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
> > > --server='DC1' --dns-backend=BIND9_DLZ
--workgroup='DOMAIN1' -d 3
> > > Password for [DOMAIN1\EnterpriseAdminUser]:
> > > workgroup is DOMAIN1
> > > realm is DOMAIN1.DOMAIN
> > > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > > Adding
> > >
> > 
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=DOMAIN1,DC=DOMAIN> > > Join failed - cleaning up
> > > ldb_wrap open of secrets.ldb
> > > Could not find machine account in secrets database: 
> Failed to fetch
> > > machine account password for DOMAIN1 from both 
> secrets.ldb (Could not
> > > find entry to match filter:
> > > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))'
base:
> 'cn=Primary
> > > Domains': No such object: dsdb_search
> > > at ../source4/dsdb/common/util.c:4636) and
> > > from /var/lib/samba/private/secrets.tdb:
> > > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D:
NameErr:
> > > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > > > <>
> > >   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > > line 176, in _run
> > >     return self.run(*args, **kwargs)
> > >   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > > line 661, in run
> > >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > > dns_backend=dns_backend) File
> > > "/usr/lib/python2.7/dist-packages/samba/join.py", line
1474, in
> > > join_DC ctx.do_join()
> > >   File
"/usr/lib/python2.7/dist-packages/samba/join.py",
> line 1375, in
> > > do_join
> > >     ctx.join_add_objects()
> > >   File
"/usr/lib/python2.7/dist-packages/samba/join.py",
> line 631, in
> > > join_add_objects
> > >     ctx.samdb.add(rec)
> >
> > I wonder if it is a dns problem ?
> >
> > can you post the contents of the following files:
> >
> > /etc/resolv.conf
> > /etc/hostname
> > /etc/hosts
> > /etc/krb5.conf
> >
> > 4.7.6 is EOL as far as Samba is concerned, you can find a 
> later version
> > here:
> >
> > http://apt.van-belle.nl/
> >
> > Is bind9 installed, if so can you post the conf files.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> -- 
> James Fowler
> Chief Information Officer
> Association for Diplomatic Studies and Training http://adst.org
> Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Reasonably Related Threads

Search for more seemingly similar threads

samba - May 2019 - Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Reasonably Related Threads