James Fowler
2019-May-02 20:51 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
root at DC2:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# and managed by Zentyal.
#
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 192.168.1.254
#search domain1.domain
/etc/hostname
cat /etc/hostname
DC2
/etc/hosts
root at DC2:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/krb5.conf (and an earlier version)
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
root at DC2:~# cat /etc/krb5.conf.bak
[libdefaults]
default_realm = DOMAIN1.DOMAIN
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no
BIND9 (really long files here - only /etc/bind/named.conf and named.conf.* are shown)
root at DC2:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.local
// Generated by Zentyal
acl "trusted" {
localhost;
localnets;
};
acl "internal-local-nets" {
192.168.1.0/24;
};
zone "domain1.domain." IN {
type master;
file "/etc/bind/db.domain1.domain";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.1.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
root at DC2:/etc/bind#
root at DC2:/etc/bind# cat named.conf.options
options {
sortlist {
{ 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
};
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
//query-source address * port 53;
//transfer-source * port 53;
//notify-source * port 53;
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { internal-local-nets; };
};
logging { category lame-servers { null; }; };
root at DC2:/etc/bind#
On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 May 2019 14:44:18 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > I have read that so many times. I started out with the simple,
> > prompted 'samba-tool domain join' and built up from there.
> >
> > Version is:
> > Samba 4.7.6 from Ubuntu (18.04.2)
> >
> > Interesting what happens when I take out the --site directive (see below).
> >
> > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'
> > --server='DC1' --dns-backend=BIND9_DLZ
--workgroup='DOMAIN1' -d 3
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > Adding
> >
>
CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for DOMAIN1 from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
'cn=Primary
> > Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4636) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > > <>
> > File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> > return self.run(*args, **kwargs)
> > File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > line 661, in run
> > machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474,
in
> > join_DC ctx.do_join()
> > File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 1375, in
> > do_join
> > ctx.join_add_objects()
> > File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 631, in
> > join_add_objects
> > ctx.samdb.add(rec)
>
> I wonder if it is a dns problem ?
>
> can you post the contents of the following files:
>
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
> 4.7.6 is EOL as far as Samba is concerned, you can find a later version
> here:
>
> http://apt.van-belle.nl/
>
> Is bind9 installed, if so can you post the conf files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
Rowland Penny
2019-May-03 07:07 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Thu, 2 May 2019 16:51:02 -0400 James Fowler <fowlerj at adst.org> wrote: See inline comments> root at DC2:~# cat /etc/resolv.conf > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by > resolvconf(8) > # and managed by Zentyal. > # > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE > OVERWRITTEN # > nameserver 192.168.1.254 > #search domain1.domainI would do two things here, the first is 'apt-get purge resolvconf', you do not want anything changing /etc/resolv.conf on a DC. The second is, uncomment the 'search' line. There is also that word 'Zentyal', was/is this computer a Zentyal DC ?> > /etc/hostname > cat /etc/hostname > DC2 > > /etc/hosts > root at DC2:~cat /etc/hosts > 127.0.0.1 localhost.localdomain localhost > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2 > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2 > 192.168.1.254 DC1.DOMAIN1.local DC1 >You should only have the new DC's info in /etc/hosts, anything else should be found by DNS. There is also '127.0.1.1' , is there another DNS server running ? (dnsmasq, netplan etc)> root at DC2:/etc/bind# cat named.conf > include "/etc/bind/named.conf.options"; > include "/etc/bind/keys";You do not need the '/etc/bind/keys' line> > // prime the server with knowledge of the root servers > zone "." { > type hint; > file "/etc/bind/db.root"; > }; > > // be authoritative for the localhost forward and reverse zones, and > for // broadcast zones as per RFC 1912 > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > zone "127.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > };Why is the above in /etc/bind/named.conf ? There should just be an include line like this: include "/etc/bind/named.conf.default-zones";> root at DC2:/etc/bind# cat named.conf.local > // Generated by ZentyalWhy? 
they seem to be making a right mess of it ;-) Mine is just: include "/var/lib/samba/bind-dns/named.conf";> > root at DC2:/etc/bind# cat named.conf.options > > options { > sortlist { > { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };}; > }; > directory "/var/cache/bind"; > auth-nxdomain no; # conform to RFC1035 > > allow-query { any; }; > allow-recursion { trusted; }; > allow-query-cache { trusted; }; > allow-transfer { internal-local-nets; }; > }; > > logging { category lame-servers { null; }; };If that again is managed by Zentyal, well they got some things right, but missed a major thing, this is mine: options { directory "/var/cache/bind"; version "0.0.7"; notify no; empty-zones-enable no; allow-query { 127.0.0.1; 192.168.0.0/24; }; allow-recursion { 192.168.0.0/24; 127.0.0.1/32; }; forwarders { 8.8.8.8; 8.8.4.4; }; allow-transfer { none; }; dnssec-validation no; dnssec-enable no; dnssec-lookaside no; listen-on-v6 { none; }; listen-on port 53 { 192.168.0.6; 127.0.0.1; }; tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; }; From all this, it is clear your DNS is not working as a Samba AD DC would expect. Rowland
James Fowler
2019-May-06 11:06 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline reply. On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Thu, 2 May 2019 16:51:02 -0400 > James Fowler <fowlerj at adst.org> wrote: > > See inline comments > > > root at DC2:~# cat /etc/resolv.conf > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by > > resolvconf(8) > > # and managed by Zentyal. > > # > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE > > OVERWRITTEN # > > nameserver 192.168.1.254 > > #search domain1.domain >I would do two things here, the first is 'apt-get purge resolvconf',> you do not want anything changing /etc/resolv.conf on a DC. >It looks like many packages are set to be dependent on resolvconf that I need on this system. I ended up unlinking it, making the changes you recommended and then setting it to immutable (chattr +i). I also did systemctl disable resolvconf. The second is, uncomment the 'search' line.> > There is also that word 'Zentyal', was/is this computer a Zentyal DC ? >Yes.> > > > > /etc/hostname > > cat /etc/hostname > > DC2 > > > > /etc/hosts > > root at DC2:~cat /etc/hosts > > 127.0.0.1 localhost.localdomain localhost > > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2 > > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver > > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2 > > 192.168.1.254 DC1.DOMAIN1.local DC1 > > > > You should only have the new DC's info in /etc/hosts, anything else > should be found by DNS. There is also '127.0.1.1' , is there another > DNS server running ? (dnsmasq, netplan etc) >Only bind9 is running. The 127.0.1.1 entry comes from a failed attempt to resolve issues. I commented it out. Thank you.> > root at DC2:/etc/bind# cat named.conf > > include "/etc/bind/named.conf.options"; > > include "/etc/bind/keys"; > > You do not need the '/etc/bind/keys' line >removed.> > > > > // prime the server with knowledge of the root servers > > zone "." 
{ > > type hint; > > file "/etc/bind/db.root"; > > }; > > > > // be authoritative for the localhost forward and reverse zones, and > > for // broadcast zones as per RFC 1912 > > > > zone "localhost" { > > type master; > > file "/etc/bind/db.local"; > > }; > > > > zone "127.in-addr.arpa" { > > type master; > > file "/etc/bind/db.127"; > > }; > > > > zone "0.in-addr.arpa" { > > type master; > > file "/etc/bind/db.0"; > > }; > > > > zone "255.in-addr.arpa" { > > type master; > > file "/etc/bind/db.255"; > > }; > > Why is the above in /etc/bind/named.conf ? > There should just be an include line like this: > > include "/etc/bind/named.conf.default-zones"; >When I this added to the end of the named.conf file bind9 wouldn't run and complained: named-checkconf /etc/bind/named.conf.default-zones:2: zone '.': already exists previous definition: /etc/bind/named.conf:5 /etc/bind/named.conf.default-zones:10: zone 'localhost': already exists previous definition: /etc/bind/named.conf:13 /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:18 /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:23 /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:28 Is it a problem to not have it calling named.conf.default-zones? It has the same information repeated in named.conf. Is it better to comment out those entries there and have it called from named.conf.default-zones?> > root at DC2:/etc/bind# cat named.conf.local > > // Generated by Zentyal > > Why? they seem to be making a right mess of it ;-) >Tell me about it! 
It is kind of crazy the proliferation of named.conf files, zones, etc.> > Mine is just: > > include "/var/lib/samba/bind-dns/named.conf"; >Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf path: root at dc2:/etc# ll /var/lib/samba/ total 1412 drwxr-xr-x 8 root root 4096 May 2 09:03 ./ drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../ -rw------- 1 root root 421888 Apr 25 11:42 account_policy.tdb -rw------- 1 root root 696 Apr 25 11:42 group_mapping.tdb drwxr-x--- 2 root ntp 4096 Apr 30 00:14 ntp_signd/ drwxr-xr-x 10 root root 4096 Apr 25 11:39 printers/ drwxr-x--- 5 root bind 4096 May 2 12:50 private/ -rw------- 1 root root 528384 Apr 25 11:42 registry.tdb -rw------- 1 root root 421888 Apr 25 11:42 share_info.tdb drwxrwx---+ 3 root adm 4096 Apr 30 08:19 sysvol/ drwxrwx--T 2 root sambashare 4096 Apr 25 11:42 usershares/ -rw------- 1 root root 32768 May 2 09:03 winbindd_cache.tdb drwxr-x--- 2 root winbindd_priv 4096 Apr 30 00:14 winbindd_privileged/ root at dc2:/etc# ll /var/lib/samba/private/ total 10896 drwxr-x--- 5 root bind 4096 May 2 12:50 ./ drwxr-xr-x 8 root root 4096 May 2 09:03 ../ -rw-r--r-- 1 root root 3663 May 2 12:50 dns_update_list -rw------- 1 root root 1286144 May 2 12:50 hklm.ldb -rw------- 1 root root 1286144 May 2 12:50 idmap.ldb -rw-r--r-- 1 root root 94 May 2 12:50 krb5.conf drwx------ 2 root root 4096 May 2 11:36 msg.sock/ -rw------- 1 root root 8888 May 2 09:03 netlogon_creds_cli.tdb -rw------- 1 root root 1286144 May 2 12:50 privilege.ldb -rw------- 1 root root 4247552 May 2 12:50 sam.ldb drwx------ 2 root root 4096 May 2 12:50 sam.ldb.d/ -rw------- 1 root root 1286144 May 2 12:50 secrets.ldb -rw-rwx--- 1 root bind 430080 May 2 09:03 secrets.tdb* -rw------- 1 root root 1286144 Apr 30 08:19 share.ldb -rw-r--r-- 1 root root 955 May 2 12:50 spn_update_list drwx------ 2 root root 4096 Apr 30 08:19 tls/> > > > root at DC2:/etc/bind# cat named.conf.options > > > > options { > > sortlist { > > { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };}; > 
> }; > > directory "/var/cache/bind"; > > auth-nxdomain no; # conform to RFC1035 > > > > allow-query { any; }; > > allow-recursion { trusted; }; > > allow-query-cache { trusted; }; > > allow-transfer { internal-local-nets; }; > > }; > > > > logging { category lame-servers { null; }; }; > > If that again is managed by Zentyal, well they got some things right, > but missed a major thing, this is mine: > > options { > directory "/var/cache/bind"; > version "0.0.7"; > notify no; > empty-zones-enable no; > allow-query { 127.0.0.1; 192.168.0.0/24; }; > allow-recursion { 192.168.0.0/24; 127.0.0.1/32; }; > forwarders { 8.8.8.8; 8.8.4.4; }; > allow-transfer { none; }; > dnssec-validation no; > dnssec-enable no; > dnssec-lookaside no; > listen-on-v6 { none; }; > listen-on port 53 { 192.168.0.6; 127.0.0.1; }; > > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; > }; > > From all this, it is clear your DNS is not working as a Samba AD DC > would expect. > > Rowland >Thank you Rowland! I replaced my named.conf.options with yours (and made the changes above), restarted bind9 and then tried to join again, but still get the same error: Join failed - cleaning up ldb_wrap open of secrets.ldb Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN Deleted CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED') File 
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC ctx.do_join() File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join ctx.join_replicate() File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC) File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req) Thanks, James> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- James Fowler Association for Diplomatic Studies and Training http://adst.org Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
L.P.H. van Belle
2019-May-06 12:10 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Hai,
In addition to Rowland's last mail.
I see wrong permissions on /var/lib/samba/private
You want : drwxr-xr-x 7 root root 4096 May 6 13:06
private
Missing in bind (named.conf.options):
In options {
empty-zones-enable no;
auth-nxdomain yes; # This server IS authoritative for the AD-DC zones.
// to use the new samba online backup tool, you also need auth-nxdomain yes; //
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; // BEFORE Samba 4.9
//tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // AFTER Samba 4.9.x
// Note: it has been observed that dns.keytab is not moved during the upgrade;
// move it manually.
Add in named.conf.local:
// adding the dlopen ( Bind DLZ ) module for samba
include "/var/lib/samba/private/dns/named.conf"; // BEFORE Samba 4.9
//include "/var/lib/samba/bind-dns/named.conf"; // AFTER Samba 4.9.x
Make sure your resolv.conf has:
nameserver 192.168.1.254
search domain1.domain
Now, what I would do here is either start clean, or stop the needed services and
clean up manually.
Cleanup /var/lib/samba/*
Cleanup /var/cache/samba/*
Check if bind9 is running.
Clean up in the AD: computer name, alias links, etc.
Clean up in AD-DNS, A PTR records.
Don't forget to check the _msdcs zone as well.
Then, when that is done, try to join again.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> James Fowler via samba
> Verzonden: maandag 6 mei 2019 13:07
> Aan: Rowland Penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> Inline reply.
>
> On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Thu, 2 May 2019 16:51:02 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > See inline comments
> >
> > > root at DC2:~# cat /etc/resolv.conf
> > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> > > resolvconf(8)
> > > # and managed by Zentyal.
> > > #
> > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> > > OVERWRITTEN #
> > > nameserver 192.168.1.254
> > > #search domain1.domain
> >
> I would do two things here, the first is 'apt-get purge
resolvconf',
> > you do not want anything changing /etc/resolv.conf on a DC.
> >
>
> It looks like many packages are set to be dependent on
> resolvconf that I
> need on this system. I ended up unlinking it, making the changes you
> recommended and then setting it to immutable (chattr +i). I also did
> systemctl disable resolvconf.
>
> The second is, uncomment the 'search' line.
> >
> > There is also that word 'Zentyal', was/is this computer a
> Zentyal DC ?
> >
> Yes.
>
> >
> > >
> > > /etc/hostname
> > > cat /etc/hostname
> > > DC2
> > >
> > > /etc/hosts
> > > root at DC2:~cat /etc/hosts
> > > 127.0.0.1 localhost.localdomain localhost
> > > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> > > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.254 DC1.DOMAIN1.local DC1
> > >
> >
> > You should only have the new DC's info in /etc/hosts, anything
else
> > should be found by DNS. There is also '127.0.1.1' , is there
another
> > DNS server running ? (dnsmasq, netplan etc)
> >
> Only bind9 is running. The 127.0.1.1 entry comes from a
> failed attempt to
> resolve issues. I commented it out. Thank you.
>
>
> > > root at DC2:/etc/bind# cat named.conf
> > > include "/etc/bind/named.conf.options";
> > > include "/etc/bind/keys";
> >
> > You do not need the '/etc/bind/keys' line
> >
> removed.
>
> >
> > >
> > > // prime the server with knowledge of the root servers
> > > zone "." {
> > > type hint;
> > > file "/etc/bind/db.root";
> > > };
> > >
> > > // be authoritative for the localhost forward and reverse
> zones, and
> > > for // broadcast zones as per RFC 1912
> > >
> > > zone "localhost" {
> > > type master;
> > > file "/etc/bind/db.local";
> > > };
> > >
> > > zone "127.in-addr.arpa" {
> > > type master;
> > > file "/etc/bind/db.127";
> > > };
> > >
> > > zone "0.in-addr.arpa" {
> > > type master;
> > > file "/etc/bind/db.0";
> > > };
> > >
> > > zone "255.in-addr.arpa" {
> > > type master;
> > > file "/etc/bind/db.255";
> > > };
> >
> > Why is the above in /etc/bind/named.conf ?
> > There should just be an include line like this:
> >
> > include "/etc/bind/named.conf.default-zones";
> >
> When I this added to the end of the named.conf file bind9
> wouldn't run and
> complained:
> named-checkconf
> /etc/bind/named.conf.default-zones:2: zone '.': already
> exists previous
> definition: /etc/bind/named.conf:5
> /etc/bind/named.conf.default-zones:10: zone 'localhost':
> already exists
> previous definition: /etc/bind/named.conf:13
> /etc/bind/named.conf.default-zones:15: zone
> '127.in-addr.arpa': already
> exists previous definition: /etc/bind/named.conf:18
> /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa':
already
> exists previous definition: /etc/bind/named.conf:23
> /etc/bind/named.conf.default-zones:25: zone
> '255.in-addr.arpa': already
> exists previous definition: /etc/bind/named.conf:28
>
> Is it a problem to not have it calling
> named.conf.default-zones? It has
> the same information repeated in named.conf. Is it better to
> comment out
> those entries there and have it called from named.conf.default-zones?
>
>
> > > root at DC2:/etc/bind# cat named.conf.local
> > > // Generated by Zentyal
> >
> > Why? they seem to be making a right mess of it ;-)
> >
> Tell me about it! It is kind of crazy the proliferation of
> named.conf
> files, zones, etc.
>
> >
> > Mine is just:
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >
>
> Presently, I have nothing in the
> /var/lib/samba/bind-dns/named.conf path:
> root at dc2:/etc# ll /var/lib/samba/
> total 1412
> drwxr-xr-x 8 root root 4096 May 2 09:03 ./
> drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../
> -rw------- 1 root root 421888 Apr 25 11:42
> account_policy.tdb
> -rw------- 1 root root 696 Apr 25 11:42
> group_mapping.tdb
> drwxr-x--- 2 root ntp 4096 Apr 30 00:14 ntp_signd/
> drwxr-xr-x 10 root root 4096 Apr 25 11:39 printers/
> drwxr-x--- 5 root bind 4096 May 2 12:50 private/
> -rw------- 1 root root 528384 Apr 25 11:42 registry.tdb
> -rw------- 1 root root 421888 Apr 25 11:42 share_info.tdb
> drwxrwx---+ 3 root adm 4096 Apr 30 08:19 sysvol/
> drwxrwx--T 2 root sambashare 4096 Apr 25 11:42 usershares/
> -rw------- 1 root root 32768 May 2 09:03
> winbindd_cache.tdb
> drwxr-x--- 2 root winbindd_priv 4096 Apr 30 00:14
> winbindd_privileged/
>
> root at dc2:/etc# ll /var/lib/samba/private/
> total 10896
> drwxr-x--- 5 root bind 4096 May 2 12:50 ./
> drwxr-xr-x 8 root root 4096 May 2 09:03 ../
> -rw-r--r-- 1 root root 3663 May 2 12:50 dns_update_list
> -rw------- 1 root root 1286144 May 2 12:50 hklm.ldb
> -rw------- 1 root root 1286144 May 2 12:50 idmap.ldb
> -rw-r--r-- 1 root root 94 May 2 12:50 krb5.conf
> drwx------ 2 root root 4096 May 2 11:36 msg.sock/
> -rw------- 1 root root 8888 May 2 09:03 netlogon_creds_cli.tdb
> -rw------- 1 root root 1286144 May 2 12:50 privilege.ldb
> -rw------- 1 root root 4247552 May 2 12:50 sam.ldb
> drwx------ 2 root root 4096 May 2 12:50 sam.ldb.d/
> -rw------- 1 root root 1286144 May 2 12:50 secrets.ldb
> -rw-rwx--- 1 root bind 430080 May 2 09:03 secrets.tdb*
> -rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
> -rw-r--r-- 1 root root 955 May 2 12:50 spn_update_list
> drwx------ 2 root root 4096 Apr 30 08:19 tls/
>
>
> > >
> > > root at DC2:/etc/bind# cat named.conf.options
> > >
> > > options {
> > > sortlist {
> > > { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> > > };
> > > directory "/var/cache/bind";
> > > auth-nxdomain no; # conform to RFC1035
> > >
> > > allow-query { any; };
> > > allow-recursion { trusted; };
> > > allow-query-cache { trusted; };
> > > allow-transfer { internal-local-nets; };
> > > };
> > >
> > > logging { category lame-servers { null; }; };
> >
> > If that again is managed by Zentyal, well they got some
> things right,
> > but missed a major thing, this is mine:
> >
> > options {
> > directory "/var/cache/bind";
> > version "0.0.7";
> > notify no;
> > empty-zones-enable no;
> > allow-query { 127.0.0.1; 192.168.0.0/24; };
> > allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
> > forwarders { 8.8.8.8; 8.8.4.4; };
> > allow-transfer { none; };
> > dnssec-validation no;
> > dnssec-enable no;
> > dnssec-lookaside no;
> > listen-on-v6 { none; };
> > listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> >
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > };
> >
> > From all this, it is clear your DNS is not working as a Samba AD DC
> > would expect.
> >
> > Rowland
> >
> Thank you Rowland!
>
> I replaced my named.conf.options with yours (and made the
> changes above),
> restarted bind9 and then tried to join again, but still get
> the same error:
>
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to
> fetch machine
> account password for DOMAIN1 from both secrets.ldb (Could not
> find entry to
> match filter:
'(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4636) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
> Deleted CN=NTDS
> Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=C
> onfiguration,DC=DOMAIN1,DC=DOMAIN
> Deleted
> CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configurat
> ion,DC=DOMAIN1,DC=DOMAIN
> ERROR(runtime): uncaught exception - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661,
> in run
> machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1474, in
> join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
1377, in
> do_join
> ctx.join_replicate()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
961, in
> join_replicate
> exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py",
> line 291, in
> replicate
> (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
> req_level, req)
>
> Thanks,
>
> James
>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> James Fowler
> Association for Diplomatic Studies and Training http://adst.org
> Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>