James Fowler
2019-May-06 11:06 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline reply.

On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 16:51:02 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > See inline comments
> >
> > root at DC2:~# cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > # and managed by Zentyal.
> > #
> > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > #
> > nameserver 192.168.1.254
> > #search domain1.domain
>
> I would do two things here, the first is 'apt-get purge resolvconf',
> you do not want anything changing /etc/resolv.conf on a DC.

It looks like many packages are set to be dependent on resolvconf that I need on this system. I ended up unlinking it, making the changes you recommended and then setting it to immutable (chattr +i). I also did systemctl disable resolvconf.

The second is, uncomment the 'search' line.

> There is also that word 'Zentyal', was/is this computer a Zentyal DC ?

Yes.

> > /etc/hostname
> > cat /etc/hostname
> > DC2
> >
> > /etc/hosts
> > root at DC2:~cat /etc/hosts
> > 127.0.0.1 localhost.localdomain localhost
> > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> > 192.168.1.254 DC1.DOMAIN1.local DC1
>
> You should only have the new DC's info in /etc/hosts, anything else
> should be found by DNS. There is also '127.0.1.1', is there another
> DNS server running ? (dnsmasq, netplan etc)

Only bind9 is running. The 127.0.1.1 entry comes from a failed attempt to resolve issues. I commented it out. Thank you.

> > root at DC2:/etc/bind# cat named.conf
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/keys";
>
> You do not need the '/etc/bind/keys' line

Removed.

> > // prime the server with knowledge of the root servers
> > zone "." {
> >     type hint;
> >     file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> >     type master;
> >     file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.255";
> > };
>
> Why is the above in /etc/bind/named.conf ?
> There should just be an include line like this:
>
> include "/etc/bind/named.conf.default-zones";

When I added this to the end of the named.conf file bind9 wouldn't run and complained:

named-checkconf
/etc/bind/named.conf.default-zones:2: zone '.': already exists
previous definition: /etc/bind/named.conf:5
/etc/bind/named.conf.default-zones:10: zone 'localhost': already exists
previous definition: /etc/bind/named.conf:13
/etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists
previous definition: /etc/bind/named.conf:18
/etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists
previous definition: /etc/bind/named.conf:23
/etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists
previous definition: /etc/bind/named.conf:28

Is it a problem to not have it calling named.conf.default-zones? It has the same information repeated in named.conf. Is it better to comment out those entries there and have it called from named.conf.default-zones?

> > root at DC2:/etc/bind# cat named.conf.local
> > // Generated by Zentyal
>
> Why? they seem to be making a right mess of it ;-)

Tell me about it! It is kind of crazy the proliferation of named.conf files, zones, etc.

> Mine is just:
>
> include "/var/lib/samba/bind-dns/named.conf";

Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf path:

root at dc2:/etc# ll /var/lib/samba/
total 1412
drwxr-xr-x 8 root root 4096 May 2 09:03 ./
drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../
-rw------- 1 root root 421888 Apr 25 11:42 account_policy.tdb
-rw------- 1 root root 696 Apr 25 11:42 group_mapping.tdb
drwxr-x--- 2 root ntp 4096 Apr 30 00:14 ntp_signd/
drwxr-xr-x 10 root root 4096 Apr 25 11:39 printers/
drwxr-x--- 5 root bind 4096 May 2 12:50 private/
-rw------- 1 root root 528384 Apr 25 11:42 registry.tdb
-rw------- 1 root root 421888 Apr 25 11:42 share_info.tdb
drwxrwx---+ 3 root adm 4096 Apr 30 08:19 sysvol/
drwxrwx--T 2 root sambashare 4096 Apr 25 11:42 usershares/
-rw------- 1 root root 32768 May 2 09:03 winbindd_cache.tdb
drwxr-x--- 2 root winbindd_priv 4096 Apr 30 00:14 winbindd_privileged/

root at dc2:/etc# ll /var/lib/samba/private/
total 10896
drwxr-x--- 5 root bind 4096 May 2 12:50 ./
drwxr-xr-x 8 root root 4096 May 2 09:03 ../
-rw-r--r-- 1 root root 3663 May 2 12:50 dns_update_list
-rw------- 1 root root 1286144 May 2 12:50 hklm.ldb
-rw------- 1 root root 1286144 May 2 12:50 idmap.ldb
-rw-r--r-- 1 root root 94 May 2 12:50 krb5.conf
drwx------ 2 root root 4096 May 2 11:36 msg.sock/
-rw------- 1 root root 8888 May 2 09:03 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 May 2 12:50 privilege.ldb
-rw------- 1 root root 4247552 May 2 12:50 sam.ldb
drwx------ 2 root root 4096 May 2 12:50 sam.ldb.d/
-rw------- 1 root root 1286144 May 2 12:50 secrets.ldb
-rw-rwx--- 1 root bind 430080 May 2 09:03 secrets.tdb*
-rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
-rw-r--r-- 1 root root 955 May 2 12:50 spn_update_list
drwx------ 2 root root 4096 Apr 30 08:19 tls/

> > root at DC2:/etc/bind# cat named.conf.options
> >
> > options {
> >     sortlist {
> >         { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> >     };
> >     directory "/var/cache/bind";
> >     auth-nxdomain no; # conform to RFC1035
> >
> >     allow-query { any; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >     allow-transfer { internal-local-nets; };
> > };
> >
> > logging { category lame-servers { null; }; };
>
> If that again is managed by Zentyal, well they got some things right,
> but missed a major thing, this is mine:
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>     notify no;
>     empty-zones-enable no;
>     allow-query { 127.0.0.1; 192.168.0.0/24; };
>     allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> From all this, it is clear your DNS is not working as a Samba AD DC
> would expect.
>
> Rowland

Thank you Rowland! I replaced my named.conf.options with yours (and made the changes above), restarted bind9 and then tried to join again, but still get the same error:

Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Deleted CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Thanks,
James

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
James Fowler
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
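A self-contained pre-join check for the three DNS problems Rowland points out in the message above (the 'search' line still commented in /etc/resolv.conf, foreign hosts and a 127.0.1.1 alias in /etc/hosts, and zones defined both in named.conf and in named.conf.default-zones), added here as example code that is not from the thread or from Samba. It builds constructed copies of James's files in a temp directory; the function names (resolv_ok, hosts_extra, dup_zones) are mine, and on a real DC you would point them at /etc/resolv.conf, /etc/hosts and /etc/bind/*.conf instead.

```shell
#!/bin/sh
# Added example, not from the thread: pre-join DNS sanity checks for a Samba AD
# DC, exercised on constructed copies of the files posted above.

tmp=$(mktemp -d)

# Constructed /etc/resolv.conf as posted: the 'search' line is still commented.
printf 'nameserver 192.168.1.254\n#search domain1.domain\n' > "$tmp/resolv.conf"
# The same file with the search line active, as Rowland recommends.
printf 'nameserver 192.168.1.254\nsearch domain1.domain\n' > "$tmp/resolv.fixed"

# Constructed /etc/hosts as posted: other hosts plus a 127.0.1.1 alias for the DC.
cat > "$tmp/hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1
EOF

# Constructed named.conf that both defines default zones itself and includes
# named.conf.default-zones, which is the layout named-checkconf rejected.
cat > "$tmp/named.conf" <<'EOF'
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
include "/etc/bind/named.conf.default-zones";
EOF
cat > "$tmp/named.conf.default-zones" <<'EOF'
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
EOF

# Succeeds only when a nameserver is set and the search line is not commented.
resolv_ok() {
    grep -q '^nameserver ' "$1" && grep -q '^search ' "$1"
}

# Prints every /etc/hosts line other than plain localhost and the DC's own
# routable address ($2 is the DC's FQDN), and fails if any exist. A 127.0.1.1
# alias for the DC is reported too: it makes the DC resolve itself to loopback.
hosts_extra() {
    awk -v fqdn="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "127.0.0.1" && $2 ~ /^localhost/ { next }
        $1 !~ /^127\./ && $2 == fqdn { next }
        { print; bad = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Prints zone names declared more than once across the given config files;
# each name listed is a "zone ... already exists" error waiting to happen.
dup_zones() {
    cat "$@" | sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' | sort | uniq -d
}

resolv_ok "$tmp/resolv.conf" || echo "resolv.conf: search line missing or commented"
hosts_extra "$tmp/hosts" DC2.DOMAIN1.DOMAIN || echo "hosts: remove the lines above"
dup_zones "$tmp/named.conf" "$tmp/named.conf.default-zones"
```

Once the three checks are quiet, named-checkconf and the join attempt are worth repeating; the checks say nothing about the replication error itself.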
Rowland Penny
2019-May-06 11:25 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Mon, 6 May 2019 07:06:42 -0400
James Fowler <fowlerj at adst.org> wrote:

> Inline reply.
>
> On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2 May 2019 16:51:02 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > > See inline comments
> > >
> > > root at DC2:~# cat /etc/resolv.conf
> > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > > # and managed by Zentyal.
> > > #
> > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > > #
> > > nameserver 192.168.1.254
> > > #search domain1.domain
> >
> > I would do two things here, the first is 'apt-get purge resolvconf',
> > you do not want anything changing /etc/resolv.conf on a DC.
>
> It looks like many packages are set to be dependent on resolvconf that I need on this system. I ended up unlinking it, making the changes you recommended and then setting it to immutable (chattr +i). I also did systemctl disable resolvconf.
>
> The second is, uncomment the 'search' line.
>
> > There is also that word 'Zentyal', was/is this computer a Zentyal DC ?
>
> Yes.

Which, is it a DC, or was it a DC?

If the former then you cannot join it to another DC, if it was a DC, then you need to remove all traces of the old DC.

> > > /etc/hostname
> > > cat /etc/hostname
> > > DC2
> > >
> > > /etc/hosts
> > > root at DC2:~cat /etc/hosts
> > > 127.0.0.1 localhost.localdomain localhost
> > > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> > > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.254 DC1.DOMAIN1.local DC1
> >
> > You should only have the new DC's info in /etc/hosts, anything else
> > should be found by DNS. There is also '127.0.1.1', is there another
> > DNS server running ? (dnsmasq, netplan etc)
>
> Only bind9 is running. The 127.0.1.1 entry comes from a failed attempt to resolve issues. I commented it out. Thank you.
>
> > > root at DC2:/etc/bind# cat named.conf
> > > include "/etc/bind/named.conf.options";
> > > include "/etc/bind/keys";
> >
> > You do not need the '/etc/bind/keys' line
>
> Removed.
>
> > > // prime the server with knowledge of the root servers
> > > zone "." {
> > >     type hint;
> > >     file "/etc/bind/db.root";
> > > };
> > >
> > > // be authoritative for the localhost forward and reverse zones, and for
> > > // broadcast zones as per RFC 1912
> > >
> > > zone "localhost" {
> > >     type master;
> > >     file "/etc/bind/db.local";
> > > };
> > >
> > > zone "127.in-addr.arpa" {
> > >     type master;
> > >     file "/etc/bind/db.127";
> > > };
> > >
> > > zone "0.in-addr.arpa" {
> > >     type master;
> > >     file "/etc/bind/db.0";
> > > };
> > >
> > > zone "255.in-addr.arpa" {
> > >     type master;
> > >     file "/etc/bind/db.255";
> > > };
> >
> > Why is the above in /etc/bind/named.conf ?
> > There should just be an include line like this:
> >
> > include "/etc/bind/named.conf.default-zones";
>
> When I added this to the end of the named.conf file bind9 wouldn't run and complained:
>
> named-checkconf
> /etc/bind/named.conf.default-zones:2: zone '.': already exists
> previous definition: /etc/bind/named.conf:5
> /etc/bind/named.conf.default-zones:10: zone 'localhost': already exists
> previous definition: /etc/bind/named.conf:13
> /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists
> previous definition: /etc/bind/named.conf:18
> /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists
> previous definition: /etc/bind/named.conf:23
> /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists
> previous definition: /etc/bind/named.conf:28
>
> Is it a problem to not have it calling named.conf.default-zones? It has the same information repeated in named.conf. Is it better to comment out those entries there and have it called from named.conf.default-zones?

That is what I meant, remove the data from where it shouldn't be and include it with the suggested line. Your way may work, but I know my way works.

> > > root at DC2:/etc/bind# cat named.conf.local
> > > // Generated by Zentyal
> >
> > Why? they seem to be making a right mess of it ;-)
>
> Tell me about it! It is kind of crazy the proliferation of named.conf files, zones, etc.
>
> > Mine is just:
> >
> > include "/var/lib/samba/bind-dns/named.conf";
>
> Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf

Ah you wouldn't have, the path changed, yours would be:

/var/lib/samba/private/named.conf

> I replaced my named.conf.options with yours (and made the changes above), restarted bind9 and then tried to join again, but still get the same error:

I am beginning to think you are trying to join an existing DC to another existing DC, if so, this isn't allowed.

Rowland
James Fowler
2019-May-06 13:32 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline reply.

On Mon, May 6, 2019 at 7:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 07:06:42 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 May 2019 16:51:02 -0400
> > > James Fowler <fowlerj at adst.org> wrote:
> > >
> > > > See inline comments
> > > >
> > > > root at DC2:~# cat /etc/resolv.conf
> > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > > > # and managed by Zentyal.
> > > > #
> > > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > > > #
> > > > nameserver 192.168.1.254
> > > > #search domain1.domain
> > >
> > > I would do two things here, the first is 'apt-get purge resolvconf',
> > > you do not want anything changing /etc/resolv.conf on a DC.
> >
> > It looks like many packages are set to be dependent on resolvconf that I need on this system. I ended up unlinking it, making the changes you recommended and then setting it to immutable (chattr +i). I also did systemctl disable resolvconf.
> >
> > The second is, uncomment the 'search' line.
> >
> > > There is also that word 'Zentyal', was/is this computer a Zentyal DC ?
> >
> > Yes.
>
> Which, is it a DC, or was it a DC?

It has never been a DC. I even wiped the machine (again) at one point just to eliminate possible contamination.

> If the former then you cannot join it to another DC, if it was a DC,
> then you need to remove all traces of the old DC.

It has never been a DC. I've been trying to get it to become a DC.

> > > > /etc/hostname
> > > > cat /etc/hostname
> > > > DC2
> > > >
> > > > /etc/hosts
> > > > root at DC2:~cat /etc/hosts
> > > > 127.0.0.1 localhost.localdomain localhost
> > > > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> > > > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.254 DC1.DOMAIN1.local DC1
> > >
> > > You should only have the new DC's info in /etc/hosts, anything else
> > > should be found by DNS. There is also '127.0.1.1', is there another
> > > DNS server running ? (dnsmasq, netplan etc)
> >
> > Only bind9 is running. The 127.0.1.1 entry comes from a failed attempt to resolve issues. I commented it out. Thank you.
> >
> > > > root at DC2:/etc/bind# cat named.conf
> > > > include "/etc/bind/named.conf.options";
> > > > include "/etc/bind/keys";
> > >
> > > You do not need the '/etc/bind/keys' line
> >
> > Removed.
> >
> > > > // prime the server with knowledge of the root servers
> > > > zone "." {
> > > >     type hint;
> > > >     file "/etc/bind/db.root";
> > > > };
> > > >
> > > > // be authoritative for the localhost forward and reverse zones, and for
> > > > // broadcast zones as per RFC 1912
> > > >
> > > > zone "localhost" {
> > > >     type master;
> > > >     file "/etc/bind/db.local";
> > > > };
> > > >
> > > > zone "127.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.127";
> > > > };
> > > >
> > > > zone "0.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.0";
> > > > };
> > > >
> > > > zone "255.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.255";
> > > > };
> > >
> > > Why is the above in /etc/bind/named.conf ?
> > > There should just be an include line like this:
> > >
> > > include "/etc/bind/named.conf.default-zones";
> >
> > When I added this to the end of the named.conf file bind9 wouldn't run and complained:
> >
> > named-checkconf
> > /etc/bind/named.conf.default-zones:2: zone '.': already exists
> > previous definition: /etc/bind/named.conf:5
> > /etc/bind/named.conf.default-zones:10: zone 'localhost': already exists
> > previous definition: /etc/bind/named.conf:13
> > /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:18
> > /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:23
> > /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:28
> >
> > Is it a problem to not have it calling named.conf.default-zones? It has the same information repeated in named.conf. Is it better to comment out those entries there and have it called from named.conf.default-zones?
>
> That is what I meant, remove the data from where it shouldn't be and
> include it with the suggested line. Your way may work, but I know my
> way works.

I made the change to exactly reflect your recommended settings.

> > > > root at DC2:/etc/bind# cat named.conf.local
> > > > // Generated by Zentyal
> > >
> > > Why? they seem to be making a right mess of it ;-)
> >
> > Tell me about it! It is kind of crazy the proliferation of named.conf files, zones, etc.
> >
> > > Mine is just:
> > >
> > > include "/var/lib/samba/bind-dns/named.conf";
> >
> > Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf
>
> Ah you wouldn't have, the path changed, yours would be:
>
> /var/lib/samba/private/named.conf

I don't have anything like that in that path:

ll /var/lib/samba/private/
total 10896
drwxr-x--- 5 root bind 4096 May 6 07:41 ./
drwxr-xr-x 8 root root 4096 May 2 09:03 ../
-rw-r--r-- 1 root root 3663 May 6 07:41 dns_update_list
-rw------- 1 root root 1286144 May 6 07:41 hklm.ldb
-rw------- 1 root root 1286144 May 6 07:41 idmap.ldb
-rw-r--r-- 1 root root 94 May 6 07:41 krb5.conf
drwx------ 2 root root 4096 May 2 11:36 msg.sock/
-rw------- 1 root root 8888 May 2 09:03 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 May 6 07:41 privilege.ldb
-rw------- 1 root root 4247552 May 6 07:41 sam.ldb
drwx------ 2 root root 4096 May 6 07:41 sam.ldb.d/
-rw------- 1 root root 1286144 May 6 07:41 secrets.ldb
-rw-rwx--- 1 root bind 430080 May 2 09:03 secrets.tdb*
-rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
-rw-r--r-- 1 root root 955 May 6 07:41 spn_update_list
drwx------ 2 root root 4096 Apr 30 08:19 tls/

> > I replaced my named.conf.options with yours (and made the changes above), restarted bind9 and then tried to join again, but still get the same error:
>
> I am beginning to think you are trying to join an existing DC to
> another existing DC, if so, this isn't allowed.

Really, I'm not. Is there an additional purge command, etc. that will ensure this is not happening? Really, I'm trying to create this samba server and add it to an existing AD/domain as a new DC.

> Rowland

Thanks,
James

--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy