James Fowler
2019-May-06 13:32 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline reply.

On Mon, May 6, 2019 at 7:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 07:06:42 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 May 2019 16:51:02 -0400
> > > James Fowler <fowlerj at adst.org> wrote:
> > >
> > > See inline comments
> > >
> > > > root at DC2:~# cat /etc/resolv.conf
> > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > > > # and managed by Zentyal.
> > > > #
> > > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > > > #
> > > > nameserver 192.168.1.254
> > > > #search domain1.domain
> > >
> > > I would do two things here, the first is 'apt-get purge resolvconf',
> > > you do not want anything changing /etc/resolv.conf on a DC.
> >
> > It looks like many packages are set to be dependent on resolvconf
> > that I need on this system. I ended up unlinking it, making the
> > changes you recommended and then setting it to immutable (chattr +i).
> > I also did systemctl disable resolvconf.
> >
> > > The second is, uncomment the 'search' line.
> > >
> > > There is also that word 'Zentyal', was/is this computer a Zentyal
> > > DC ?
> >
> > Yes.
>
> Which, is it a DC, or was it a DC

It has never been a DC. I even wiped the machine (again) at one point just to eliminate possible contamination.

> If the former then you cannot join it to another DC, if it was a DC,
> then you need to remove all traces of the old DC.

It has never been a DC. I've been trying to get it to become a DC.

> > > > /etc/hostname
> > > > cat /etc/hostname
> > > > DC2
> > > >
> > > > /etc/hosts
> > > > root at DC2:~cat /etc/hosts
> > > > 127.0.0.1 localhost.localdomain localhost
> > > > 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> > > > 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.254 DC1.DOMAIN1.local DC1
> > >
> > > You should only have the new DC's info in /etc/hosts, anything else
> > > should be found by DNS. There is also '127.0.1.1' , is there another
> > > DNS server running ? (dnsmasq, netplan etc)
> >
> > Only bind9 is running. The 127.0.1.1 entry comes from a failed
> > attempt to resolve issues. I commented it out. Thank you.
> >
> > > > root at DC2:/etc/bind# cat named.conf
> > > > include "/etc/bind/named.conf.options";
> > > > include "/etc/bind/keys";
> > >
> > > You do not need the '/etc/bind/keys' line
> >
> > removed.
> >
> > > > // prime the server with knowledge of the root servers
> > > > zone "." {
> > > >     type hint;
> > > >     file "/etc/bind/db.root";
> > > > };
> > > >
> > > > // be authoritative for the localhost forward and reverse zones, and for
> > > > // broadcast zones as per RFC 1912
> > > >
> > > > zone "localhost" {
> > > >     type master;
> > > >     file "/etc/bind/db.local";
> > > > };
> > > >
> > > > zone "127.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.127";
> > > > };
> > > >
> > > > zone "0.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.0";
> > > > };
> > > >
> > > > zone "255.in-addr.arpa" {
> > > >     type master;
> > > >     file "/etc/bind/db.255";
> > > > };
> > >
> > > Why is the above in /etc/bind/named.conf ?
> > > There should just be an include line like this:
> > >
> > > include "/etc/bind/named.conf.default-zones";
> >
> > When I added this to the end of the named.conf file bind9 wouldn't
> > run and complained:
> >
> > named-checkconf
> > /etc/bind/named.conf.default-zones:2: zone '.': already exists
> > previous definition: /etc/bind/named.conf:5
> > /etc/bind/named.conf.default-zones:10: zone 'localhost': already exists
> > previous definition: /etc/bind/named.conf:13
> > /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:18
> > /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:23
> > /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists
> > previous definition: /etc/bind/named.conf:28
> >
> > Is it a problem to not have it calling named.conf.default-zones? It
> > has the same information repeated in named.conf. Is it better to
> > comment out those entries there and have it called from
> > named.conf.default-zones?
>
> That is what I meant, remove the data from where it shouldn't be and
> include it with the suggested line. Your way may work, but I know my
> way works.

I made the change to exactly reflect your recommended settings.

> > > > root at DC2:/etc/bind# cat named.conf.local
> > > > // Generated by Zentyal
> > >
> > > Why? they seem to be making a right mess of it ;-)
> >
> > Tell me about it! It is kind of crazy the proliferation of
> > named.conf files, zones, etc.
> >
> > > Mine is just:
> > >
> > > include "/var/lib/samba/bind-dns/named.conf";
> >
> > Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf
>
> Ah you wouldn't have, the path changed, yours would be:
>
> /var/lib/samba/private/named.conf

I don't have anything like that in that path:

ll /var/lib/samba/private/
total 10896
drwxr-x--- 5 root bind    4096 May  6 07:41 ./
drwxr-xr-x 8 root root    4096 May  2 09:03 ../
-rw-r--r-- 1 root root    3663 May  6 07:41 dns_update_list
-rw------- 1 root root 1286144 May  6 07:41 hklm.ldb
-rw------- 1 root root 1286144 May  6 07:41 idmap.ldb
-rw-r--r-- 1 root root      94 May  6 07:41 krb5.conf
drwx------ 2 root root    4096 May  2 11:36 msg.sock/
-rw------- 1 root root    8888 May  2 09:03 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 May  6 07:41 privilege.ldb
-rw------- 1 root root 4247552 May  6 07:41 sam.ldb
drwx------ 2 root root    4096 May  6 07:41 sam.ldb.d/
-rw------- 1 root root 1286144 May  6 07:41 secrets.ldb
-rw-rwx--- 1 root bind  430080 May  2 09:03 secrets.tdb*
-rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
-rw-r--r-- 1 root root     955 May  6 07:41 spn_update_list
drwx------ 2 root root    4096 Apr 30 08:19 tls/

> > I replaced my named.conf.options with yours (and made the changes
> > above), restarted bind9 and then tried to join again, but still get
> > the same error:
>
> I am beginning to think you are trying to join an existing DC to
> another existing DC, if so, this isn't allowed.

Really, I'm not. Is there an additional purge command, etc. that will ensure this is not happening?

Really, I'm trying to create this samba server and add it to an existing AD/domain as a new DC.

> Rowland

Thanks, James

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
Rowland Penny
2019-May-06 13:57 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
On Mon, 6 May 2019 09:32:45 -0400
James Fowler <fowlerj at adst.org> wrote:

> Inline reply.
>
> > > > There is also that word 'Zentyal', was/is this computer a
> > > > Zentyal DC ?
> > >
> > > Yes.
> >
> > Which, is it a DC, or was it a DC
>
> It has never been a DC. I even wiped the machine (again) at one
> point just to eliminate possible contamination

I asked about 'Zentyal' and was/if this was a DC, you answered 'Yes'.
I asked which, now you say it has never been a DC, so where did
'Zentyal' come from ?

> > If the former then you cannot join it to another DC, if it was a DC,
> > then you need to remove all traces of the old DC.
>
> It has never been a DC. I've been trying to get it to become a DC

I believe you.

> I made the change to exactly reflect your recommended settings.
>
> > > > > root at DC2:/etc/bind# cat named.conf.local
> > > > > // Generated by Zentyal
> > > >
> > > > Why? they seem to be making a right mess of it ;-)
> > >
> > > Tell me about it! It is kind of crazy the proliferation of
> > > named.conf files, zones, etc.

There is that word 'Zentyal' again, where is it coming from ?

> > > > Mine is just:
> > > >
> > > > include "/var/lib/samba/bind-dns/named.conf";
> > >
> > > Presently, I have nothing in
> > > the /var/lib/samba/bind-dns/named.conf
> >
> > Ah you wouldn't have, the path changed, yours would be:
> >
> > /var/lib/samba/private/named.conf
>
> I don't have anything like that in that path:

Mine is in /var/lib/samba/bind-dns , but I am using 4.9.6 and the path
changed recently, but it should be in /var/lib/samba/??? , so try
looking for it. If it isn't there, bind9 wasn't installed when you
provisioned and/or you didn't provision with '--dns-backend=BIND9_DLZ' ,
or you need to run 'samba_upgradedns'

Rowland
James Fowler
2019-May-06 14:39 UTC
[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Inline.

On Mon, May 6, 2019 at 9:58 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 09:32:45 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > > > > There is also that word 'Zentyal', was/is this computer a
> > > > > Zentyal DC ?
> > > >
> > > > Yes.
> > >
> > > Which, is it a DC, or was it a DC
> >
> > It has never been a DC. I even wiped the machine (again) at one
> > point just to eliminate possible contamination
>
> I asked about 'Zentyal' and was/if this was a DC, you answered 'Yes'.
> I asked which, now you say it has never been a DC, so where did
> 'Zentyal' come from ?

Yes, this is Zentyal (https://zentyal.com/community/) which is the present incarnation of Ebox, built on Ubuntu (in this case 18.04). It aims to more or less make a turn-key appliance that includes the possibility of including various services (mail, firewall, Samba, etc.). That's where it comes from. Sorry for the confusion. I didn't want to obscure the fact that Zentyal was generating configurations for various services.

> > > If the former then you cannot join it to another DC, if it was a DC,
> > > then you need to remove all traces of the old DC.
> >
> > It has never been a DC. I've been trying to get it to become a DC
>
> I believe you.

Thank you. :)

> > I made the change to exactly reflect your recommended settings.
> >
> > > > > > root at DC2:/etc/bind# cat named.conf.local
> > > > > > // Generated by Zentyal
> > > > >
> > > > > Why? they seem to be making a right mess of it ;-)
> > > >
> > > > Tell me about it! It is kind of crazy the proliferation of
> > > > named.conf files, zones, etc.
>
> There is that word 'Zentyal' again, where is it coming from ?

See above or https://zentyal.com/community/

> > > > > Mine is just:
> > > > >
> > > > > include "/var/lib/samba/bind-dns/named.conf";
> > > >
> > > > Presently, I have nothing in
> > > > the /var/lib/samba/bind-dns/named.conf
> > >
> > > Ah you wouldn't have, the path changed, yours would be:
> > >
> > > /var/lib/samba/private/named.conf
> >
> > I don't have anything like that in that path:
>
> Mine is in /var/lib/samba/bind-dns , but I am using 4.9.6 and the path
> changed recently, but it should be in /var/lib/samba/??? , so try
> looking for it. If it isn't there, bind9 wasn't installed when you
> provisioned and/or you didn't provision with
> '--dns-backend=BIND9_DLZ' , or you need to run 'samba_upgradedns'

It could be that Zentyal moved it. If so, they don't reference it or call it in any of the other bind9 config files. The provisioning command (originally taken from the one generated by Zentyal) is:

samba-tool domain join domain1.domain DC --username='EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN' --site='Default-First-Site' --server='existingdc1' --dns-backend=BIND9_DLZ --workgroup='domain1' -d 3

After attempting to join the following are created (that I know of - except for /var/lib/samba/private/dns):

/var/lib/samba/:
total 16
drwxr-xr-x  4 root root 4096 May  6 10:03 ./
drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../
drwxr-xr-x  5 root root 4096 May  6 10:07 private/
drwxr-xr-x  3 root root 4096 May  6 10:03 sysvol/

/var/lib/samba/private/:
total 10468
drwxr-xr-x 5 root root    4096 May  6 10:07 ./
drwxr-xr-x 4 root root    4096 May  6 10:03 ../
drwxr-xr-x 2 root root    4096 May  6 10:06 dns/
-rw-r--r-- 1 root root    3663 May  6 10:07 dns_update_list
-rw------- 1 root root 1286144 May  6 10:07 hklm.ldb
-rw------- 1 root root 1286144 May  6 10:07 idmap.ldb
-rw-r--r-- 1 root root      94 May  6 10:07 krb5.conf
-rw------- 1 root root 1286144 May  6 10:07 privilege.ldb
-rw------- 1 root root 4247552 May  6 10:07 sam.ldb
drwx------ 2 root root    4096 May  6 10:07 sam.ldb.d/
-rw------- 1 root root 1286144 May  6 10:07 secrets.ldb
-rw------- 1 root root     696 May  6 10:03 secrets.tdb
-rw------- 1 root root 1286144 May  6 10:03 share.ldb
-rw-r--r-- 1 root root     955 May  6 10:07 spn_update_list
drwx------ 2 root root    4096 May  6 10:03 tls/

Thanks, James

> Rowland

--
James Fowler
Association for Diplomatic Studies and Training
http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
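Added example, not code from the thread, from Samba or from Zentyal: a POSIX shell script that checks, before running 'samba-tool domain join ... --dns-backend=BIND9_DLZ', the four things Rowland's replies in this thread turn on: a resolv.conf with a single nameserver and an active 'search' line, a hosts file holding only the new DC's own entry (no 127.0.1.1 alias, no other DCs), a named.conf that includes named.conf.default-zones instead of redefining those zones, and the presence of Samba's generated named.conf under either of the two paths mentioned (bind-dns/ or private/). All paths are function arguments, so the checks can be run against copies of the files; the host and address values in the comments are taken from this thread.

```shell
# Pre-join checks for a new Samba DC using the BIND9_DLZ backend.
# Added example, not code from the thread; every path is an argument so the
# checks can be run against copies of the files or a scratch directory.

# resolv.conf must name only the existing DC and have an uncommented 'search' line.
check_resolv() {  # $1 = resolv.conf, $2 = existing DC address (e.g. 192.168.1.254)
    ns=$(awk '/^nameserver/ {print $2}' "$1")
    [ "$ns" = "$2" ] || { echo "resolv.conf: nameserver should be $2, got '$ns'"; return 1; }
    grep -q '^search[[:space:]]' "$1" || { echo "resolv.conf: 'search' line missing or commented out"; return 1; }
}

# hosts should hold loopback plus this DC's own entry; other DCs come from DNS,
# and a 127.0.1.1 alias makes the DC resolve its own name to loopback.
check_hosts() {  # $1 = hosts file, $2 = this DC's short name (e.g. DC2)
    if grep -q '^127\.0\.1\.1' "$1"; then echo "hosts: remove the 127.0.1.1 entry"; return 1; fi
    extra=$(grep -v -E '^(#|127\.0\.0\.1[[:space:]]|::1[[:space:]])' "$1" | grep -v '^[[:space:]]*$' | grep -v -i -- "$2" || true)
    [ -z "$extra" ] || { echo "hosts: entries that should come from DNS instead:"; echo "$extra"; return 1; }
}

# named.conf must not define the default zones inline when the packaged
# named.conf.default-zones is included; named-checkconf rejects duplicate zones.
check_named_conf() {  # $1 = named.conf
    if grep -q -E '^[[:space:]]*zone[[:space:]]+"(\.|localhost|127\.in-addr\.arpa)"' "$1"; then
        echo "named.conf: default zones defined inline; replace them with"
        echo '  include "/etc/bind/named.conf.default-zones";'
        return 1
    fi
}

# Samba writes its BIND include file to bind-dns/ (newer) or private/ (older).
# Print whichever exists; fail if neither does, which usually means the join or
# provision did not run with --dns-backend=BIND9_DLZ (or samba_upgradedns is needed).
find_samba_named_conf() {  # $1 = Samba state dir, default /var/lib/samba
    base=${1:-/var/lib/samba}
    for p in "$base/bind-dns/named.conf" "$base/private/named.conf"; do
        if [ -f "$p" ]; then echo "$p"; return 0; fi
    done
    echo "no Samba named.conf under $base (looked in bind-dns/ and private/)" >&2
    return 1
}

# Run all checks against the live system, e.g.: run_all 192.168.1.254 DC2
run_all() {  # $1 = existing DC address, $2 = this DC's short name
    rc=0
    check_resolv /etc/resolv.conf "$1" || rc=1
    check_hosts /etc/hosts "$2" || rc=1
    check_named_conf /etc/bind/named.conf || rc=1
    find_samba_named_conf /var/lib/samba >/dev/null || rc=1
    return $rc
}
```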