samba - Jul 2019 - Can't find machine account

On 07/17/2019 12:48 PM, Rowland penny via samba wrote:
>
> What are you trying to join to ?
Active Directory domain, the only DC is a Server 2003 machine.
>
> Have you removed any existing smb.conf file ?
Yes
>
> Can you post the contents of the following files:
>
> /etc/hostname
athena
>
> /etc/hosts
127.0.0.1?????? localhost?????? localhost.localdomain
10.10.1.10????? athena.edm-inc.com????? athena

# The following lines are desirable for IPv6 capable hosts
::1???? localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
>
> /etc/resolv.conf
nameserver 10.10.1.14
nameserver 10.10.1.1
search edm-inc.com
>
> /etc/krb5.conf
[libdefaults]
 ??? dns_lookup_realm = false
 ??? dns_lookup_kdc = true
 ??? default_realm = EDM-INC.COM
 ??? default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 ??? default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
 ?? EDM-INC.COM = {
 ?? kdc = ADS1.EDM-INC.COM
 ?? default_domain = EDM-INC.COM
 ?? }

[domain_realm]
 ?? .edm-inc.com = EDM-INC.COM
 ?? edm-inc.com = EDM-INC.COM


Here's the full error:

Could not find machine account in secrets database: Failed to fetch 
machine account password for EDM from both secrets.ldb (Could not find 
entry to match filter:
'(&(flatname=EDM)(objectclass=primaryDomain))'
base: 'cn=Primary Domains': No such object: dsdb_search at 
../source4/dsdb/common/util.c:4705) and from 
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=RID Set,CN=ATHENA,OU=Domain Controllers,DC=edm-inc,DC=com
Deleted CN=ATHENA,OU=Domain Controllers,DC=edm-inc,DC=com
Deleted CN=NTDS 
Settings,CN=ATHENA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=edm-inc,DC=com
Deleted 
CN=ATHENA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=edm-inc,DC=com
ERROR(runtime): uncaught exception - (9003, 
'WERR_DNS_ERROR_RCODE_NAME_ERROR')
 ? File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 177, in _run
 ??? return self.run(*args, **kwargs)
 ? File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
line
716, in run
 ??? backend_store=backend_store)
 ? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501,
in
join_DC
 ??? ctx.do_join()
 ? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1406,
in
do_join
 ??? ctx.join_add_dns_records()
 ? File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1143,
in
join_add_dns_records
 ??? dns_partition=domaindns_zone_dn)
 ? File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 1057,
in
dns_lookup
 ??? dns_partition=dns_partition)



-- 
Bob Wooldridge
EDM Incorporated

On 17/07/2019 19:31, Robert A Wooldridge via samba
wrote:
> Active Directory domain, the only DC is a Server 2003 machine.
Is the function level set to its highest level ?
>>
>> /etc/resolv.conf
> nameserver 10.10.1.14
> nameserver 10.10.1.1
> search edm-inc.com
I take it '10.10.1.14' is the 2003 DC
>
>>
>> /etc/krb5.conf
> [libdefaults]
> ??? dns_lookup_realm = false
> ??? dns_lookup_kdc = true
> ??? default_realm = EDM-INC.COM
Try /etc/krb5.conf like the above
>
>
> Here's the full error:
>
> Could not find machine account in secrets database: Failed to fetch 
> machine account password for EDM from both secrets.ldb (Could not find 
> entry to match filter:
'(&(flatname=EDM)(objectclass=primaryDomain))'
> base: 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Problem is (so I have been told) neither secrets.tdb or secrets.ldb will 
have been created at this point, so this could be a red herring.

Does the windows DC run a dns server

What actual command are you running ?

Can you try it again with '-d3' on the end.

Rowland

On 18/07/19 7:12 AM, Rowland penny via samba wrote:
> On 17/07/2019 19:31, Robert A Wooldridge via samba wrote:
>>
>> Here's the full error:
>>
>> Could not find machine account in secrets database: Failed to fetch
>> machine account password for EDM from both secrets.ldb (Could not
>> find entry to match filter:
>> '(&(flatname=EDM)(objectclass=primaryDomain))' base:
'cn=Primary
>> Domains': No such object: dsdb_search at
>> ../source4/dsdb/common/util.c:4705) and from
>> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Problem is (so I have been told) neither secrets.tdb or secrets.ldb
> will have been created at this point, so this could be a red herring.
Yeah, I think that's a red herring. If we had more log context around
the error, you'd probably see the following messages beforehand.
>> Adding 1 remote DNS records for <blah-DC>
>> Join failed - cleaning up
>> Could not find machine account in secrets database: ...
i.e. the 'machine account' message gets logged as part of the cleanup,
after the join has already failed.

A few people have noticed this problem. It mostly seems to occur when
joining Samba to an older Windows DC.

The join has basically completed successfully at this point, and
samba-tool is trying to create DNS records on the Windows DC for the new
Samba DC that's just joined. That part is failing, due to the Windows DC
rejecting it.

There's more details about the DNS records it's trying to add here:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

One option might be to hack the join code to skip this step, and then
try to fix up these DNS records manually later. To do so, apply the
attached patch and retry the join, e.g.
cd /usr/lib/python2.7/dist-packages/samba
patch -p1 < join.patch

However, it'd be good to understand what exactly Windows doesn't like
about what Samba is telling it to do, so we could come up with a better
solution.

-------------- next part --------------

On 07/17/2019 02:12 PM, Rowland penny via samba wrote:
> On 17/07/2019 19:31, Robert A Wooldridge via samba wrote:
>> Active Directory domain, the only DC is a Server 2003 machine.
> Is the function level set to its highest level ?
Apparently not.? It is set to Windows 2000 level.? It could be set to 
Server2003 level but it thinks that one of my file servers is a domain 
controller and it can't change it's level.? That's strange because
this
file server is not a DC.
>>>
>>> /etc/resolv.conf
>> nameserver 10.10.1.14
>> nameserver 10.10.1.1
>> search edm-inc.com
> I take it '10.10.1.14' is the 2003 DC
Yes
>>
>>>
>>> /etc/krb5.conf
>> [libdefaults]
>> ??? dns_lookup_realm = false
>> ??? dns_lookup_kdc = true
>> ??? default_realm = EDM-INC.COM
> Try /etc/krb5.conf like the above
Have tried both.
>>
>>
>> Here's the full error:
>>
>> Could not find machine account in secrets database: Failed to fetch 
>> machine account password for EDM from both secrets.ldb (Could not 
>> find entry to match filter: 
>> '(&(flatname=EDM)(objectclass=primaryDomain))' base:
'cn=Primary
>> Domains': No such object: dsdb_search at 
>> ../source4/dsdb/common/util.c:4705) and from 
>> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> Problem is (so I have been told) neither secrets.tdb or secrets.ldb 
> will have been created at this point, so this could be a red herring.
>
> Does the windows DC run a dns server
Yes
>
> What actual command are you running ?
samba-tool domain join EDM-INC.COM DC -U"EDM\administrator" --verbose
-d3
>
-- 
Bob Wooldridge
EDM Incorporated