L.P.H. van Belle
2020-Feb-10 16:01 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
Hai, Ok. I did more digging, this is a link Dennis showed which might help.. itprotoday.com/windows-78/q-how-can-i-create-domaindnszones-directory-partition Now, if i go throught the mailing list and lookup everything abotu this part.> Could not find machine account in secrets database: Failed to fetch > machine account password for DOM from both secrets.ldb (Could not find > entry to match filter: '(&(flatname=DOM)(objectclass=primaryDomain))' > base: 'cn=Primary Domains': No such object: dsdb_search at > ../source4/dsdb/common/util.c:4705) and from > /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFOI cant see/find a clear solution. All problem domains where 2000/2003 related.. @Rowland or @Dennis, you guys any other options here? Im out of options for Alex. So far, Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Alex > via samba > Verzonden: maandag 10 februari 2020 16:44 > Aan: Rowland penny > CC: Alex > Onderwerp: Re: [Samba] FW: samba_kcc issue after joining the > domain as a DC > > Rowland, > > >>> samba-tool domain join domain.com DC -k yes --dns-backend NONE > >>> --server=vm-dc1.domain.com > >>> Why did he do that ? why no dns server ????? > >> This is b/c we used to host AD zone on a separate DNS > server(s), not in the AD. > >> I thought to keep that setup b/c it's much easier to > administrator the AD zone > >> in bind9, rather than in MS DNS. > >> > > No, it isn't and using 'NONE' as the dns backend is not > supported by Samba. > > > Run: samba_upgradedns > > > That should fill in your missing dns data. > > > An AD DC is authoritative for the AD dns domain. > > Here is what I got after switching to SAMBA_INTERNAL backend: > > # samba-tool domain join domain.com DC -k yes > --server=vm-dc1.domain.com > > INFO 2020-02-10 18:34:09,671 pid:26424 > /usr/local/samba/lib64/python3.6/site-packages/samba/join.py > #1116: Adding 1 remote DNS records for VM-DC3.domain.com > Using binding ncacn_ip_tcp:vm-dc1.domain.com[,sign] > Mapped to DCERPC endpoint 135 > added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 > netmask=255.255.0.0 > added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 > netmask=255.255.0.0 > resolve_lmhosts: Attempting lmhosts lookup for name > vm-dc1.domain.com<0x20> > Mapped to DCERPC endpoint 49228 > added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 > netmask=255.255.0.0 > added interface eth0 ip=172.26.1.83 bcast=172.26.255.255 > netmask=255.255.0.0 > resolve_lmhosts: Attempting lmhosts lookup for name > vm-dc1.domain.com<0x20> > Starting GENSEC mechanism spnego > Starting GENSEC submechanism gssapi_krb5 > GSSAPI credentials for administrator at domain.com will expire > in 32550 secs > gensec_gssapi: NO credentials were delegated > GSSAPI Connection will be cryptographically signed > INFO 2020-02-10 18:34:10,109 pid:26424 > /usr/local/samba/lib64/python3.6/site-packages/samba/join.py > #1179: Adding DNS A record VM-DC3.domain.com for IPv4 IP: 172.26.1.83 > ldb_wrap open of secrets.ldb > Could not find machine account in secrets database: Failed to > fetch machine account password for DOMAIN from both > secrets.ldb (Could not find entry to match filter: > '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: > 'cn=Primary Domains': No such object: dsdb_search at > ../../source4/dsdb/common/util.c:4733) and from > /usr/local/samba/private/secrets.tdb: > NT_STATUS_CANT_ACCESS_DOMAIN_INFO > ERROR(runtime): uncaught exception - (9003, > 'WERR_DNS_ERROR_RCODE_NAME_ERROR') > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run> return self.run(*args, **kwargs) > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain.py", line 708, in run> backend_store_size=backend_store_size) > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py" > , line 1561, in join_DC > ctx.do_join() > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py" > , line 1456, in do_join > ctx.join_add_dns_records() > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/join.py" > , line 1197, in join_add_dns_records > dns_partition=domaindns_zone_dn) > File > "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py > ", line 1177, in dns_lookup > dns_partition=dns_partition) > Adding CN=VM-DC3,OU=Domain Controllers,DC=domain,DC=com > Adding > CN=VM-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com> Adding CN=NTDS > Settings,CN=VM-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com> Adding SPNs to CN=VM-DC3,OU=Domain Controllers,DC=domain,DC=com > Setting account password for VM-DC3$ > Enabling account > Calling bare provision > Provision OK for domain DN DC=domain,DC=com > Starting replication > Missing target object - retrying with DRS_GET_TGT > Replicating critical objects from the base DN of the domain > Missing target object - retrying with DRS_GET_TGT > Done with always replicated NC (base, config, schema) > Replicating DC=DomainDnsZones,DC=domain,DC=com > Replicating DC=ForestDnsZones,DC=domain,DC=com > Committing SAM database > --- join_add_dns_records > Join failed - cleaning up > > DNS is now updated as Louis suggested to do. > > -- > Best regards, > Alex Alex > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: lists.samba.org/mailman/options/samba > >
Louis,> Ok. I did more digging, this is a link Dennis showed which might help.. > itprotoday.com/windows-78/q-how-can-i-create-domaindnszones-directory-partitionI've just tried that and got the message that the specified directory partition already exists.> Now, if i go throught the mailing list and lookup everything abotu this part.>> Could not find machine account in secrets database: Failed to fetch >> machine account password for DOM from both secrets.ldb (Could not find >> entry to match filter: '(&(flatname=DOM)(objectclass=primaryDomain))' >> base: 'cn=Primary Domains': No such object: dsdb_search at >> ../source4/dsdb/common/util.c:4705) and from >> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO> I cant see/find a clear solution. > All problem domains where 2000/2003 related..> @Rowland or @Dennis, you guys any other options here? > Im out of options for Alex.Thanks anyway Louis, I really appreciate your attempts to help me. -- Best regards, Alex Alex
Rowland penny
2020-Feb-10 16:23 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 10/02/2020 16:01, L.P.H. van Belle via samba wrote:> Hai, > > Ok. I did more digging, this is a link Dennis showed which might help.. > itprotoday.com/windows-78/q-how-can-i-create-domaindnszones-directory-partition > > > Now, if i go throught the mailing list and lookup everything abotu this part. > >> Could not find machine account in secrets database: Failed to fetch >> machine account password for DOM from both secrets.ldb (Could not find >> entry to match filter: '(&(flatname=DOM)(objectclass=primaryDomain))' >> base: 'cn=Primary Domains': No such object: dsdb_search at >> ../source4/dsdb/common/util.c:4705) and from >> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO > I cant see/find a clear solution. > All problem domains where 2000/2003 related.. > > @Rowland or @Dennis, you guys any other options here? > Im out of options for Alex.There have been quite a few posts lately where the problem has come from trying to join a Samba AD DC to a Windows domain that started out as Win 2k or 2003 and has never had the DNS upgraded. Perhaps we need to place something on the wiki to advise that the DNS must be 2008R2 function level and the best place to do this is on the Windows DC before attempting joining the Samba DC. The other option is to remove 'DC=DomainDnsZones,DC=domain,DC=com' and 'DC=ForestDnsZones,DC=domain,DC=com' after the join and then run 'samba_upgradedns', would this work ? Rowland
Rowland penny
2020-Feb-10 18:27 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 10/02/2020 16:46, Alex wrote:>>>> Could not find machine account in secrets database: Failed to fetch >>>> machine account password for DOM from both secrets.ldb (Could not find >>>> entry to match filter: '(&(flatname=DOM)(objectclass=primaryDomain))' >>>> base: 'cn=Primary Domains': No such object: dsdb_search at >>>> ../source4/dsdb/common/util.c:4705) and from >>>> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO >> The other option is to remove 'DC=DomainDnsZones,DC=domain,DC=com' and >> 'DC=ForestDnsZones,DC=domain,DC=com' after the join and then run >> 'samba_upgradedns', would this work ? > While it seems to be safe to delete DomainDnsZones context, the ForestDnsZones > context seems to contain the real DNS zone info:First and for most, this is just an idea I threw out for discussion. If you are running the old style of DNS, then things are in a different place to what is now expected. Samba has a script 'samba_upgradedns', its main task is to change between the internal and Bind9 dns servers, but it can recreate the DNS records given a certain set of circumstances. So, a couple of questions: Can you clone your Samba DC and sandbox the clone ? Can you run this search on your Samba DC: ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Configuration,DC=samdom,DC=example,DC=com' -s sub '(|(dnsRoot=DomainDnsZones.samdom.example.com)(dnsRoot=ForestDnsZones.samdom.example.com))' nCName You will have to alter it for your set up and dns domain. Rowland
>>> The other option is to remove 'DC=DomainDnsZones,DC=domain,DC=com' and >>> 'DC=ForestDnsZones,DC=domain,DC=com' after the join and then run >>> 'samba_upgradedns', would this work ? >> While it seems to be safe to delete DomainDnsZones context, the ForestDnsZones >> context seems to contain the real DNS zone info:> First and for most, this is just an idea I threw out for discussion.> If you are running the old style of DNS, then things are in a different > place to what is now expected.How can i check if it's an old style or not? I guess it should be new after following the guide Louis provided.> Samba has a script 'samba_upgradedns', its main task is to change > between the internal and Bind9 dns servers, but it can recreate the DNS > records given a certain set of circumstances.Yeah, I've already tried to run it. No success: # samba_upgradedns -d 3 lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf Reading domain information lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf Traceback (most recent call last): File "/usr/local/samba/sbin/samba_upgradedns", line 293, in <module> paths, lp.configfile, lp) File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 209, in find_provision_key_parameters names.netbiosname = str(res[0]["sAMAccountName"]).replace("$", "") IndexError: list index out of range This however might be expected b/c Samba failed to join the DC before.> Can you clone your Samba DC and sandbox the clone ?This is what I'd like to do in the very end if nothing else helped. I don't have enough resources at the moment to sandbox all of that.> Can you run this search on your Samba DC:> ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'CN=Configuration,DC=samdom,DC=example,DC=com' -s sub > '(|(dnsRoot=DomainDnsZones.samdom.example.com)(dnsRoot=ForestDnsZones.samdom.example.com))' > nCName# record 1 dn: CN=e099a041-eb07-4123-9325-15cd9edcaf54,CN=Partitions,CN=Configuration,DC=domain,DC=com nCName: DC=DomainDnsZones,DC=domain,DC=com # record 2 dn: CN=2400e56f-8acd-4764-9c51-23aba14730b7,CN=Partitions,CN=Configuration,DC=domain,DC=com nCName: DC=ForestDnsZones,DC=domain,DC=com -- Best regards, Alex