Jonathan Hunter
2020-Feb-16 11:53 UTC
[Samba] Newly joined DC - Failed to bind to uuid for ncacn_ip_tcp .. NT_STATUS_INVALID_PARAMETER
Following up on this post for the benefit of the archives, I don't want to be another DenverCoder9! [1]

I believe I have fixed this issue now (although I am at a loss to explain how it occurred in the first place). Hopefully I correctly figured out what SPNs should be present against each machine - I'm not an expert in this area, but am describing the process I went through below in the hope that it will help some future person who might have the same issue. If I've misunderstood SPNs then hopefully someone can correct me :)

On Tue, 28 Jan 2020 at 17:52, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> The error I am getting in the logs on other DCs is below (this example
> is from the log file on existing dc2, trying to replicate to newdc)
>
> Jan 28 14:19:37 dc2 samba[3153]: [2020/01/28 14:19:37.115584, 0]
> ../../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Jan 28 14:19:37 dc2 samba[3153]: Failed to bind to uuid
> 11111111-2222-3333-4444-5555555555 for
> ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,target_hostname=66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
> NT_STATUS_INVALID_PARAMETER
>
> Previous google searches uncovered some mentions of TLS issues but I
> [...]
> I don't know much about SPNs - is there anything I can check there, perhaps?

The issue, as far as I can see, turned out to be nothing to do with DNS entries, /etc/hosts files, TLS or anything of that sort. In the end, and I have no idea why, it seems I had ended up with a situation where DC2 (which was the existing and running DC) had some *extra* SPNs stored in AD that belonged to an old instance of DC1 (the DC I was trying to join).

A 'normal' DC looks like this (in my environment, at least - the output shown below is from DC1 now that I have successfully joined it to my domain):

user@dc2:~ $ sudo samba-tool spn list dc1$
dc1$
User CN=DC1,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the following servicePrincipalName:
         HOST/DC1
         HOST/dc1.mydomain.org.uk
         GC/dc1.mydomain.org.uk/mydomain.org.uk
         00000000-1111-2222-3333-4444444/55555555-6666-7777-8888-9999999999/mydomain.org.uk
         HOST/dc1.mydomain.org.uk/MYDOMAIN
         ldap/dc1.mydomain.org.uk/MYDOMAIN
         ldap/dc1.mydomain.org.uk
         HOST/dc1.mydomain.org.uk/mydomain.org.uk
         ldap/dc1.mydomain.org.uk/mydomain.org.uk
         ldap/55555555-6666-7777-8888-9999999999._msdcs.mydomain.org.uk
         ldap/DC1
         RestrictedKrbHost/DC1
         RestrictedKrbHost/dc1.mydomain.org.uk
         ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
         ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk

However, before I was able to join DC1 successfully (when I was having the issues described in the original post), I finally spotted that DC2 had the following SPN entries which didn't seem correct: (I have annotated the output below)

user@dc2:~ $ sudo samba-tool spn list dc2$
dc2$
User CN=DC2,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the following servicePrincipalName:
---> the below is all correct as it relates to DC2 <---
         HOST/DC2
         HOST/dc2.mydomain.org.uk
         GC/dc2.mydomain.org.uk/mydomain.org.uk
         00000000-1111-2222-3333-4444444/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee/mydomain.org.uk
         HOST/dc2.mydomain.org.uk/MYDOMAIN
         ldap/dc2.mydomain.org.uk/MYDOMAIN
         ldap/dc2.mydomain.org.uk
         HOST/dc2.mydomain.org.uk/mydomain.org.uk
         ldap/dc2.mydomain.org.uk/mydomain.org.uk
         ldap/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee._msdcs.mydomain.org.uk
         ldap/DC2
         RestrictedKrbHost/DC2
         RestrictedKrbHost/dc2.mydomain.org.uk
         ldap/dc2.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
         ldap/dc2.mydomain.org.uk/ForestDnsZones.mydomain.org.uk
---> everything below this line is not correct as it relates to DC1, not DC2 <---
         HOST/dc1.mydomain.org.uk
         HOST/dc1.mydomain.org.uk/MYDOMAIN
         ldap/dc1.mydomain.org.uk/MYDOMAIN
         GC/dc1.mydomain.org.uk/mydomain.org.uk
         ldap/dc1.mydomain.org.uk
         HOST/dc1.mydomain.org.uk/mydomain.org.uk
         ldap/dc1.mydomain.org.uk/mydomain.org.uk
         00000000-1111-2222-3333-4444444/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj/mydomain.org.uk
         ldap/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj._msdcs.mydomain.org.uk
         RestrictedKrbHost/dc1.mydomain.org.uk
         ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
         ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk

I ran 'sudo samba-tool spn delete' for each of the entries that I felt shouldn't have been there, e.g.

$ sudo samba-tool spn delete HOST/dc1.mydomain.org.uk DC2$
$ sudo samba-tool spn delete HOST/dc1.mydomain.org.uk/MYDOMAIN DC2$

etc. After that point, I was able to join DC1 to the domain without any issue.

Jonathan

[1] https://xkcd.com/979/

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
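An added example, not code from the post or from Samba, that automates the check Jonathan did by eye above: a POSIX sh script that reads the text printed by 'samba-tool spn list <account>$', prints every SPN whose target is some other host, and turns that list into the 'samba-tool spn delete' commands for review. The sample listing embedded in it is constructed to mirror the post (the objectGUIDs are placeholders); E3514235-4B06-11D1-AB04-00C04FC2DCD2 is the well-known prefix Active Directory uses for the replication SPN. The DC's NTDS Settings objectGUID is passed as an argument because the two GUID-form SPNs carry no host name, so nothing else in the listing says whose they are.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Reads the text printed by `samba-tool spn list <account>$` on stdin and
# prints the SPNs that do not belong to the given host, i.e. the kind of
# leftover entries the post found on DC2$ for an old instance of DC1.
#
#   sudo samba-tool spn list 'DC2$' | stray_spns dc2 <objectGUID of DC2's NTDS Settings>
#
# The NTDS Settings objectGUID is needed because two SPN forms carry no
# host name at all: ldap/<guid>._msdcs.<domain> and
# E3514235-4B06-11D1-AB04-00C04FC2DCD2/<guid>/<domain> (the well-known
# replication SPN prefix).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# stray_spns HOST GUID: print every SPN on stdin whose target is neither HOST,
# HOST.<anything>, nor the DC's own NTDS GUID.
stray_spns() {
    host=$(lower "$1")
    guid=$(lower "$2")
    while IFS= read -r line; do
        # samba-tool indents each SPN; strip that, and skip the account echo
        # and header lines, which contain no '/'
        spn=$(printf '%s' "$line" | tr -d '[:space:]')
        case "$spn" in */*) ;; *) continue ;; esac
        rest=${spn#*/}                    # drop the service class (HOST, ldap, GC, ...)
        target=$(lower "${rest%%/*}")     # second component: short name, FQDN or GUID
        case "$target" in
            "$host" | "$host".*) continue ;;   # HOST/DC2, ldap/dc2.mydomain.org.uk/...
            "$guid"._msdcs.*)    continue ;;   # ldap/<guid>._msdcs.<domain>
            "$guid")             continue ;;   # <replication GUID>/<guid>/<domain>
        esac
        printf '%s\n' "$spn"
    done
}

# delete_commands ACCOUNT: turn a list of SPNs (stdin) into the samba-tool
# commands the post ran, printed for review rather than executed.
delete_commands() {
    while IFS= read -r spn; do
        printf 'sudo samba-tool spn delete %s %s\n' "$spn" "$1"
    done
}

# Constructed sample modelled on the listing in the post; GUIDs are placeholders.
sample_spn_list() {
    cat <<'EOF'
dc2$
User CN=DC2,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the following servicePrincipalName:
         HOST/DC2
         HOST/dc2.mydomain.org.uk
         GC/dc2.mydomain.org.uk/mydomain.org.uk
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/mydomain.org.uk
         ldap/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.mydomain.org.uk
         RestrictedKrbHost/DC2
         ldap/dc2.mydomain.org.uk/ForestDnsZones.mydomain.org.uk
         HOST/dc1.mydomain.org.uk
         ldap/dc1.mydomain.org.uk/MYDOMAIN
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/ffffffff-0000-1111-2222-333333333333/mydomain.org.uk
         ldap/ffffffff-0000-1111-2222-333333333333._msdcs.mydomain.org.uk
EOF
}

# Demo on the sample: prints four delete commands, all for dc1's leftovers.
sample_spn_list | stray_spns dc2 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee | delete_commands 'DC2$'
```

Run it once per DC account and compare the stray list with 'samba-tool spn list' on the account that actually owns those names before deleting anything: Kerberos needs each SPN to be held by exactly one account, so an SPN that appears on two computer objects is the thing to remove, while an SPN that appears only on the wrong account may simply need moving rather than dropping.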