On Wed, July 8, 2020 04:23, Rowland penny wrote:
> On 08/07/2020 08:50, Mani Wieser via samba wrote:
>>
>> On 07.07.2020 22:14, Mani Wieser via samba wrote:
>> Found it (while having my morning walk with the dog): same as with
>> SOA: this is a zone/domain thing and not record
>>
>> Usage: samba-tool dns delete <server> <zone> <name>
>> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>> zone=domain
>> name=domain
>> data= FQDN of the server you want to delete
>>
>> Usage: samba-tool dns add <server> <zone> <name>
>> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>> same as above
>>
>> Mani
>>
>>
>>
> Close, but not quite correct, 'name=domain' should be 'name=@'
>
> Rowland

The source of this problem arises from having multiple IPv4 addresses on a
samba_server and not configuring smb.conf to only listen on the desired one.
When this server is joined to an existing domain all its addresses are added. I
have not been able to remove the unwanted NS record using samba-tool.

samba-tool dns delete localhost brockley.harte-lyne.ca. @ NS 192.168.216.162
Password for [administrator at BROCKLEY.HARTE-LYNE.CA]:
ERROR(runtime): uncaught exception - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/dns.py", line 1071, in run
    raise e
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/dns.py", line 1067, in run
    del_rec_buf)

I thought that by demoting the second server that this would remove the
offending address 192.168.216.162 but I had already corrected the smb.conf on
smb4-2 and when it was demoted it removed 192.168.18.162 but not
192.168.216.162.

So, I changed smb.conf on smb4-2 to not bind to specified interfaces and tried
to rejoin the domain. I would then demote smb4-2 again in anticipation that
this time both addresses would be removed. I intended then to reapply the
bindings in smb.conf on smb4-2 and finally rejoin with 192.168.216.162 gone. I
hope all that is clear to somebody.

Of course, nothing is ever that simple. When I attempted to rejoin the domain
I got this:

ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
error: Not removing account SMB4-2$ which looks like a Samba DC account
matching the password we already have. To override, remove secrets.ldb and
secrets.tdb

So, naturally, taking the utility at its word I did this:

rm -f /var/db/samba4/private/secrets.ldb /var/db/samba4/private/secrets.tdb

And now, when I try to start samba_server on smb4-2 I get this:

Jul 8 09:22:27 smb4-2 samba[19755]: samba version 4.10.15 started.
Jul 8 09:22:27 smb4-2 samba[19755]: Copyright Andrew Tridgell and the Samba Team 1992-2019
Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.259645, 0] ../../source4/smbd/server.c:773(binary_smbd_main)
Jul 8 09:22:28 smb4-2 samba[19756]: binary_smbd_main: samba: using 'standard' process model
Jul 8 09:22:28 smb4-2 samba[19761]: [2020/07/08 09:22:28.271651, 0] ../../source4/rpc_server/dcerpc_server.c:3221(add_socket_rpc_tcp_iface)
Jul 8 09:22:28 smb4-2 samba[19766]: [2020/07/08 09:22:28.291909, 0] ../../source4/cldap_server/cldap_server.c:130(cldapd_add_socket)
Jul 8 09:22:28 smb4-2 samba[19766]: Failed to bind to ipv6::::389 - NT_STATUS_UNSUCCESSFUL
Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.315742, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Jul 8 09:22:28 smb4-2 samba[19756]: daemon_ready: daemon 'samba' finished starting up and ready to serve connections
Jul 8 09:22:28 smb4-2 samba[19767]: [2020/07/08 09:22:28.320486, 0] ../../source4/kdc/kdc-server.c:585(kdc_add_socket)
Jul 8 09:22:28 smb4-2 samba[19767]: Failed to bind to :::88 TCP - NT_STATUS_UNSUCCESSFUL
Jul 8 09:22:28 smb4-2 samba[19767]: [2020/07/08 09:22:28.326224, 0] ../../source4/kdc/kdc-server.c:585(kdc_add_socket)
Jul 8 09:22:28 smb4-2 samba[19767]: Failed to bind to :::464 TCP - NT_STATUS_UNSUCCESSFUL
Jul 8 09:22:28 smb4-2 samba[19773]: [2020/07/08 09:22:28.335088, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
Jul 8 09:22:28 smb4-2 samba[19773]: task_server_terminate: task_server_terminate: [Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Jul 8 09:22:28 smb4-2 samba[19773]: ]
Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.342972, 0] ../../source4/smbd/server.c:371(samba_terminate)
Jul 8 09:22:28 smb4-2 samba[19756]: samba_terminate: samba_terminate of samba 19756: Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Jul 8 09:22:28 smb4-2 samba[19756]:
Jul 8 09:22:31 smb4-2 samba[19765]: [2020/07/08 09:22:31.745567, 0] ../../source4/ldap_server/ldap_server.c:1074(add_socket)
Jul 8 09:22:31 smb4-2 samba[19765]: ldapsrv failed to bind to :::389 - NT_STATUS_UNSUCCESSFUL

So, why is this happening and how is it fixed?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne           mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited     http://www.harte-lyne.ca
9 Brockley Drive         vox: +1 905 561 1241
Hamilton, Ontario        fax: +1 905 561 0757
Canada L8E 3C3

On 08/07/2020 14:43, James B. Byrne wrote:
>
> On Wed, July 8, 2020 04:23, Rowland penny wrote:
>> On 08/07/2020 08:50, Mani Wieser via samba wrote:
>>> On 07.07.2020 22:14, Mani Wieser via samba wrote:
>>> Found it (while having my morning walk with the dog): same as with
>>> SOA: this is a zone/domain thing and not record
>>>
>>> Usage: samba-tool dns delete <server> <zone> <name>
>>> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>>> zone=domain
>>> name=domain
>>> data= FQDN of the server you want to delete
>>>
>>> Usage: samba-tool dns add <server> <zone> <name>
>>> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>>> same as above
>>>
>>> Mani
>>>
>>>
>>>
>> Close, but not quite correct, 'name=domain' should be 'name=@'
>>
>> Rowland
> The source of this problem arises from having multiple IPv4 addresses on a
> samba_server and not configuring smb.conf to only listen on the desired one.
> When this server is joined to an existing domain all its addresses are added. I
> have not been able to remove the unwanted NS record using samba-tool.
>
> samba-tool dns delete localhost brockley.harte-lyne.ca. @ NS 192.168.216.162
> Password for [administrator at BROCKLEY.HARTE-LYNE.CA]:
> ERROR(runtime): uncaught exception - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
>   File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python3.7/site-packages/samba/netcmd/dns.py", line 1071, in run
>     raise e
>   File "/usr/local/lib/python3.7/site-packages/samba/netcmd/dns.py", line 1067, in run
>     del_rec_buf)
>
> I thought that by demoting the second server that this would remove the
> offending address 192.168.216.162 but I had already corrected the smb.conf on
> smb4-2 and when it was demoted it removed 192.168.18.162 but not
> 192.168.216.162.
>
> So, I changed smb.conf on smb4-2 to not bind to specified interfaces and tried
> to rejoin the domain. I would then demote smb4-2 again in anticipation that
> this time both addresses would be removed. I intended then to reapply the
> bindings in smb.conf on smb4-2 and finally rejoin with 192.168.216.162 gone. I
> hope all that is clear to somebody.
>
> Of course, nothing is ever that simple. When I attempted to rejoin the domain
> I got this:
>
> ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
> error: Not removing account SMB4-2$ which looks like a Samba DC account
> matching the password we already have. To override, remove secrets.ldb and
> secrets.tdb
>
> So, naturally, taking the utility at its word I did this:
>
> rm -f /var/db/samba4/private/secrets.ldb /var/db/samba4/private/secrets.tdb
>
> And now, when I try to start samba_server on smb4-2 I get this:
>
> Jul 8 09:22:27 smb4-2 samba[19755]: samba version 4.10.15 started.
> Jul 8 09:22:27 smb4-2 samba[19755]: Copyright Andrew Tridgell and the Samba Team 1992-2019
> Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.259645, 0] ../../source4/smbd/server.c:773(binary_smbd_main)
> Jul 8 09:22:28 smb4-2 samba[19756]: binary_smbd_main: samba: using 'standard' process model
> Jul 8 09:22:28 smb4-2 samba[19761]: [2020/07/08 09:22:28.271651, 0] ../../source4/rpc_server/dcerpc_server.c:3221(add_socket_rpc_tcp_iface)
> Jul 8 09:22:28 smb4-2 samba[19766]: [2020/07/08 09:22:28.291909, 0] ../../source4/cldap_server/cldap_server.c:130(cldapd_add_socket)
> Jul 8 09:22:28 smb4-2 samba[19766]: Failed to bind to ipv6::::389 - NT_STATUS_UNSUCCESSFUL
> Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.315742, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> Jul 8 09:22:28 smb4-2 samba[19756]: daemon_ready: daemon 'samba' finished starting up and ready to serve connections
> Jul 8 09:22:28 smb4-2 samba[19767]: [2020/07/08 09:22:28.320486, 0] ../../source4/kdc/kdc-server.c:585(kdc_add_socket)
> Jul 8 09:22:28 smb4-2 samba[19767]: Failed to bind to :::88 TCP - NT_STATUS_UNSUCCESSFUL
> Jul 8 09:22:28 smb4-2 samba[19767]: [2020/07/08 09:22:28.326224, 0] ../../source4/kdc/kdc-server.c:585(kdc_add_socket)
> Jul 8 09:22:28 smb4-2 samba[19767]: Failed to bind to :::464 TCP - NT_STATUS_UNSUCCESSFUL
> Jul 8 09:22:28 smb4-2 samba[19773]: [2020/07/08 09:22:28.335088, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
> Jul 8 09:22:28 smb4-2 samba[19773]: task_server_terminate: task_server_terminate: [Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Jul 8 09:22:28 smb4-2 samba[19773]: ]
> Jul 8 09:22:28 smb4-2 samba[19756]: [2020/07/08 09:22:28.342972, 0] ../../source4/smbd/server.c:371(samba_terminate)
> Jul 8 09:22:28 smb4-2 samba[19756]: samba_terminate: samba_terminate of samba 19756: Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Jul 8 09:22:28 smb4-2 samba[19756]:
> Jul 8 09:22:31 smb4-2 samba[19765]: [2020/07/08 09:22:31.745567, 0] ../../source4/ldap_server/ldap_server.c:1074(add_socket)
> Jul 8 09:22:31 smb4-2 samba[19765]: ldapsrv failed to bind to :::389 - NT_STATUS_UNSUCCESSFUL
>
> So, why is this happening and how is it fixed?
>

This is because it is an 'A' record and not an 'NS' record.

Rowland

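The type/data mismatch Rowland points out above, as an added example that is not part of any message in this thread: a POSIX shell check that refuses to build a `samba-tool dns delete` command when the data does not fit the record type. The function names are hypothetical, and the last call assumes, per Rowland's reply, that 192.168.216.162 is stored as an A record at `@`.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# zone and address in the demo calls are the ones quoted in the thread.

# classify_data DATA: print A, AAAA or HOST according to what DATA looks like.
classify_data() {
    case $1 in
        ''|*[!0-9A-Za-z.:_-]*) echo INVALID; return 1 ;;
        *:*) case $1 in
                 *[!0-9A-Fa-f:.]*) echo INVALID; return 1 ;;
                 *) echo AAAA; return 0 ;;
             esac ;;
        *[!0-9.]*) echo HOST; return 0 ;;      # loose hostname check
    esac
    # Only digits and dots remain: require exactly four octets in 0..255.
    case $1 in
        .*|*.|*..*|*.*.*.*.*) echo INVALID; return 1 ;;
        *.*.*.*) ;;
        *) echo INVALID; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            echo INVALID; return 1
        fi
    done
    echo A
}

# dns_delete_cmd SERVER ZONE NAME TYPE DATA
# Print the samba-tool command if TYPE and DATA agree; otherwise explain the
# mismatch on stderr and return non-zero. Nothing is executed.
dns_delete_cmd() {
    d_server=$1 d_zone=$2 d_name=$3 d_type=$4 d_data=$5
    case $d_type in
        A|AAAA) d_want=$d_type ;;
        NS|CNAME|PTR) d_want=HOST ;;
        *) echo "type $d_type is not checked here" >&2; return 3 ;;
    esac
    d_kind=$(classify_data "$d_data") || {
        echo "'$d_data' is neither an IP address nor a hostname" >&2; return 2; }
    if [ "$d_kind" != "$d_want" ]; then
        echo "$d_type data must be ${d_want}-style, but '$d_data' is ${d_kind}-style." >&2
        echo "List what is stored: samba-tool dns query $d_server $d_zone $d_name ALL" >&2
        return 1
    fi
    echo "samba-tool dns delete $d_server $d_zone $d_name $d_type $d_data"
}

# The attempt from the thread (refused), then the A-record form.
dns_delete_cmd localhost brockley.harte-lyne.ca. @ NS 192.168.216.162 || true
dns_delete_cmd localhost brockley.harte-lyne.ca. @ A 192.168.216.162
```
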
This is in smbd.log:

Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not find entry to match filter:
'(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:4733 and failed to open
/var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2020/07/08 09:46:32.561883, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
task_server_terminate: task_server_terminate: [Failed to obtain server
credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Why was I told to remove the secrets.?db files if doing that prevents
the samba_server from starting at all?

--
James B. Byrne

On 08/07/2020 14:50, James B. Byrne wrote:
> This is in smbd.log:
>
> Could not find machine account in secrets database: Failed to fetch machine
> account password from secrets.ldb: Could not find entry to match filter:
> '(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search at
> ../../source4/dsdb/common/util.c:4733 and failed to open
> /var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2020/07/08 09:46:32.561883, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
> task_server_terminate: task_server_terminate: [Failed to obtain server
> credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
>
> Why was I told to remove the secrets.?db files if doing that prevents
> the samba_server from starting at all?
>
>

I do not remember telling you to remove secrets.tdb from a running DC.

You might remove it from a dead or demoted DC, because when it is
re-joined as a DC, secrets.tdb will be recreated.

Have you checked if it does exist? You get a similar message if you run
samba-tool as a normal user.

Rowland

The original DNS, was that a Windows 2003 or lower server?

Because this looks familiar.
(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search...

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> James B. Byrne via samba
> Sent: Wednesday 8 July 2020 15:50
> To: Rowland penny; samba at lists.samba.org
> Subject: Re: [Samba] How to delete an unwanted NS record
>
> This is in smbd.log:
>
> Could not find machine account in secrets database: Failed to fetch machine
> account password from secrets.ldb: Could not find entry to match filter:
> '(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search at
> ../../source4/dsdb/common/util.c:4733 and failed to open
> /var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2020/07/08 09:46:32.561883, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
> task_server_terminate: task_server_terminate: [Failed to obtain server
> credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
>
> Why was I told to remove the secrets.?db files if doing that prevents
> the samba_server from starting at all?
>

On 08/07/2020 15:05, L.P.H. van Belle via samba wrote:
> The original DNS, was that a Windows 2003 or lower server?
>
> Because this looks familiar.
> (&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search...

It should, you will have something similar in /var/lib/samba/private/secrets.ldb

Rowland

Wed Jul 8 14:02:23 UTC 2020, Rowland penny wrote:
>> On 08/07/2020 14:50, James B. Byrne wrote:
>>
>> Why was I told to remove the secrets.?db files if doing that prevents
>> the samba_server from starting at all?
>
>
> I do not remember telling you to remove secrets.tdb from a running DC.

You did not. The error message when I attempted to rejoin the domain with the
recently demoted DC said:

ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join,
error: Not removing account SMB4-2$ which looks like a Samba DC account
matching the password we already have. To override, remove secrets.ldb and
secrets.tdb

Which I dutifully removed per the instructions. I did not put that message
into the code.

> You might remove it from a dead or demoted DC, because when it is
> re-joined as a DC, secrets.tdb will be recreated.

The samba_server was demoted first. It was restarted without issue. I then
attempted to rejoin the domain with the resultant error given above. That
error message does not appear to me to have any interpretation other than the
one I acted upon. Now the samba_server will not start, and it cannot be joined
to the domain if it will not start.

In any case, the server recreates the secrets databases during the startup
process and then fails with the error:

[2020/07/08 09:46:32.561758, 1] ../../auth/credentials/credentials_secrets.c:426(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not find entry to match filter:
'(&(flatname=BROCKLEY)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:4733 and failed to open
/var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Clearly there exist other artifacts from the previous join that persist (could
not find entry to match filter: '(&(flatname=BROCKLEY)) and which are
preventing the server from restarting.

I can blow away the entire samba directory contents completely and then
reinstall the software of course, but that would not be acceptable in a
production environment. I need a solution to this that does not require so
drastic a step.

I appreciate the help. I had no intention to imply that anyone had misled me.
But the error message cannot be gainsaid.

Sincerely,

--
James B. Byrne