On 15.02.21 at 16:06, Rowland penny via samba wrote:
> On 15/02/2021 14:48, cn--- via samba wrote:
>> Hello All,
>> sorry for the long post...
>> I have deployed a RODC in a remote site. The Site and the subnet were
>> already created but had no DC. I have set up the RODC as I would a
>> normal DC. This is on CentOS 8 with Sernet packages. And did a join
>> like this:
>>
>> samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ
>> --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"
>>
>> This completed successfully. The RODC was created in the Sites and
>> Services app. The replication with one DC is also listed there.
>
>
> Do you have 'dns.keytab' in /var/lib/samba/bind-dns/ ?
Yes, I copied this before I first started the samba-ad service, just to make sure.
>
> If you don't (I am willing to bet you don't), run 'samba_upgradedns' and
> downgrade to the internal dns server, then run it again, but add
> '--dns-backend=BIND9_DLZ'. This will upgrade you to the Bind9 dns server
> again, but this time with the 'dns.keytab' in the correct location.
I ran this already but tried it again:
[root@rodc ~]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/HQ.DOMAIN.DE.zone
DNS records will be automatically created
DNS partitions already exist
DSDB Transaction [rollback] at [Mon, 15 Feb 2021 16:16:02.417149 CET]
duration [3056]
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 439, in <module>
    ldbs.sam.modify(m)
_ldb.LdbError: (1, 'Invalid LDB reply type 1')
But Bind starts and runs OK. Again trying to update DNS:
Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: added
rdataset 87.1.168.192.in-addr.arpa '87.1.168.192.in-addr.arpa.
1200 IN PTR BR-FH9Y503.hq.domain.de.'
Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: committed
transaction on zone 1.168.192.in-addr.arpa
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing
update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A
error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40
10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone
'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15
16:17:52.578833, 1]
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]:
create_connection_session_info: guest user (from session setup) not
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15
16:17:52.578922, 1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15
16:17:52.618969, 1]
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]:
create_connection_session_info: guest user (from session setup) not
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15
16:17:52.619059, 1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
And on the remote DC I get this:
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing
update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A
error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40
10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone
'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15
16:17:52.578833, 1]
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]:
create_connection_session_info: guest user (from session setup) not
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15
16:17:52.578922, 1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15
16:17:52.618969, 1]
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]:
create_connection_session_info: guest user (from session setup) not
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15
16:17:52.619059, 1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Regards
Christian
--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt (Darmstadt Local Court), HRB 24758
Executive Board: Adriaan Moelker (Chairman of the Executive Board),
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
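
Added example (not part of the original post and not Samba code): a small Python parser that re-joins mail-wrapped journal lines like the ones above and extracts every samba_dlz secure-update rejection with its signer, record name and type. The sample input is constructed from the log format shown in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the journal excerpt in the post,
# wrapped the way the mail client wrapped it.
SAMPLE = r"""Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: committed
transaction on zone 1.168.192.in-addr.arpa
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing
update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A
error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling
transaction on zone hq.domain.de
"""

# A new syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrap.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
DENIED = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) (?P<host>\S+) named\[\d+\]: samba_dlz: "
    r"disallowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"type=(?P<type>\S+) error=(?P<error>.+)$")

def unwrap(text):
    """Join continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def denied_updates(text):
    """Return one dict per rejected dynamic update."""
    events = []
    for rec in unwrap(text):
        m = DENIED.match(rec)
        if m:
            ev = m.groupdict()
            # The log shows '$' and '@' backslash-escaped; undo for reporting.
            ev["signer"] = ev["signer"].replace("\\", "")
            events.append(ev)
    return events

def summarize(events):
    """Count rejections per (signer, record name, record type)."""
    return Counter((e["signer"], e["name"], e["type"]) for e in events)

if __name__ == "__main__":
    for key, n in summarize(denied_updates(SAMPLE)).items():
        print(n, *key)
```

Grouping by signer shows at a glance which machine account is being refused and for which record, which is the pair to check against the zone's permissions on the writable DC.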