On Wed Aug 2 10:25:00 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 02/08/2023 15:04, Mark Foley via samba wrote:
>
> > Yeah, those commands on my system simply return the 'help'
> > syntax info for the host command.
Actually, I must correct this a bit. Running those commands on my current DC
gives the "prohibited character found" error.
> >> I suggest you start Samba, wait a short while and then try again.
> >
> > Do you mean to start Samba on the new DC (which I haven't done
> > yet) or [re]start Samba on the current DC?
>
> When you 'join' a new DC to the domain, only minimal critical DNS
> records are created and the GUID records are not amongst them. When
> Samba on the new DC is started, a script <samba_dnsupdate> is run (it
> then runs every 10 minutes after that). This script uses a file
> <dns_update_list> to check if various DNS records for the DC exist; if
> they do not exist, they are created. Amongst these DNS records is:
>
> ${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
>
> So the GUID record possibly doesn't exist on your new DC because you
> haven't started it.
>
> Rowland
Per the wiki, I ran 'samba' on the new DC, then tried 'samba-tool drs showrepl'
on the new DC. No go:
# samba-tool drs showrepl
Failed to connect host 127.0.0.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.0.1 (dc1.hprs.local) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.hprs.local failed - drsException: DRS connection to dc1.hprs.local failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.9/site-packages/samba/drs_utils.py", line 71, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
I then tried 'samba-tool drs showrepl' on the current DC and got:
# samba-tool drs showrepl
:
: (bunch of gensec stuff)
:
Default-First-Site-Name\MAIL
DSA Options: 0x00000001
DSA object GUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
DSA invocationId: efd15371-9645-4a1a-b9eb-f4db28add590
==== INBOUND NEIGHBORS ===
Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 2816 bytes, with 76 bytes header/signature.
CN=Schema,CN=Configuration,DC=hprs,DC=local
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
Last attempt @ Wed Aug 2 16:31:57 2023 EDT failed, result 2 (WERR_FILE_NOT_FOUND)
2678 consecutive failure(s).
Last success @ NTTIME(0)
The above, starting with "Default-First-Site-Name\DC1 via RPC", was repeated
4 more times, but note the failure which occurred in each repeat. After that:
==== OUTBOUND NEIGHBORS ===
Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 32 bytes, with 76 bytes header/signature.
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 34b6cbf3-f021-4922-9b55-6dc26cb833be
Enabled : TRUE
Server DNS name : dc1.hprs.local
Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Kerberos commands still not working:
# kinit administrator
Password for administrator at hprs.local:
kinit: KDC reply did not match expectations while getting initial credentials
# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
/etc/resolv.conf still not working with the new DC's IP.
All these failures are likely because samba failed, /var/log/syslog:
Aug 2 16:53:14 DC1 samba[16433]: [2023/08/02 16:53:14.573450, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Aug 2 16:53:14 DC1 samba[16433]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
:
: (another 26 errors like this)
:
Aug 2 16:53:15 DC1 samba[16433]: [2023/08/02 16:53:15.236106, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Aug 2 16:53:15 DC1 samba[16433]: dnsupdate_nameupdate_done: Failed DNS update with exit code 27
As it stands, samba doesn't run, kerberos doesn't run, DNS not working.
Note that the 1st place I'm failing per the wiki procedure is with:
# host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
I'm about ready to give up and start from scratch, maybe going back and
attempting to upgrade the existing Samba 4.8.2 if you think the current course
is irredeemable and out of control.
I started down the "upgrade" line of thinking in thread
"Upgrading from Samba 4.8.2 to 4.15.5"
from January 28th, but advice from you and others was to try adding a DC and
"promoting" it. Is that still viable?
I could also give this 2nd DC another clean retry by removing it from the
domain, wiping the drive and starting over. Perhaps joining with a
specified backend so DNS works right away -- or getting that to work before
moving on. At the same time I could put the latest BIND package on the current
4.8.2 DC and get away from the "prohibited character found" error.
--Mark :(
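An added example, not part of this thread and not Samba's own samba_dnsupdate, that models the check Rowland describes: expand a dns_update_list-style template for the DC and list which of the expected records are absent from the zone. The hostname, domain/forest and NTDS GUID are taken from the messages above; the template subset, the IP address, the zone contents, the ${IF_DC}/${IF_GC} guard semantics and the helper names are assumptions made for this illustration.

```python
"""Expand a dns_update_list-style template and report missing DNS records.

Added example only: this is not Samba's samba_dnsupdate. The template subset,
the zone contents and the IP address are constructed for illustration.
"""
import re
from string import Template

# Constructed subset of dns_update_list, using the same ${VAR} syntax that
# samba_dnsupdate consumes. A leading ${IF_DC} / ${IF_GC} guard is taken to
# mean "only when the DC holds that role" (assumption about guard semantics).
DNS_UPDATE_LIST = """
${IF_DC}A ${HOSTNAME} $IP
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_GC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
"""

# Substitution values for the new DC. Hostname, domain/forest and NTDS GUID
# come from the thread; the IP address is a constructed placeholder.
CONTEXT = {
    "HOSTNAME": "dc1.hprs.local",
    "IP": "192.0.2.10",
    "DNSDOMAIN": "hprs.local",
    "DNSFOREST": "hprs.local",
    "NTDSGUID": "0d2a3ba9-4ade-45de-85c7-321ba69caee0",
}

GUARD_RE = re.compile(r"^\$\{(IF_[A-Z]+)\}")


def _norm(text: str) -> str:
    """Case-fold, drop a trailing dot and collapse whitespace for comparison."""
    return " ".join(text.lower().rstrip(".").split())


def record(rtype: str, name: str, value: str) -> tuple:
    """Build a normalised (type, owner name, rdata) tuple."""
    return (rtype.upper(), _norm(name), _norm(value))


# Constructed zone state right after 'samba-tool domain join': only the
# minimal records exist, the GUID CNAME and the GC SRV record do not.
ZONE_AFTER_JOIN = {
    record("A", "dc1.hprs.local", "192.0.2.10"),
    record("SRV", "_ldap._tcp.hprs.local", "dc1.hprs.local 389"),
    record("SRV", "_kerberos._tcp.hprs.local", "dc1.hprs.local 88"),
}


def expand_update_list(template: str, ctx: dict, roles: set) -> list:
    """Return the records the template expects for a DC holding `roles`."""
    records = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Peel off leading ${IF_*} guards; drop the line if any guard fails.
        applies = True
        while (m := GUARD_RE.match(line)):
            if m.group(1) not in roles:
                applies = False
            line = line[m.end():]
        if not applies:
            continue
        expanded = Template(line).substitute(ctx)
        parts = expanded.split(None, 2)  # TYPE NAME <rest of rdata>
        if len(parts) != 3:
            raise ValueError(f"malformed template line: {raw!r}")
        records.append(record(*parts))
    return records


def missing_records(expected: list, zone: set) -> list:
    """Records the DC expects that the zone does not yet hold."""
    return [r for r in expected if r not in zone]


def main() -> None:
    expected = expand_update_list(DNS_UPDATE_LIST, CONTEXT, {"IF_DC", "IF_GC"})
    for rtype, name, value in missing_records(expected, ZONE_AFTER_JOIN):
        print(f"missing: {rtype} {name} -> {value}")


if __name__ == "__main__":
    main()
```

Run as-is it reports the GUID CNAME under _msdcs and the _gc SRV record as missing, which is the state Rowland describes for a freshly joined DC whose samba process has not yet run samba_dnsupdate; feeding it a zone snapshot taken after the first update round should yield an empty list.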