CED Ing. Damiano Bolla
2025-Jul-03 06:09 UTC
[Samba] WERR_DNS_ERROR_DS_UNAVAILABLE when asking for local dns server info
yes, one parameter passed is -U with the proper user or even better?
--use-krb5-ccache=/tmp/krb5cc_0

this is the result of samba-tool testparm, with some possibly sensitive information changed (it is obviously changed)

# Global parameters
[global]
        dns forwarder = 192.168.999.11
        log level = 1
        netbios name = VDCE
        realm = CONTOSO.LOCAL
        server role = active directory domain controller
        workgroup = CONTOSO

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/aclonigo.local/scripts
        read only = No

all the remaining parameters are default, this means that the server is using an internal dns (and it works)

the question is "how can I find out if RPC server for DNS (that is NOT the dns server itself, it is the "administrative" part) is "enabled") ?

and if it is not enabled.... how do I enable it ?

or alternatively, where (what file and possibly what "string") should I look for possible invalid params related to RPC server for DNS ?

Thanks

On 2025-07-02 1:43 PM, Rowland Penny via samba wrote:
> On Wed, 2 Jul 2025 13:22:28 +0200
> "CED Ing. Damiano Bolla via samba" <samba at lists.samba.org> wrote:
>
>> Hello
>>
>> VDCE is a samba version 4.22.2 debian running as
>> ROLE_ACTIVE_DIRECTORY_DC
>>
>> I can access the server with RSAT and change the AD configuration
>> (users, computers) and it will replicate
>>
>> DNS works (as in nslookup) but apparently the RPC management is not
>> active
>>
>> # samba-tool dns serverinfo vdce
>>
>> provide the password and the reply is
> Yes but the password for who ?
>
> If I try it as above, I get prompted for:
>
> Password for [SAMDOM\root]:
>
>> ERROR(runtime): Could not contact RPC server
>> [WERR_DNS_ERROR_DS_UNAVAILABLE] - (9717,
>> 'WERR_DNS_ERROR_DS_UNAVAILABLE') File
>> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 119, in f
>> return attr(*args)
>>
> But I get a different error, but it does work if I supply '-Urowland'
> on the end of the command and then enter my password.
>
> If that doesn't help, please post the output of 'samba-tool testparm'
>
> Rowland
>
Rowland Penny
2025-Jul-03 06:38 UTC
[Samba] WERR_DNS_ERROR_DS_UNAVAILABLE when asking for local dns server info
On Thu, 3 Jul 2025 08:09:11 +0200
"CED Ing. Damiano Bolla via samba" <samba at lists.samba.org> wrote:

> yes, one parameter passed is -U with the proper user or even better?
> --use-krb5-ccache=/tmp/krb5cc_0

I think what you are saying is that you have tried with -U and --use-krb5-ccache but it does not work for you. The problem is, it works for myself.

adminuser at rpidc1:~ $ sudo kinit Administrator
Password for Administrator at SAMDOM.EXAMPLE.COM:
adminuser at rpidc1:~ $ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
03/07/25 07:18:30  03/07/25 17:18:30  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 04/07/25 07:18:10
adminuser at rpidc1:~ $ ls -la /tmp/krb5cc_0
-rw------- 1 root root 1969 Jul 3 07:18 /tmp/krb5cc_0
adminuser at rpidc1:~ $ sudo samba-tool dns serverinfo rpidc1 --use-krb5-ccache=/tmp/krb5cc_0
  dwVersion            : 0xece0205
  fBootMethod          : DNS_BOOT_METHOD_DIRECTORY
  fAdminConfigured     : FALSE
  fAllowUpdate         : TRUE
  fDsAvailable         : TRUE
  pszServerName        : rpidc1.samdom.example.com
  pszDsContainer       : CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
  aipServerAddrs       : ['::1', '127.0.0.1', '192.168.1.2']
  aipListenAddrs       : ['::1', '127.0.0.1', '192.168.1.2']
  aipForwarders        : []
  dwLogLevel           : 0
  dwDebugLevel         : 0
  dwForwardTimeout     : 3
  dwRpcPrototol        : 0x5
  dwNameCheckFlag      : DNS_ALLOW_MULTIBYTE_NAMES
  cAddressAnswerLimit  : 0
  dwRecursionRetry     : 3
<------- snip ---------->

> this is the result of samba-tool testparm, with some possibly
> sensitive information changed (it is obviously changed)
>
> # Global parameters
> [global]
>         dns forwarder = 192.168.999.11
>         log level = 1
>         netbios name = VDCE
>         realm = CONTOSO.LOCAL
>         server role = active directory domain controller
>         workgroup = CONTOSO
>

That shows all the services including rpc should be running, just one possibility, you show that you are using '.local' as the TLD, now this could be sanitising, but if it isn't and you cannot re-provision, then turn off Avahi and Bonjour everywhere in your organisation.

> all the remaining parameters are default, this means that the server
> is using an internal dns (and it works)
>
> the question is "how can I find out if RPC server for DNS (that is
> NOT the dns server itself, it is the "administrative" part) is
> "enabled") ?
>
> and if it is not enabled.... how do I enable it ?

I doubt that your rpc server isn't running, I suspect a dns problem.

I take it that there is no other dns server running on the DC and that the DC and clients are using the DC as the domain's dns server.

Can you post the contents of:

/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/nsswitch.conf

Also post the output of 'hostname -I' run on the DC

It might also help if you can tell us just what Samba packages you installed and where they came from.

Rowland
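
Added example, not part of either post and not Samba code: a small Python check of two of the files requested above on a DC whose realm ends in '.local'. It flags an mdns module placed ahead of dns in /etc/nsswitch.conf (the Avahi/mDNS clash mentioned in the reply) and loopback entries for the DC's own name in /etc/hosts. The loopback check is an assumption about what is usually looked for in that file, and the function names and sample file contents are constructed for illustration.

```python
import re

# Constructed sample files for a DC "vdce" in realm CONTOSO.LOCAL (not taken from the thread).
SAMPLE_NSSWITCH = "passwd: files systemd\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 vdce.contoso.local vdce\n"

def hosts_sources(nsswitch_text):
    """Ordered entries of the 'hosts:' line; actions like [NOTFOUND=return] are kept."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):])
    return []

def mdns_before_dns(nsswitch_text, realm):
    """Return 'stops', 'delays' or 'ok' for how mDNS ordering affects a .local realm."""
    if not realm.lower().rstrip(".").endswith(".local"):
        return "ok"                      # mdns modules handle .local names by default
    sources = hosts_sources(nsswitch_text)
    for i, src in enumerate(sources):
        if src == "dns":
            return "ok"                  # unicast DNS is consulted before any mdns module
        if src.startswith("mdns"):
            action = sources[i + 1] if i + 1 < len(sources) else ""
            # [NOTFOUND=return] ends the lookup when mDNS has no answer; '!' negates it
            stops = re.search(r"(?<!!)NOTFOUND=return", action, re.I)
            return "stops" if stops else "delays"
    return "ok"                          # no mdns module ahead of dns

def loopback_entries(hosts_text, fqdn):
    """Loopback addresses that /etc/hosts assigns to the DC's FQDN or short name."""
    names = {fqdn.lower(), fqdn.lower().split(".", 1)[0]}
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and names & {f.lower() for f in fields[1:]}:
            if fields[0].startswith("127.") or fields[0] == "::1":
                hits.append(fields[0])
    return hits

if __name__ == "__main__":
    print("nsswitch hosts order:", mdns_before_dns(SAMPLE_NSSWITCH, "CONTOSO.LOCAL"))
    print("loopback entries:", loopback_entries(SAMPLE_HOSTS, "vdce.contoso.local"))
```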