Rowland Penny
2025-Jul-03 06:38 UTC
[Samba] WERR_DNS_ERROR_DS_UNAVAILABLE when asking for local dns server info
On Thu, 3 Jul 2025 08:09:11 +0200
"CED Ing. Damiano Bolla via samba" <samba at lists.samba.org> wrote:

> yes, one parameter passed is -U with the proper user or even better
> --use-krb5-ccache=/tmp/krb5cc_0

I think what you are saying is that you have tried with -U and
--use-krb5-ccache but it does not work for you. The problem is, it
works for myself.

adminuser at rpidc1:~ $ sudo kinit Administrator
Password for Administrator at SAMDOM.EXAMPLE.COM:

adminuser at rpidc1:~ $ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
03/07/25 07:18:30  03/07/25 17:18:30  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 04/07/25 07:18:10

adminuser at rpidc1:~ $ ls -la /tmp/krb5cc_0
-rw------- 1 root root 1969 Jul  3 07:18 /tmp/krb5cc_0

adminuser at rpidc1:~ $ sudo samba-tool dns serverinfo rpidc1 --use-krb5-ccache=/tmp/krb5cc_0
  dwVersion                   : 0xece0205
  fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
  fAdminConfigured            : FALSE
  fAllowUpdate                : TRUE
  fDsAvailable                : TRUE
  pszServerName               : rpidc1.samdom.example.com
  pszDsContainer              : CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
  aipServerAddrs              : ['::1', '127.0.0.1', '192.168.1.2']
  aipListenAddrs              : ['::1', '127.0.0.1', '192.168.1.2']
  aipForwarders               : []
  dwLogLevel                  : 0
  dwDebugLevel                : 0
  dwForwardTimeout            : 3
  dwRpcPrototol               : 0x5
  dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
  cAddressAnswerLimit         : 0
  dwRecursionRetry            : 3
<------- snip ---------->

>
> this is the result of samba-tool testparm, with some possibly
> sensitive information changed (it is obviously changed)
>
> # Global parameters
> [global]
>         dns forwarder = 192.168.999.11
>         log level = 1
>         netbios name = VDCE
>         realm = CONTOSO.LOCAL
>         server role = active directory domain controller
>         workgroup = CONTOSO
>

That shows all the services including rpc should be running, just one
possibility, you show that you are using '.local' as the TLD, now this
could be sanitising, but if it isn't and you cannot re-provision, then
turn off Avahi and Bonjour everywhere in your organisation.

>
> all the remaining parameters are default, this means that the server
> is using an internal dns (and it works)
>
> the question is "how can I find out if RPC server for DNS (that is
> NOT the dns server itself, it is the "administrative" part) is
> "enabled") ?
>
> and if it is not enabled.... how do I enable it ?

I doubt that your rpc server isn't running, I suspect a dns problem.

I take it that there is no other dns server running on the DC and that
the DC and clients are using the DC as the domain's dns server.

Can you post the contents of:

/etc/hostname
/etc/hosts
/etc/krb5.conf
/etc/nsswitch.conf

Also post the output of 'hostname -I' run on the DC

It might also help if you can tell us just what Samba packages you
installed and where they came from.

Rowland
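
The files requested above can be checked mechanically for the problems this message raises ('.local' competing with mDNS, resolver ordering, realm consistency). The Python sketch below is an added example, not part of either post and not Samba code; the function name, finding codes and sample file contents are constructed, and the loopback check reflects general Samba AD DC setup guidance rather than anything stated in the thread.

```python
import ipaddress
import re

def audit_dc_name_resolution(hostname, realm, hosts, nsswitch, krb5):
    """Return (code, detail) findings for a Samba AD DC's resolver files."""
    findings = []
    fqdn = f"{hostname}.{realm}".lower()
    # '.local' is reserved for mDNS, so Avahi/Bonjour compete with AD DNS.
    if realm.lower().endswith(".local"):
        findings.append(("LOCAL_TLD", realm))
    # nsswitch.conf: 'mdns4_minimal [NOTFOUND=return]' ahead of 'dns' ends
    # .local lookups before the DC's DNS server is ever asked.
    for line in nsswitch.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "hosts:":
            sources = [f for f in fields[1:] if not f.startswith("[")]
            mdns = [i for i, s in enumerate(sources) if s.startswith("mdns")]
            if mdns and ("dns" not in sources or mdns[0] < sources.index("dns")):
                findings.append(("MDNS_BEFORE_DNS", " ".join(sources)))
    # /etc/hosts: the DC's names must map to its LAN address, not loopback.
    mapped = False
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        names = [n.lower() for n in fields[1:]]
        if fqdn not in names and hostname.lower() not in names:
            continue
        mapped = mapped or fqdn in names
        try:
            if ipaddress.ip_address(fields[0]).is_loopback:
                findings.append(("HOSTNAME_ON_LOOPBACK", " ".join(fields)))
        except ValueError:  # e.g. a sanitised, out-of-range octet
            findings.append(("BAD_ADDRESS", fields[0]))
    if not mapped:
        findings.append(("FQDN_NOT_IN_HOSTS", fqdn))
    # krb5.conf: default_realm must be the AD realm in upper case.
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5, re.MULTILINE)
    if not m or m.group(1) != realm.upper():
        findings.append(("KRB5_REALM_MISMATCH", m.group(1) if m else "missing"))
    return findings

# Constructed sample files for a hypothetical DC 'dc1' (not from the thread).
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 dc1.samdom.example.local dc1\n"
SAMPLE_NSSWITCH = "#hosts: files dns\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_KRB5 = "[libdefaults]\n    default_realm = SAMDOM.EXAMPLE.LOCAL\n"

if __name__ == "__main__":
    for code, detail in audit_dc_name_resolution(
            "dc1", "SAMDOM.EXAMPLE.LOCAL", SAMPLE_HOSTS, SAMPLE_NSSWITCH, SAMPLE_KRB5):
        print(f"{code}: {detail}")
```

An empty result means only that these static files are consistent; it says nothing about whether the DNS RPC service answers.
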
CED Ing. Damiano Bolla
2025-Jul-03 06:59 UTC
[Samba] WERR_DNS_ERROR_DS_UNAVAILABLE when asking for local dns server info
this is what works
----------------------
root at vdce:/home/damiano/work# cat /etc/hostname
vdce
----------------------
root at vdce:/home/damiano/work# cat /etc/hosts
127.0.0.1       localhost
192.168.999.40  vdce.CONTOSO.local     vdce
----------------------
root at vdce:/home/damiano/work# cat /etc/krb5.conf
[libdefaults]
        default_realm = CONTOSO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
CONTOSO.LOCAL = {
        default_domain = CONTOSO.local
}
[domain_realm]
        VDCE = CONTOSO.LOCAL
----------------------
root at vdce:/home/damiano/work# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files
group:          files
shadow:         files
gshadow:        files
#hosts:          files mdns4_minimal [NOTFOUND=return] dns
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
----------------------
root at vdce:/home/damiano/work# nslookup vdce
Server:         192.168.999.40
Address:        192.168.999.40#53
Name:   vdce.CONTOSO.local
Address: 192.168.999.40
----------------------
root at vdce:/home/damiano/work# net --use-krb5-ccache=/tmp/krb5cc_0 -S virtdc time
Thu Jul  3 08:50:12 2025
----------------------
root at vdce:/home/damiano/work# net --use-krb5-ccache=/tmp/krb5cc_0 -S vdce time
Thu Jul  3 08:49:31 2025
----------------------
I can use RSAT (from windows machine, clearly) to connect to xx.40 and
administer "active directory users and computers"
----------------------
I have removed the other windows machines from the report
PS C:\Users\xxxxxxx> repadmin /replsummary
Replication Summary Start Time: 2025-07-03 08:56:54
Source DSA          largest delta    fails/total %%   error
 VDCD                      03m:58s    0 /  10    0
Destination DSA     largest delta    fails/total %%   error
 VDCD                      59m:57s    0 /  10    0
----------------------------------
however....
root at vdce:/home/damiano/work# samba-tool dns serverinfo vdce --use-krb5-ccache=/tmp/krb5cc_0
ERROR(runtime): Could not contact RPC server
[WERR_DNS_ERROR_DS_UNAVAILABLE] - (9717,
'WERR_DNS_ERROR_DS_UNAVAILABLE')
the question, again....
the question is "how can I find out if RPC server for DNS (that is NOT
the dns server itself, it is the "administrative" part) is
"enabled") ?
and if it is not enabled.... how do I enable it ?
or alternatively, where (what file and possibly what "string") should I
look for for possible invalid params related to RPC server for DNS ?
On 2025-07-03 8:38 AM, Rowland Penny via samba wrote:
> samba-tool dns serverinfo rpidc1 --use-krb5-ccache=/tmp/krb5cc_0