[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Rowland Penny
rpenny at samba.org
Fri May 3 07:07:36 UTC 2019
On Thu, 2 May 2019 16:51:02 -0400
James Fowler <fowlerj at adst.org> wrote:
See inline comments
> root at DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # and managed by Zentyal.
> #
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> #
> nameserver 192.168.1.254
> #search domain1.domain
I would do two things here, the first is 'apt-get purge resolvconf',
you do not want anything changing /etc/resolv.conf on a DC.
The second is, uncomment the 'search' line.
There is also that word 'Zentyal'; was/is this computer a Zentyal DC?
>
> /etc/hostname
> cat /etc/hostname
> DC2
>
> /etc/hosts
> root at DC2:~cat /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> 127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
> 192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
> 192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
> 192.168.1.254 DC1.DOMAIN1.local DC1
>
You should only have the new DC's info in /etc/hosts; anything else
should be found by DNS. There is also '127.0.1.1', is there another
DNS server running? (dnsmasq, netplan etc.)
> root at DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
You do not need the '/etc/bind/keys' line
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
Why is the above in /etc/bind/named.conf ?
There should just be an include line like this:
include "/etc/bind/named.conf.default-zones";
> root at DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal
Why? They seem to be making a right mess of it ;-)
Mine is just:
include "/var/lib/samba/bind-dns/named.conf";
>
> root at DC2:/etc/bind# cat named.conf.options
>
> options {
> sortlist {
> { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> };
> directory "/var/cache/bind";
> auth-nxdomain no; # conform to RFC1035
>
> allow-query { any; };
> allow-recursion { trusted; };
> allow-query-cache { trusted; };
> allow-transfer { internal-local-nets; };
> };
>
> logging { category lame-servers { null; }; };
If that again is managed by Zentyal, well, they got some things right
but missed a major thing. This is mine:
options {
directory "/var/cache/bind";
version "0.0.7";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.0.0/24; };
allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
forwarders { 8.8.8.8; 8.8.4.4; };
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { none; };
listen-on port 53 { 192.168.0.6; 127.0.0.1; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
From all this, it is clear your DNS is not working as a Samba AD DC
would expect.
Rowland
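The checks made by eye in the reply above can be written down as a small lint over the three files. The following is an added example, not code from the thread or from the Samba project: it takes the text of /etc/resolv.conf, /etc/hosts, named.conf, named.conf.local and named.conf.options and reports each of the problems pointed out (resolvconf owning resolv.conf, the commented-out 'search' line, foreign entries and 127.0.1.1 in /etc/hosts, inline zone blocks and the keys include in named.conf, a named.conf.local without Samba's include, and options without tkey-gssapi-keytab). The sample file contents are constructed to reproduce the thread's files; the DC name and realm are the ones quoted in the thread.

```python
"""Lint the DNS plumbing of a Samba AD DC that uses the BIND9_DLZ backend.

Added example, not code from the mailing-list thread. Each check corresponds
to a point made in the reply above. The sample file contents are constructed
to reproduce the problems shown there; the DC name 'DC2' and realm
'DOMAIN1.DOMAIN' are taken from the thread.
"""
import re

SAMBA_DLZ_INCLUDE = "/var/lib/samba/bind-dns/named.conf"
DEFAULT_ZONES_INCLUDE = "/etc/bind/named.conf.default-zones"
DNS_KEYTAB = "/var/lib/samba/bind-dns/dns.keytab"


def _active_lines(text):
    """Return non-empty lines with '#' and '//' comments stripped."""
    out = []
    for raw in text.splitlines():
        line = re.split(r"#|//", raw, maxsplit=1)[0].strip()
        if line:
            out.append(line)
    return out


def check_resolv_conf(text):
    findings = []
    # The header resolvconf(8) writes is itself the evidence that it owns the file.
    if "resolvconf" in text:
        findings.append("resolv.conf: written by resolvconf; purge the package so nothing rewrites it on a DC")
    if not any(line.split()[0] == "search" for line in _active_lines(text)):
        findings.append("resolv.conf: no active 'search' line; uncomment or add one for the AD domain")
    return findings


def check_hosts(text, dc_name, realm):
    findings = []
    fqdn = f"{dc_name}.{realm}".lower()
    for line in _active_lines(text):
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        if ip == "127.0.1.1":
            findings.append("hosts: 127.0.1.1 entry present; check whether another resolver (dnsmasq, netplan etc.) is running")
        elif ip.startswith("127.") or ":" in ip:
            continue  # loopback and IPv6 boilerplate are fine
        elif fqdn not in names:
            findings.append(f"hosts: {ip} {' '.join(fields[1:])} is not this DC; let DNS resolve it")
    return findings


def check_bind(named_conf, named_conf_local, named_conf_options):
    findings = []
    conf = _active_lines(named_conf)
    if not any(DEFAULT_ZONES_INCLUDE in line for line in conf):
        findings.append(f'named.conf: missing include "{DEFAULT_ZONES_INCLUDE}"')
    if any(line.startswith("zone ") for line in conf):
        findings.append("named.conf: zone blocks written inline; they belong in named.conf.default-zones")
    if any("/etc/bind/keys" in line for line in conf):
        findings.append('named.conf: include "/etc/bind/keys" is not needed')
    if not any(SAMBA_DLZ_INCLUDE in line for line in _active_lines(named_conf_local)):
        findings.append(f'named.conf.local: missing include "{SAMBA_DLZ_INCLUDE}" (the BIND9_DLZ hook)')
    if not any(line.startswith("tkey-gssapi-keytab") for line in _active_lines(named_conf_options)):
        findings.append(f'named.conf.options: missing tkey-gssapi-keytab "{DNS_KEYTAB}" (needed for secure dynamic updates)')
    return findings


def lint_dc_dns(resolv_conf, hosts, named_conf, named_conf_local, named_conf_options, dc_name, realm):
    """Run every check and return the combined list of findings (empty when clean)."""
    return (check_resolv_conf(resolv_conf)
            + check_hosts(hosts, dc_name, realm)
            + check_bind(named_conf, named_conf_local, named_conf_options))


# Constructed samples reproducing the files shown in the thread.
SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.254
#search domain1.domain
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
127.0.1.1 DC2.DOMAIN1.DOMAIN DC2
192.168.1.19 otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20 DC2.DOMAIN1.DOMAIN DC2
192.168.1.254 DC1.DOMAIN1.local DC1
"""
SAMPLE_NAMED_CONF = """\
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
"""
SAMPLE_NAMED_CONF_LOCAL = "// Generated by Zentyal\n"
SAMPLE_NAMED_CONF_OPTIONS = """\
options {
    directory "/var/cache/bind";
    allow-query { any; };
};
"""

if __name__ == "__main__":
    for finding in lint_dc_dns(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS, SAMPLE_NAMED_CONF,
                               SAMPLE_NAMED_CONF_LOCAL, SAMPLE_NAMED_CONF_OPTIONS,
                               "DC2", "DOMAIN1.DOMAIN"):
        print(finding)
```

Run against the constructed samples it reports ten findings, one per problem listed in the reply; feeding it the corrected files (a resolv.conf with an active search line, a hosts file holding only the DC itself, named.conf including named.conf.default-zones, named.conf.local including Samba's named.conf, and options carrying tkey-gssapi-keytab) returns an empty list.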