Startup errors when DNS/[primary-dc].[domain] on [primary-dc]$ spn exists

Michael Croes mycroes at gmail.com
Mon Mar 25 15:53:48 MDT 2013


Hi Andrew,

Thanks for your response.

> [2013/03/25 12:38:52,  0] ../source4/smbd/server.c:475(binary_smbd_main)
> >   samba: using 'standard' process model
> > [2013/03/25 12:38:52,  0]
> > ../source4/smbd/service_task.c:35(task_server_terminate)
> >   task_server_terminate: [Failed to obtain server credentials for DNS,
> > despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >   ]
> > [2013/03/25 12:38:52,  0] ../source4/smbd/server.c:210(samba_terminate)
> >   samba_terminate: Failed to obtain server credentials for DNS, despite
> > finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> This means that the DNS server found an account in the domain that it
> would expect to use, but not the matching values in secrets.ldb.
>

If I run with -d 2 I get the following output (see also the separate email
if you like):

Could not find DNS/adc.mijlweg.visser.eu principal in secrets database: NT_STATUS_CANT_ACCESS_DOMAIN_INFO: Could not find entry to match filter: '(&(|(realm=MIJLWEG.VISSER.EU)(flatname=VISSER))(servicePrincipalName=DNS/adc.mijlweg.visser.eu))' base: 'cn=Principals': No such object: (null)

task_server_terminate: [Failed to obtain server credentials for DNS,
despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
]

To me this seems as if it wants to load data from some object in
'cn=Principals'. However, source4/scripting/bin/samba_upgradedns starting
from line 424:
    # Special stuff for DLZ backend
    if opts.dns_backend == "BIND9_DLZ":
        # Check if dns-HOSTNAME account exists and create it if required
        try:
            dn = 'samAccountName=dns-%s,CN=Principals' % hostname
            msg = ldbs.secrets.search(expression='(dn=%s)' % dn,
                                      attrs=['secret'])
            dnssecret = msg[0]['secret'][0]
        except Exception:
            logger.info("Adding dns-%s account" % hostname)

            try:
                msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
                                      expression='(sAMAccountName=dns-%s)' % (hostname),
                                      attrs=['clearTextPassword'])
                dn = msg[0].dn
                ldbs.sam.delete(dn)
            except Exception:
                pass

            dnspass = samba.generate_random_password(128, 255)
            setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
                    "DNSDOMAIN": dnsdomain,
                    "DOMAINDN": domaindn,
                    "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
                    "HOSTNAME" : hostname,
                    "DNSNAME" : dnsname }
                           )

            secretsdb_setup_dns(ldbs.secrets, names,
                                paths.private_dir, realm=names.realm,
                                dnsdomain=names.dnsdomain,
                                dns_keytab_path=paths.dns_keytab,
                                dnspass=dnspass)
        else:
            logger.info("dns-%s account already exists" % hostname)

Seems to me this should only be related to Bind DLZ (at least the file says
so).

I already ran 'samba_upgradedns --dns-backend=SAMBA_INTERNAL', and I also
tried samba_upgradeprovision because the original provision dates to over 2
years ago (but has been upgradeprovisioned in between), but that doesn't
help either.

I'm also not really sure about the secrets.ldb entry missing, what entry
would it be missing, and can I just check it with an ldbsearch?

Regards,

Michael
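The two lookups behind the error in this thread (the dns-HOSTNAME account in sam.ldb, and the DNS/<fqdn> principal under cn=Principals in secrets.ldb) can be reproduced with ldbsearch. The script below is an added diagnostic, not code from the thread or from Samba; it assumes Samba's private directory is /usr/local/samba/private and that the short host name is the first label of the FQDN.

```sh
#!/bin/sh
# Reproduce the DNS task's secrets.ldb lookup and the sam.ldb account check
# with ldbsearch. Added diagnostic; not from the thread or from Samba.
# Assumption: PRIVATE_DIR is Samba's private directory (default below).
PRIVATE_DIR=${PRIVATE_DIR:-/usr/local/samba/private}

# Build the filter exactly as the -d 2 log shows it:
#   (&(|(realm=REALM)(flatname=FLATNAME))(servicePrincipalName=DNS/fqdn))
dns_spn_filter() {
    realm=$1; flatname=$2; dns_host=$3
    printf '(&(|(realm=%s)(flatname=%s))(servicePrincipalName=DNS/%s))' \
        "$realm" "$flatname" "$dns_host"
}

# Short host name used in the dns-<HOSTNAME> account name (assumed: first
# label of the FQDN, e.g. adc.mijlweg.visser.eu -> adc).
short_host() {
    printf '%s' "${1%%.*}"
}

# Check 1: the entry the server looks for under cn=Principals in secrets.ldb.
# "# returned 0 records" here, with check 2 succeeding, matches the
# "found it in the samdb but not in secrets.ldb" diagnosis in the thread.
check_secrets() {
    ldbsearch -H "$PRIVATE_DIR/secrets.ldb" -b cn=Principals \
        "$(dns_spn_filter "$1" "$2" "$3")" servicePrincipalName realm flatname
}

# Check 2: the dns-<host> account in sam.ldb carrying the DNS/<fqdn> SPN,
# which samba_upgradedns creates from provision_dns_add_samba.ldif.
check_sam() {
    ldbsearch -H "$PRIVATE_DIR/sam.ldb" \
        "(&(sAMAccountName=dns-$(short_host "$1"))(servicePrincipalName=DNS/$1))" \
        sAMAccountName servicePrincipalName
}

# Run both checks when invoked as: script.sh <dc fqdn> <REALM> <FLATNAME>
# e.g. script.sh adc.mijlweg.visser.eu MIJLWEG.VISSER.EU VISSER
if [ "$#" -eq 3 ]; then
    check_sam "$1"
    check_secrets "$2" "$3" "$1"
fi
```

Run it as root on the DC; ldbsearch ends each result set with a "# returned N records" line, so the two N values tell you which of the two databases is missing the DNS entry.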

