Startup errors when DNS/[primary-dc].[domain] on [primary-dc]$ spn exists
Michael Croes
mycroes at gmail.com
Tue Mar 26 06:57:50 MDT 2013
Hi all,
Fixed (part of) the issue. I did a clean provision on a clone, looked at
the entries in the secrets.ldb (discovered yesterday that actually I do
have some entries under cn=Principals there, was looking in sam.ldb all the
time), discovered that the new provision didn't have any DNS/... entries at
all. So I started by deleting that one, and the spn on [dc]$. After that I
still ran into the same issue where the spn DNS/[dc].[domain] is added to
[dc]$.
Then when running samba with -d 3 I saw something about spn updates being
executed and remembered there was some spn_update... file. Took me less than
a minute to find it and notice there was a DNS/[dc].[domain] line in there.
I'm not sure how I should have gotten updates on this file, but now I just
copied it from source4/setup. Same goes for the dns_update_list, that one
was outdated as well, so I copied it over.
So now everything is working fine, the only issue I can't get my head
around is that samba stops working properly when the DNS/[dc].[domain] spn
exists on [dc]$, which still seems strange to me.
Anyway, big thanks to Andrew for supporting me on IRC as well.
Regards,
Michael
2013/3/25 Michael Croes <mycroes at gmail.com>
> Hi Andrew,
>
> Thanks for your response.
>
>> > [2013/03/25 12:38:52, 0] ../source4/smbd/server.c:475(binary_smbd_main)
>> > samba: using 'standard' process model
>> > [2013/03/25 12:38:52, 0]
>> > ../source4/smbd/service_task.c:35(task_server_terminate)
>> > task_server_terminate: [Failed to obtain server credentials for DNS,
>> > despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>> > ]
>> > [2013/03/25 12:38:52, 0] ../source4/smbd/server.c:210(samba_terminate)
>> > samba_terminate: Failed to obtain server credentials for DNS, despite
>> > finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>
>> This means that the DNS server found an account in the domain that it
>> would expect to use, but not the matching values in secrets.ldb.
>>
>
> If I run with -d 2 I get the following output (see also the separate email
> if you like):
>
> Could not find DNS/adc.mijlweg.visser.eu principal in secrets database:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: Could not find entry to match filter:
> '(&(|(realm=MIJLWEG.VISSER.EU)(flatname=VISSER))(servicePrincipalName=DNS/adc.mijlweg.visser.eu))'
> base: 'cn=Principals': No such object: (null)
>
> task_server_terminate: [Failed to obtain server credentials for DNS,
> despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ]
>
> To me this seems as if it wants to load data from some object in
> 'cn=Principals'. However, source4/scripting/bin/samba_upgradedns starting
> from line 424:
>     # Special stuff for DLZ backend
>     if opts.dns_backend == "BIND9_DLZ":
>         # Check if dns-HOSTNAME account exists and create it if required
>         try:
>             dn = 'samAccountName=dns-%s,CN=Principals' % hostname
>             msg = ldbs.secrets.search(expression='(dn=%s)' % dn,
>                                       attrs=['secret'])
>             dnssecret = msg[0]['secret'][0]
>         except Exception:
>             logger.info("Adding dns-%s account" % hostname)
>
>             try:
>                 msg = ldbs.sam.search(base=domaindn,
>                                       scope=ldb.SCOPE_DEFAULT,
>                                       expression='(sAMAccountName=dns-%s)'
>                                       % (hostname),
>                                       attrs=['clearTextPassword'])
>                 dn = msg[0].dn
>                 ldbs.sam.delete(dn)
>             except Exception:
>                 pass
>
>             dnspass = samba.generate_random_password(128, 255)
>             setup_add_ldif(ldbs.sam,
>                            setup_path("provision_dns_add_samba.ldif"), {
>                     "DNSDOMAIN": dnsdomain,
>                     "DOMAINDN": domaindn,
>                     "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
>                     "HOSTNAME" : hostname,
>                     "DNSNAME" : dnsname }
>                     )
>
>             secretsdb_setup_dns(ldbs.secrets, names,
>                                 paths.private_dir, realm=names.realm,
>                                 dnsdomain=names.dnsdomain,
>                                 dns_keytab_path=paths.dns_keytab,
>                                 dnspass=dnspass)
>         else:
>             logger.info("dns-%s account already exists" % hostname)
>
> Seems to me this should only be related to Bind DLZ (at least the file
> says so).
>
> I already ran 'samba_upgradedns --dns-backend=SAMBA_INTERNAL', and I also
> tried samba_upgradeprovision because the original provision dates to over 2
> years ago (but has been upgradeprovisioned in between), but that doesn't
> help either.
>
> I'm also not really sure about the secrets.ldb entry missing, what entry
> would it be missing, and can I just check it with a ldbsearch?
> Regards,
>
> Michael
>
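The thread boils down to three things to look at on a DC that fails with NT_STATUS_CANT_ACCESS_DOMAIN_INFO for DNS: whether secrets.ldb has a principal matching the filter printed in the -d 2 output, whether the same DNS/ SPN is sitting on the machine account ([dc]$) in sam.ldb, and whether spn_update_list still carries a DNS/ line. The script below is an added example for this thread, not code from the Samba project or from the poster. It rebuilds that secrets.ldb filter, runs ldbsearch only when it is on PATH, and does its parsing on captured LDIF text so the logic can be exercised offline on the constructed samples at the bottom. The private directory, host name, realm and flatname in the `__main__` block are assumptions.

```python
"""Diagnose the DNS/<dc>.<domain> principal state described in the thread (added example)."""
import shutil
import subprocess
from typing import Dict, List, Optional, Sequence


def secrets_filter(realm: str, flatname: str, spn: str) -> str:
    """The filter from the -d 2 error message: realm or flatname, then the SPN."""
    return "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))" % (realm, flatname, spn)


def ldif_values(output: str, attr: str) -> List[str]:
    """Collect the values of one attribute from ldbsearch LDIF output.

    '#' lines are comments; 'attr:: value' (base64) lines are skipped because the
    attributes inspected here (dn, sAMAccountName) are plain text.
    """
    values = []
    for line in output.splitlines():
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.lower() == attr.lower() and not value.startswith(":"):
            values.append(value.strip())
    return values


def spn_update_hits(update_list_text: str, prefix: str = "DNS/") -> List[str]:
    """Non-comment lines of spn_update_list that start with the given prefix."""
    lines = [ln.strip() for ln in update_list_text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#") and ln.startswith(prefix)]


def run_ldbsearch(url: str, expression: str, base: Optional[str] = None,
                  attrs: Sequence[str] = ()) -> str:
    """Run 'ldbsearch -H URL [-b BASE] EXPR ATTRS...'; empty string if the tool is absent."""
    exe = shutil.which("ldbsearch")
    if exe is None:
        return ""
    cmd = [exe, "-H", url]
    if base:
        cmd += ["-b", base]
    cmd.append(expression)
    cmd += list(attrs)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def diagnose(secrets_out: str, sam_out: str, update_list_text: str, spn: str) -> Dict[str, object]:
    """Combine the three observations into one of the states the thread describes."""
    secrets_dns = ldif_values(secrets_out, "dn")
    holders = ldif_values(sam_out, "sAMAccountName")
    machine_holders = [h for h in holders if h.endswith("$")]  # [dc]$ style accounts
    if not secrets_dns and machine_holders:
        verdict = ("%s is on machine account(s) %s in sam.ldb but has no entry under "
                   "cn=Principals in secrets.ldb: the start-up failure from the thread"
                   % (spn, ", ".join(machine_holders)))
    elif not secrets_dns:
        verdict = "%s has no entry under cn=Principals in secrets.ldb" % spn
    elif machine_holders:
        verdict = "%s is in secrets.ldb but also on machine account(s) %s" % (
            spn, ", ".join(machine_holders))
    else:
        verdict = "ok"
    return {
        "secrets_has_principal": bool(secrets_dns),
        "machine_accounts_with_spn": machine_holders,
        "spn_update_list_dns_lines": spn_update_hits(update_list_text),
        "verdict": verdict,
    }


# Constructed sample outputs (not captured from a real server).
SAMPLE_SECRETS_EMPTY = "# returned 0 records\n"
SAMPLE_SECRETS_OK = ("# record 1\ndn: samAccountName=dns-dc1,CN=Principals\n"
                     "servicePrincipalName: DNS/dc1.example.test\n\n# returned 1 records\n")
SAMPLE_SAM_ON_DC = ("# record 1\ndn: CN=DC1,OU=Domain Controllers,DC=example,DC=test\n"
                    "sAMAccountName: DC1$\n\n# returned 1 records\n")
SAMPLE_SAM_ON_DNS_ACCOUNT = ("# record 1\ndn: CN=dns-dc1,CN=Users,DC=example,DC=test\n"
                             "sAMAccountName: dns-dc1\n\n# returned 1 records\n")
SAMPLE_OLD_UPDATE_LIST = "# SPNs (constructed)\nHOST/${HOSTNAME}\nDNS/${HOSTNAME}.${DNSDOMAIN}\n"

if __name__ == "__main__":
    private_dir = "/usr/local/samba/private"  # assumption: adjust to your install
    realm, flatname, spn = "EXAMPLE.TEST", "EXAMPLE", "DNS/dc1.example.test"  # assumptions
    secrets = run_ldbsearch(private_dir + "/secrets.ldb",
                            secrets_filter(realm, flatname, spn), base="cn=Principals")
    sam = run_ldbsearch(private_dir + "/sam.ldb",
                        "(servicePrincipalName=%s)" % spn, attrs=["sAMAccountName"])
    try:
        with open(private_dir + "/spn_update_list") as fh:
            update_list = fh.read()
    except OSError:
        update_list = ""
    print(diagnose(secrets, sam, update_list, spn))
```

The live checks need read access to the private directory (normally root). The secrets.ldb search uses `-b cn=Principals`, the base the error message names, so an empty result there means the same thing the DNS server reported.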