Startup errors when DNS/[primary-dc].[domain] on [primary-dc]$ spn exists

Michael Croes mycroes at gmail.com
Tue Mar 26 06:57:50 MDT 2013


Hi all,

Fixed (part of) the issue. I did a clean provision on a clone, looked at
the entries in the secrets.ldb (discovered yesterday that actually I do
have some entries under cn=Principals there, was looking in sam.ldb all the
time), discovered that the new provision didn't have any DNS/... entries at
all. So I started by deleting that one, and the spn on [dc]$. After that I
still ran into the same issue where the spn DNS/[dc].[domain] is added to
[dc]$.

Then when running samba with -d 3 I saw something about spn updates being
executed and remembered there was some spn_update... file. Took me less than
a minute to find it and notice there was a DNS/[dc].[domain] line in there.
I'm not sure how I should have gotten updates on this file, but now I just
copied it from source4/setup. Same goes for the dns_update_list, that one
was outdated as well, so I copied it over.

So now everything is working fine; the only issue I can't get my head
around is that samba stops working properly when the DNS/[dc].[domain] spn
exists on [dc]$, which still seems strange to me.

Anyway, big thanks to Andrew for supporting me on IRC as well.
Regards,

Michael


2013/3/25 Michael Croes <mycroes at gmail.com>

> Hi Andrew,
>
> Thanks for your response.
>
>> > [2013/03/25 12:38:52,  0] ../source4/smbd/server.c:475(binary_smbd_main)
>> >   samba: using 'standard' process model
>> > [2013/03/25 12:38:52,  0]
>> > ../source4/smbd/service_task.c:35(task_server_terminate)
>> >   task_server_terminate: [Failed to obtain server credentials for DNS,
>> > despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>> >   ]
>> > [2013/03/25 12:38:52,  0] ../source4/smbd/server.c:210(samba_terminate)
>> >   samba_terminate: Failed to obtain server credentials for DNS, despite
>> > finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>
>> This means that the DNS server found an account in the domain that it
>> would expect to use, but not the matching values in secrets.ldb.
>>
>
> If I run with -d 2 I get the following output (see also the separate email
> if you like):
>
> Could not find DNS/adc.mijlweg.visser.eu principal in secrets database:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: Could not find entry to match filter:
> '(&(|(realm=MIJLWEG.VISSER.EU)(flatname=VISSER))(servicePrincipalName=DNS/adc.mijlweg.visser.eu))'
> base: 'cn=Principals': No such object: (null)
>
> task_server_terminate: [Failed to obtain server credentials for DNS,
> despite finding it in the samdb! NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ]
>
> To me this seems as if it wants to load data from some object in
> 'cn=Principals'. However, source4/scripting/bin/samba_upgradedns starting
> from line 424:
>     # Special stuff for DLZ backend
>     if opts.dns_backend == "BIND9_DLZ":
>         # Check if dns-HOSTNAME account exists and create it if required
>         try:
>             dn = 'samAccountName=dns-%s,CN=Principals' % hostname
>             msg = ldbs.secrets.search(expression='(dn=%s)' % dn,
>                                       attrs=['secret'])
>             dnssecret = msg[0]['secret'][0]
>         except Exception:
>             logger.info("Adding dns-%s account" % hostname)
>
>             try:
>                 msg = ldbs.sam.search(base=domaindn,
>                                       scope=ldb.SCOPE_DEFAULT,
>                                       expression='(sAMAccountName=dns-%s)' % (hostname),
>                                       attrs=['clearTextPassword'])
>                 dn = msg[0].dn
>                 ldbs.sam.delete(dn)
>             except Exception:
>                 pass
>
>             dnspass = samba.generate_random_password(128, 255)
>             setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
>                     "DNSDOMAIN": dnsdomain,
>                     "DOMAINDN": domaindn,
>                     "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
>                     "HOSTNAME" : hostname,
>                     "DNSNAME" : dnsname }
>                            )
>
>             secretsdb_setup_dns(ldbs.secrets, names,
>                                 paths.private_dir, realm=names.realm,
>                                 dnsdomain=names.dnsdomain,
>                                 dns_keytab_path=paths.dns_keytab,
>                                 dnspass=dnspass)
>         else:
>             logger.info("dns-%s account already exists" % hostname)
>
> Seems to me this should only be related to Bind DLZ (at least the file
> says so).
>
> I already ran 'samba_upgradedns --dns-backend=SAMBA_INTERNAL', and I also
> tried samba_upgradeprovision because the original provision dates to over 2
> years ago (but has been upgradeprovisioned in between), but that doesn't
> help either.
>
> I'm also not really sure about the missing secrets.ldb entry: what entry
> would it be missing, and can I just check it with an ldbsearch?
> Regards,
>
> Michael
>
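As an added illustration (not code from this thread or from Samba), the Python below mirrors the lookup behind the error quoted above: the DNS server's filter `(&(|(realm=...)(flatname=...))(servicePrincipalName=DNS/<host>))` evaluated under base `cn=Principals` in secrets.ldb, plus the condition Michael reports as the trigger, the same DNS/<host> SPN sitting on the DC machine account in sam.ldb. It runs offline over constructed LDIF text of the kind `ldbsearch -H private/secrets.ldb -b cn=Principals` prints. The realm, host names and the `private/secrets.ldb` path are placeholders, the small LDIF parser is the example's own (it skips `::` base64 values), and case-insensitive attribute comparison is an assumption.

```python
"""Added example, not code from this thread or from Samba: an offline check that
mirrors the secrets.ldb lookup behind NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

Filter from the log:  (&(|(realm=R)(flatname=F))(servicePrincipalName=DNS/host))
under base cn=Principals. Also lists machine accounts (sAMAccountName ending
'$') in sam.ldb that carry DNS/host, the state the thread reports as the trigger.
All sample data is constructed; names are placeholders.
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per record, attribute names lower-cased,
    each mapped to a list of values. Handles folded lines (leading space) and
    comments; '::' base64 values are not decoded (not needed here)."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.strip() == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return records


def _has(record, attr, wanted):
    # Assumed: these attributes compare case-insensitively, as LDAP usually does.
    return any(v.lower() == wanted.lower() for v in record.get(attr.lower(), []))


def find_dns_principal(secrets_records, realm, flatname, host_fqdn):
    """Apply the DNS server's filter within base cn=Principals. None is the
    case behind 'Could not find DNS/<host> principal in secrets database'."""
    spn = "DNS/" + host_fqdn
    for rec in secrets_records:
        dn = rec.get("dn", [""])[0]
        if not dn.lower().endswith("cn=principals"):
            continue  # outside the search base
        if (_has(rec, "realm", realm) or _has(rec, "flatname", flatname)) \
                and _has(rec, "servicePrincipalName", spn):
            return rec
    return None


def machine_accounts_with_dns_spn(sam_records, host_fqdn):
    """sAMAccountNames ending in '$' whose sam.ldb entry carries DNS/<host_fqdn>."""
    spn = "DNS/" + host_fqdn
    return sorted(name for rec in sam_records
                  for name in rec.get("samaccountname", [])
                  if name.endswith("$") and _has(rec, "servicePrincipalName", spn))


def diagnose(secrets_ldif, sam_ldif, realm, flatname, host_fqdn):
    secrets, sam = parse_ldif(secrets_ldif), parse_ldif(sam_ldif)
    return {
        "secrets_entry_found": find_dns_principal(secrets, realm, flatname, host_fqdn) is not None,
        "machine_accounts_with_dns_spn": machine_accounts_with_dns_spn(sam, host_fqdn),
    }


# Constructed sample records (placeholders, not from the thread).
SECRETS_OK = """\
dn: samAccountName=dns-dc1,CN=Principals
samAccountName: dns-dc1
realm: EXAMPLE.COM
flatname: EXAMPLE
servicePrincipalName: DNS/dc1.example.com
secret: placeholder-not-a-real-secret
"""

SECRETS_STALE = """\
dn: samAccountName=dns-otherdc,CN=Principals
samAccountName: dns-otherdc
realm: EXAMPLE.COM
flatname: EXAMPLE
servicePrincipalName: DNS/otherdc.example.com
secret: placeholder-not-a-real-secret
"""

SAM_WITH_CONFLICT = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
servicePrincipalName: HOST/dc1.example.com
servicePrincipalName: DNS/dc1.example.com

dn: CN=dns-dc1,CN=Users,DC=example,DC=com
sAMAccountName: dns-dc1
servicePrincipalName: DNS/dc1.example.com
"""

if __name__ == "__main__":
    for secrets in (SECRETS_OK, SECRETS_STALE):
        print(diagnose(secrets, SAM_WITH_CONFLICT, "EXAMPLE.COM", "EXAMPLE", "dc1.example.com"))
```

To use it against a real DC, replace the constructed strings with the ldbsearch output for cn=Principals in secrets.ldb and for the DC machine account in sam.ldb. A False `secrets_entry_found` is the situation behind the NT_STATUS_CANT_ACCESS_DOMAIN_INFO error; a non-empty machine-account list is the DNS/[dc].[domain]-on-[dc]$ state Michael had to remove.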

