[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)

Peter Beck peter at datentraeger.li
Sun Jun 14 05:18:01 MDT 2015


Hi guys,

when trying to do anything dns related on a samba4 dc (additional dc
which should replace a 2003 server) I always got a
"WERR_DNS_ERROR_DS_UNAVAILABLE" error. The zones seem to be replicated
to the samba server as I can dig whatever record I want and it gets
resolved, I am just unable to manage anything on the samba server. It's
also not possible to add the samba server to the windows dns mmc.

I've already tried to switch (and reprovision) from internal dns to
bind-dlz (Bind 9.9.5), but it's the same error.

The system is Debian Jessie 8.0.1 with Samba 4.1.17, no firewall active
on both (windows and debian) systems.

[root@unxads001 ~]# samba-tool dns serverinfo unxads001 -Uadministrator%password
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001[,sign]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 711, in run
    None, 'ServerInfo')

Replication seems to work just fine (on both sides, the windows dc and
the samba dc). I have added the dns partition replicas manually with
ntdsutil according to the wiki-pages [1]

[root@unxads001 ~]# samba-tool drs showrepl

Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001.domain.local[,seal]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0

Default-First-Site\UNXADS001
DSA Options: 0x00000001
DSA object GUID: 9f8694eb-ad7a-4304-9d25-96a3ad88cd8a
DSA invocationId: 756659bd-aca4-4cbb-97b0-d8b0e929632b

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:19:56 2015 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

CN=Configuration,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
        Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
        0 consecutive failure(s).
        Last success @ Sun Jun 14 12:14:46 2015 CEST

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 7069717d-4dea-46e9-8be8-243c8e5b9474
    Enabled        : TRUE
    Server DNS name : winads001.domain.local
    Server DN name  : CN=NTDS Settings,CN=WINADS001,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!


And the function level is set to 2003

Domain and forest function level for domain 'DC=domain,DC=local'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003


In my resolv.conf there is the correct domain and both servers listed -
does not matter which one I choose as the first - the result is the same.

domain domain.local
search domain.local
nameserver 192.168.0.5 (the windows dc)
nameserver 192.168.0.22 (the samba dc)


samba_dnsupdate --verbose is telling me that there are no DNS updates
needed.

My smb.conf includes the line "nsupdate command = nsupdate".

Any clues to get the dns management working on the samba side? Couldn't
find anything on my own researching this issue... only others having
similar issues...

I once had similar issues two years ago [2]

Thanks
Peter

[1] https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting#DNS_Replication_from_Windows_AD_DC_fails

[2] https://lists.samba.org/archive/samba/2013-February/171749.html
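
Added example, not part of the original post and not Samba's own code: a small Python check that automates the by-eye reading of `samba-tool drs showrepl` output for the two DNS application partitions (DomainDnsZones and ForestDnsZones). The sample input is constructed and shortened, and the function names `parse_showrepl` and `dns_partition_problems` are hypothetical.

```python
import re

# Constructed sample, shaped like `samba-tool drs showrepl` output (shortened).
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\\WINADS001 via RPC
        0 consecutive failure(s).
DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\\WINADS001 via RPC
        3 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\\WINADS001 via RPC
        0 consecutive failure(s).
"""

SECTION = re.compile(r"^==== (.+?) ====$")
FAILS = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.")

def parse_showrepl(text):
    """Return {section: {naming_context: {partner: consecutive_failures}}}."""
    result, section, nc, partner = {}, None, None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section, nc = m.group(1), None
            result[section] = {}
        elif section and line and not line[0].isspace() and "=" in line:
            nc = line.strip()  # unindented DN line starts a naming context
            result[section][nc] = {}
        elif nc and line.endswith(" via RPC"):
            partner = line.strip()[: -len(" via RPC")]
        elif nc and (m := FAILS.match(line)):
            result[section][nc][partner] = int(m.group(1))
    return result

def dns_partition_problems(repl, base_dn):
    """Flag missing or failing replication of the two AD DNS partitions."""
    problems = []
    for prefix in ("DC=DomainDnsZones", "DC=ForestDnsZones"):
        nc = f"{prefix},{base_dn}"
        for section in ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS"):
            partners = repl.get(section, {}).get(nc)
            if not partners:
                problems.append((nc, section, "no replication partner"))
            for partner, fails in (partners or {}).items():
                if fails:
                    problems.append((nc, section, f"{fails} failure(s) from {partner}"))
    return problems
```

Run against the showrepl output quoted in the post, where both DNS partitions show 0 consecutive failures in both directions, this check reports nothing.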




