[Samba] Can't access DNS from RSAT

Taylor Hammerling thammerling at tcsbasys.com
Tue Dec 12 17:30:05 UTC 2017


Daniel, I could kiss you :D  I am using the default SSL certs in samba.

I tried connecting to the new DC using its FQDN instead of its IP, and
BAM, it connected just fine.  Couldn't really tell you why, but as long as
I can access it I'm happy!

On Tue, Dec 12, 2017 at 11:20 AM, Daniel Carrasco <d.carrasco at i2tic.com>
wrote:

> Are you using the default SSL certs in Samba?
>
> I had a similar issue, and after creating my own certificate with all common
> names used on my domain (for example domain.com, dc1.domain.com and
> dc2.domain.com), I'm able to manage the DNS using RSAT using those names.
> With the IP address it is still failing.
>
> Greetings!!
>
> On 12 Dec 2017 at 6:13 p.m., "Taylor Hammerling via samba" <
> samba at lists.samba.org> wrote:
>
>> The user is a member of "Domain Admins" so they should be able to access
>> the DNS (as is evident by the fact that they can access the DNS thru RSAT
>> on the initial DC).
>> But just to be thorough I have added "Domain Admins" to the group
>> "DnsAdmins" and tested again, still get the "access denied" error from
>> within windows.
>>
>> On Tue, Dec 12, 2017 at 11:01 AM, lingpanda101 via samba <
>> samba at lists.samba.org> wrote:
>>
>> > On 12/12/2017 11:24 AM, Taylor Hammerling via samba wrote:
>> >
>> >> I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which
>> >> seemed to have someone experiencing the same issue I am.
>> >> I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my
>> >> smb.conf, rebooted the server, but still I get an access denied message
>> >> in Windows.
>> >> However, what is logged in the log.samba files has changed since adding
>> >> this option to my smb.conf.  It now shows
>> >>
>> >> [2017/12/12 10:21:02.936834,  2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
>> >>    dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
>> >>
>> >> when I try to open the DNS Management RSAT
>> >>
>> >> On Tue, Dec 12, 2017 at 10:04 AM, Taylor Hammerling <
>> >> thammerling at tcsbasys.com> wrote:
>> >>
>> >>> I cranked up the log level to 3 and found this in the log.samba file when
>> >>> trying to open the DNS Manager RSAT from my client machine (which is joined
>> >>> to the same domain as the DCs)
>> >>>
>> >>> [2017/12/12 09:59:30.601170,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>> >>>    dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
>> >>>
>> >>> On Tue, Dec 12, 2017 at 9:47 AM, Taylor Hammerling <
>> >>> thammerling at tcsbasys.com> wrote:
>> >>>
>> >>>> Good morning all!
>> >>>>
>> >>>> I have two DCs, both running Samba 4.7.3.  I have just joined the second
>> >>>> DC to the domain.  The second DC is replicating AD objects perfectly, I
>> >>>> verified this by running "samba-tool drs showrepl" as well as using the
>> >>>> ADUC RSAT snapin and adding a user to one DC, then switching the DC that
>> >>>> ADUC connects to and verifying that the user was properly replicated.
>> >>>>
>> >>>> The DNS objects are also replicating properly.  I checked this by running
>> >>>> "samba-dnsupdate" as well as by running nslookup, switching the server to
>> >>>> the new DC and doing a couple of lookups.
>> >>>>
>> >>>> Unfortunately, I can't access the DNS on the new DC thru the DNS Manager
>> >>>> RSAT snapin.  I get an "access denied" error.  There are no entries in any
>> >>>> of the samba logs when I attempt to open the DNS Manager snapin either.
>> >>>>
>> >>>> I CAN access the DNS on the original DC using the DNS Manager RSAT
>> >>>> snapin.
>> >>>>
>> >>>> I'm hoping (and suspecting) this will just be an easy fix of
>> >>>> chmodding/chowning something...
>> >>>> I've spent the last hour googling and have come up with nada.
>> >>>>
>> >>>> Any help you can provide would be VERY appreciated!
>> >>>>
>> >>>> --
>> >>>> *Taylor Hammerling* |  *IT Manager*
>> >>>> 2800 Laura Lane | Middleton, WI 53562
>> >>>> *O *(608) 669-9070 *| C *(608) 512-7849
>> >>>> tcsbasys.com | ubiquistat.com
>> >>>>
>> >>>>
>> >>>
>> >>
>> >> Is your user part of the DNS admins group?
>> >
>> > --
>> > James
>> >
>> >
>>
>>
>>
>


-- 
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
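
Decoding the two `dcesrv_request` entries quoted in this thread, as an added example (not part of any poster's message and not Samba code): the names come from the standard DCE/RPC auth type and auth level constants, so `type=0xa,level=0x2` reads as NTLMSSP at CONNECT level and `min_auth_level[0x4]` as PACKET. The function and field names are illustrative, and the sample log is the thread's two entries with the mail wrapping undone.

```python
import re

# DCE/RPC authentication types and levels (standard constant values).
AUTH_TYPES = {0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "KRB5", 0x44: "SCHANNEL"}
AUTH_LEVELS = {0x1: "NONE", 0x2: "CONNECT", 0x3: "CALL",
               0x4: "PACKET", 0x5: "INTEGRITY", 0x6: "PRIVACY"}

# Matches both message variants quoted in the thread.
PATTERN = re.compile(
    r"dcesrv_request: restrict "
    r"(?:auth_level_connect access|access by min_auth_level\[(?P<min>0x[0-9a-fA-F]+)\]) "
    r"to \[(?P<iface>[^\]]+)\] with auth\[type=(?P<type>0x[0-9a-fA-F]+),"
    r"level=(?P<level>0x[0-9a-fA-F]+)\] on \[(?P<transport>[^\]]+)\] "
    r"from \[(?P<client>[^\]]+)\]"
)

# The two log entries from the thread, re-joined onto their original lines.
SAMPLE_LOG = """\
[2017/12/12 09:59:30.601170,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
[2017/12/12 10:21:02.936834,  2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
"""


def name(table, hex_value):
    """Translate a hex field to its constant name, keeping unknown values visible."""
    value = int(hex_value, 16)
    return table.get(value, f"UNKNOWN({hex_value})")


def find_rejections(log_text):
    """Return one dict per RPC request that Samba logged as restricted."""
    events = []
    for m in PATTERN.finditer(log_text):
        events.append({
            "client": m["client"].rsplit(":", 1)[0],   # drop the source port
            "interface": m["iface"],
            "transport": m["transport"],
            "auth_type": name(AUTH_TYPES, m["type"]),
            "level": name(AUTH_LEVELS, m["level"]),
            # Only the min_auth_level variant states the level the server wanted.
            "required": name(AUTH_LEVELS, m["min"]) if m["min"] else None,
        })
    return events


if __name__ == "__main__":
    for event in find_rejections(SAMPLE_LOG):
        print(event)
```
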

