[Samba] Can't access DNS from RSAT

Daniel Carrasco d.carrasco at i2tic.com
Tue Dec 12 17:34:35 UTC 2017


I'm glad to help you ;)

I think that is for security reasons. The Samba installer creates a
certificate for the domain and FQDN, and if you try to connect using the IP
address then the certificate is detected as not valid and rejected, so you
get an access denied error.

Greetings.

On 12 Dec 2017 at 6:30 p.m., "Taylor Hammerling" <thammerling at tcsbasys.com>
wrote:

> Daniel, I could kiss you :D  I am using the default SSL certs in samba.
>
> I tried connecting to the new DC using its FQDN instead of its IP, and
> BAM, it connected just fine.  Couldn't really tell you why, but as long as
> I can access it I'm happy!
>
> On Tue, Dec 12, 2017 at 11:20 AM, Daniel Carrasco <d.carrasco at i2tic.com>
> wrote:
>
>> Are you using the default SSL certs in Samba?
>>
>> I had a similar issue, and after creating my own certificate with all the
>> common names used on my domain (for example domain.com, dc1.domain.com
>> and dc2.domain.com), I'm able to manage the DNS using RSAT with those
>> names. With the IP address it is still failing.
>>
>> Greetings!!
>>
>> On 12 Dec 2017 at 6:13 p.m., "Taylor Hammerling via samba" <
>> samba at lists.samba.org> wrote:
>>
>>> The user is a member of "Domain Admins" so they should be able to access
>>> the DNS (as is evident by the fact that they can access the DNS thru RSAT
>>> on the initial DC).
>>> But just to be thorough I have added "Domain Admins" to the group
>>> "DnsAdmins" and tested again, still get the "access denied" error from
>>> within windows.
>>>
>>> On Tue, Dec 12, 2017 at 11:01 AM, lingpanda101 via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>> > On 12/12/2017 11:24 AM, Taylor Hammerling via samba wrote:
>>> >
>>> >> I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which
>>> >> seemed to have someone experiencing the same issue I am.
>>> >> I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my
>>> >> smb.conf, rebooted the server, but still I get an access denied message
>>> >> in windows.
>>> >> However, what is logged in the log.samba files has changed since adding
>>> >> this option to my smb.conf.  It now shows
>>> >>
>>> >> [2017/12/12 10:21:02.936834,  2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
>>> >>    dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
>>> >>
>>> >> when I try to open the DNS Management RSAT
>>> >>
>>> >> On Tue, Dec 12, 2017 at 10:04 AM, Taylor Hammerling <
>>> >> thammerling at tcsbasys.com> wrote:
>>> >>
>>> >>> I cranked up the log level to 3 and found this in the log.samba file when
>>> >>> trying to open the DNS Manager RSAT from my client machine (which is joined
>>> >>> to the same domain as the DCs)
>>> >>>
>>> >>> [2017/12/12 09:59:30.601170,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>>> >>>    dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
>>> >>>
>>> >>> On Tue, Dec 12, 2017 at 9:47 AM, Taylor Hammerling <
>>> >>> thammerling at tcsbasys.com> wrote:
>>> >>>
>>> >>>> Good morning all!
>>> >>>>
>>> >>>> I have two DCs, both running Samba 4.7.3.  I have just joined the second
>>> >>>> DC to the domain.  The second DC is replicating AD objects perfectly, I
>>> >>>> verified this by running "samba-tool drs showrepl" as well as using the
>>> >>>> ADUC RSAT snapin and adding a user to one DC, then switching the DC that
>>> >>>> ADUC connects to and verifying that the user was properly replicated.
>>> >>>>
>>> >>>> The DNS objects are also replicating properly.  I checked this by running
>>> >>>> "samba-dnsupdate" as well as by running nslookup, switching the server to
>>> >>>> the new DC and doing a couple of lookups.
>>> >>>>
>>> >>>> Unfortunately, I can't access the DNS on the new DC thru the DNS Manager
>>> >>>> RSAT snapin.  I get an "access denied" error.  There are no entries in any
>>> >>>> of the samba logs when I attempt to open the DNS Manager snapin either.
>>> >>>>
>>> >>>> I CAN access the DNS on the original DC using the DNS Manager RSAT snapin.
>>> >>>>
>>> >>>> I'm hoping (and suspecting) this will just be an easy fix of
>>> >>>> chmodding/chowning something...
>>> >>>> I've spent the last hour googling and have come up with nada.
>>> >>>>
>>> >>>> Any help you can provide would be VERY appreciated!
>>> >>>>
>>> >>>> --
>>> >>>> *Taylor Hammerling* |  *IT Manager*
>>> >>>> 2800 Laura Lane | Middleton, WI 53562
>>> >>>> *O *(608) 669-9070 *| C *(608) 512-7849
>>> >>>> tcsbasys.com | ubiquistat.com
>>> >>>>
>>> >>>>
>>> >>>
>>> >>
>>> >> Is your user part of the DNS admins group?
>>> >
>>> > --
>>> > James
>>> >
>>> >
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions:  https://lists.samba.org/mailman/options/samba
>>> >
>>>
>>>
>>>
>>>
>>
>
>
>
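As an added example (not code from this thread or from Samba), the following Python parser decodes the dcesrv_request restriction lines quoted above: it maps the hex auth type and level to their MS-RPCE names (0x2 = connect, 0xa = NTLMSSP) and tallies rejections per client IP, which is how an admin would locate the RSAT host whose DNS-management binds the DC is refusing. The sample lines are the two from the thread with mail wrapping removed, plus one constructed line the parser should ignore.

```python
import re
from typing import Dict, List, Optional

# DCE/RPC auth levels and auth types as numbered in MS-RPCE / Samba; the log
# prints them in hex (level=0x2 is "connect", type=0xa is NTLMSSP).
AUTH_LEVELS = {1: "none", 2: "connect", 3: "call", 4: "pkt",
               5: "pkt_integrity", 6: "pkt_privacy"}
AUTH_TYPES = {9: "spnego", 10: "ntlmssp", 16: "krb5"}

# Matches both dcesrv_request variants in the thread: "restrict auth_level_connect
# access" (before the smb.conf option) and "restrict access by min_auth_level[..]".
LINE_RE = re.compile(
    r"dcesrv_request: restrict (?:access by min_auth_level\[(?P<min>0x[0-9a-f]+)\]"
    r"|auth_level_connect access) to \[(?P<iface>\w+)\]"
    r" with auth\[type=(?P<type>0x[0-9a-f]+),level=(?P<level>0x[0-9a-f]+)\]"
    r" on \[(?P<transport>\w+)\] from \[ipv4:(?P<ip>[\d.]+):(?P<port>\d+)\]")

# The two restriction lines quoted in the thread (mail wrapping removed) plus
# one constructed unrelated line, so the parser has something to skip.
SAMPLE_LOG = [
    "  dcesrv_request: restrict auth_level_connect access to [dnsserver] with"
    " auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]",
    "  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver]"
    " with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]",
    "  dcesrv_bind: dnsserver bind from ipv4:172.28.9.100:49994 (constructed)",
]


def parse_dcesrv_line(line: str) -> Optional[Dict[str, object]]:
    """Decode one dcesrv_request restriction line; None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    level = lambda s: AUTH_LEVELS.get(int(s, 16), s)
    return {
        "interface": m.group("iface"),
        "auth_type": AUTH_TYPES.get(int(m.group("type"), 16), m.group("type")),
        "auth_level": level(m.group("level")),
        # None: the server disables connect-level auth for this interface outright
        "min_level": level(m.group("min")) if m.group("min") else None,
        "client": (m.group("ip"), int(m.group("port"))),
    }


def summarize(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Count rejections per client IP so the admin can locate the RSAT host."""
    out: Dict[str, Dict[str, object]] = {}
    for call in filter(None, map(parse_dcesrv_line, lines)):
        entry = out.setdefault(call["client"][0], {"rejections": 0, "offers": set()})
        entry["rejections"] += 1
        entry["offers"].add(f'{call["interface"]}:{call["auth_type"]}@{call["auth_level"]}')
    return out
```

Running `summarize(SAMPLE_LOG)` shows a single client, 172.28.9.100, twice refused on the dnsserver interface while offering NTLMSSP at connect level, which is the client-side picture behind the "access denied" in the thread.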

