[Samba] Setup a Samba AD DC as an additional DC

Barry D. Adkins Barry at daram.com
Sat Dec 1 21:51:33 UTC 2018


Here are the outputs of the diagnostics you asked for previously:

:~$ nslookup sambaDC
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   sambaDC.domain.com
Address: 131.192.176.40

:~$ nslookup sambaDC.domain.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   sambaDC.domain.com
Address: 131.192.176.40

:~$ host 131.192.176.20
20.176.192.131.in-addr.arpa domain name pointer Win2012DC.domain.com.

:~$ host 131.192.176.40
40.176.192.131.in-addr.arpa domain name pointer sambaDC.
40.176.192.131.in-addr.arpa domain name pointer sambaDC.local.

>>> Barry Comment: the name server for the Windows domain is set in Ubuntu Netplan.  I don't know why it did not find "pointer sambaDC.domain.com."
>>> I did not create a hosts file or make any entries, as that was not in your how-to; I tried to follow it exactly as you described.  I'm working on getting this corrected.

:~$ dig a $(sambaDC -s)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64202
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       73734   IN      NS      l.root-servers.net.
.                       73734   IN      NS      d.root-servers.net.
.                       73734   IN      NS      h.root-servers.net.
.                       73734   IN      NS      j.root-servers.net.
.                       73734   IN      NS      f.root-servers.net.
.                       73734   IN      NS      i.root-servers.net.
.                       73734   IN      NS      k.root-servers.net.
.                       73734   IN      NS      e.root-servers.net.
.                       73734   IN      NS      a.root-servers.net.
.                       73734   IN      NS      b.root-servers.net.
.                       73734   IN      NS      g.root-servers.net.
.                       73734   IN      NS      m.root-servers.net.
.                       73734   IN      NS      c.root-servers.net.

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:17:54 CST 2018
;; MSG SIZE  rcvd: 239

:~$ dig a $(sambaDC -f)
sambaDC: command not found

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37248
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       7168    IN      NS      c.root-servers.net.
.                       7168    IN      NS      m.root-servers.net.
.                       7168    IN      NS      g.root-servers.net.
.                       7168    IN      NS      b.root-servers.net.
.                       7168    IN      NS      a.root-servers.net.
.                       7168    IN      NS      e.root-servers.net.
.                       7168    IN      NS      k.root-servers.net.
.                       7168    IN      NS      i.root-servers.net.
.                       7168    IN      NS      f.root-servers.net.
.                       7168    IN      NS      j.root-servers.net.
.                       7168    IN      NS      h.root-servers.net.
.                       7168    IN      NS      d.root-servers.net.
.                       7168    IN      NS      l.root-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:18:26 CST 2018
;; MSG SIZE  rcvd: 239

:~$ dig -x 131.192.176.40

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44804
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
40.176.192.131.in-addr.arpa. 0  IN      PTR     sambaDC.
40.176.192.131.in-addr.arpa. 0  IN      PTR     sambaDC.local.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:02 CST 2018
;; MSG SIZE  rcvd: 106

:~$ dig -x 131.192.176.20

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
20.176.192.131.in-addr.arpa. 983 IN     PTR     Win2012DC.domain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Dec 01 15:20:29 CST 2018
;; MSG SIZE  rcvd: 89

****************
SAMBA-DEBUG-INFO
****************

Collected config  --- 2018-12-01-13:30 -----------

Hostname: houdcu01
DNS Domain: daram.com
FQDN: sambaDC.domain.com
ipaddress: 131.192.176.40

-----------
Samba is not being run as a DC or a Unix domain member.
Checking file: /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens2f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1e:67:79:11:b8 brd ff:ff:ff:ff:ff:ff
    inet 131.192.176.40/24 brd 131.192.176.255 scope global ens2f0
    inet6 fe80::21e:67ff:fe79:11b8/64 scope link 
3: ens2f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1e:67:79:11:b9 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts 
127.0.0.1	localhost.localdomain	localhost
::1		localhost6.localdomain6	localhost6

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------
Checking file: /etc/resolv.conf 
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
search domain.com

-----------
Checking file: /etc/krb5.conf 
[libdefaults]
	default_realm = DOMAIN.COM

; Note, this is added because other software may need it.
; Some recommend removing des-cbc-crc and des-cbc-md5 (weak DES ciphers), but for compatibility they are left in.
; For Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


-----------
Checking file: /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Warning,  does not exist

-----------
No username map detected.

-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                                   2.2.52-3build1                    amd64        Access control list utilities
ii  krb5-config                           2.6                               all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.16-2build1                      all          internationalization support for MIT Kerberos
ii  krb5-user                             1.16-2build1                      amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.52-3build1                    amd64        Access control list shared library
ii  libacl1-dev                           2.2.52-3build1                    amd64        Access control list static libraries and headers
ii  libgssapi-krb5-2:amd64                1.16-2build1                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1                      amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.16-2build1                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.16-2build1                      amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804          amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64                  2:4.9.3+nmu-1~ubuntu1804          amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                    2:4.9.3+nmu-1~ubuntu1804          amd64        Samba winbind client library
ii  python-samba                          2:4.9.3+nmu-1~ubuntu1804          amd64        Python bindings for Samba
ii  samba                                 2:4.9.3+nmu-1~ubuntu1804          amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.9.3+nmu-1~ubuntu1804          all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.9.3+nmu-1~ubuntu1804          amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.9.3+nmu-1~ubuntu1804          amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.9.3+nmu-1~ubuntu1804          amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.9.3+nmu-1~ubuntu1804          amd64        Samba Virtual FileSystem plugins
ii  winbind                               2:4.9.3+nmu-1~ubuntu1804          amd64        service to resolve user and group information from Windows NT servers
-----------

****************
SAMBA-INFO
****************

:~$ sudo ./samba-info.sh
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
added interface ens2f0 ip=131.192.176.40 bcast=131.192.176.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name houdc01.daram.com<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
finddcs: response 0 at '131.192.176.6'
finddcs: response 1 at '2002:83c0:b007::83c0:b007'
finddcs: response 2 at '2002:83c0:b006::83c0:b006'
finddcs: response 3 at '2002:83c0:b015::83c0:b015'
finddcs: response 4 at '2002:83c0:b008::83c0:b008'
finddcs: performing CLDAP query on 131.192.176.6
finddcs: Found matching DC 131.192.176.6 with server_type=0x000011fc


>>>> Very frustrating

-Barry Adkins


