[Samba] NT_STATUS_CONNECTION_REFUSED Joining Domain - Desperately need help
Brent Davidson
brent at texascountrytitle.com
Thu Mar 8 21:58:43 UTC 2018
I am desperately in need of help. I have a Centos 7.2 server running Samba 4.6.13 as an active directory domain controller. I am trying to join a new Centos 7.4 server running Samba 4.6.13 to the domain. The domain command will not connect to the other server.
I have firewalld and selinux disabled on both servers, I can ping both ways. From the new server I was able to do a kinit -U administrator and get a kerberos ticket which shows with a klist, however when I go to join the domain, I get:
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__
credentials=ctx.creds, lp=ctx.lp)
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
options=options)
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
options=options)
I have been unable to find any details in the logs on the existing server when I run this command.
The join command I'm using is:
samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ --option='idmap_ldb:use rfc2307 = yes' -d 10
How this problem started:
I originally had two domain controllers, both of which were running Samba 4.5. I was troubleshooting a time sync issue between Windows 10 workstations and the server that appeared to come from a bug in the older Samba 4.5 version. I updated the secondary domain controller to Samba 4.6.13 and that appeared to go fine, so I switched over to the primary domain controller and tried to upgrade it to 4.6.13. Something went wrong, and users were no longer able to access the domain. I switched to the backup domain controller and promoted it to primary and all was well again, so I took the original primary off-line and tried to solve the issue. After taking the old primary off-line, DNS stopped resolving for the network. Things get a bit murky at this part because my phone was ringing off the hook, but I managed to wipe out the /var/lib/samba/private folder from one of the servers. Since my backups were of the old 4.5 database versions and I was unable to roll back the Samba version, I had to copy the /var/lib/samba/private folder from one server to the other, then remove the server entries for the non-working server.
After that point I had to go into each machine on the network and re-join the domain because the trust relationships were no longer valid. (A domain SID changed somewhere along the way.) All but 5 machines were able to rejoin the network, and then suddenly no more could join.
An additional issue is that if I do a samba_dnsupdate --verbose on the "working" server, it completes with no errors. However if I do a samba_dnsupdate --verbose --all-names I receive a ton of "TKEY Unacceptable" messages. I have worked through all the options on the wiki.samba.org "TKEY is Unacceptable" page and have not made any progress.
I've got about 60 hours into troubleshooting this problem in the last 4 days and I am banging my head against a wall here. I can't seem to find anything on google about "join" returning the NT_STATUS_CONNECTION_REFUSED error, just smbclient connect attempts, and have exhausted every result returned by google on the TKEY problem.
Does anyone have any ideas?
Here's the extended debugging from the join command:
[root@new-dc ~]# samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
Finding a writeable DC for domain 'redacteddomain.redacted.com'
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
finddcs: searching for a DC by DNS domain redacteddomain.redacted.com
finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacteddomain.redacted.com<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389, 0]
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100, 389]
finddcs: DNS SRV response 0 at '10.10.11.4'
finddcs: DNS SRV response 1 at '10.10.11.4'
finddcs: performing CLDAP query on 10.10.11.4
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000013fd (5117)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_DS_8
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7
forest : 'redacteddomain.redacted.com'
dns_domain : 'redacteddomain.redacted.com'
pdc_dns_name : 'old-dc.redacteddomain.redacted.com'
domain_name : 'REDACTEDDOMAIN'
pdc_name : 'OLD-DC'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
Found DC old-dc.redacteddomain.redacted.com
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name old-dc.redacteddomain.redacted.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__
credentials=ctx.creds, lp=ctx.lp)
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
options=options)
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
options=options)
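The debug output above shows the sequence that matters: finddcs resolves the _ldap._tcp SRV records to 10.10.11.4, the CLDAP query (UDP 389) to that address is answered, and only then does the LDAP client fail with NT_STATUS_CONNECTION_REFUSED against ldap://old-dc.redacteddomain.redacted.com, which is Samba's mapping of a TCP ECONNREFUSED. The following script is an added diagnostic example, not code from the post or from the Samba project: it pulls the candidate DC addresses and the failing host out of `samba-tool ... -d 10` output and then reports, per LDAP port, whether a TCP connect is accepted, refused or times out, so you can tell a DC that answers CLDAP but is not listening on TCP 389 apart from a DC that is unreachable. The sample log text embedded below is copied from the post; the port list and the function names are this example's own choices.

```python
"""Classify TCP reachability of the LDAP endpoints samba-tool DC discovery selects.

Usage:  samba-tool domain join ... -d 10 2>&1 | python3 probe_dc_ldap.py
"""
import re
import socket
import sys
from typing import Dict, List, Tuple

# Lines emitted by finddcs / the LDAP client at debug level 10 (as seen in the post).
SRV_RESPONSE_RE = re.compile(r"finddcs: DNS SRV response \d+ at '([^']+)'")
FAILED_URL_RE = re.compile(r"Failed to connect to ldap URL 'ldap://([^'/]+)'")

# Ports an AD DC is expected to accept LDAP on (plain, LDAPS, GC, GC over TLS).
LDAP_PORTS = (389, 636, 3268, 3269)

# Constructed sample: the relevant lines from the post's -d 10 output.
SAMPLE_DEBUG = """\
finddcs: DNS SRV response 0 at '10.10.11.4'
finddcs: DNS SRV response 1 at '10.10.11.4'
finddcs: performing CLDAP query on 10.10.11.4
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
Found DC old-dc.redacteddomain.redacted.com
Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
"""


def parse_dc_candidates(debug_output: str) -> Dict[str, List[str]]:
    """Extract the SRV-derived DC IPs and the host the LDAP connect failed against."""
    ips: List[str] = []
    for m in SRV_RESPONSE_RE.finditer(debug_output):
        if m.group(1) not in ips:          # SRV answers often repeat the same host
            ips.append(m.group(1))
    failed = sorted(set(FAILED_URL_RE.findall(debug_output)))
    return {"srv_ips": ips, "failed_hosts": failed}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for a TCP connect.

    'refused' (ECONNREFUSED) is what Samba reports as NT_STATUS_CONNECTION_REFUSED:
    the host is up but nothing is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:                 # filtered or silently dropped
        return "timeout"
    except OSError as exc:                 # unreachable, name lookup failure, ...
        return f"error:{exc.errno}"


def probe_dc(host: str, ports=LDAP_PORTS, timeout: float = 3.0) -> Dict[int, str]:
    """Probe every LDAP port on one DC and return {port: classification}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a loopback listener on a free port; used to demonstrate 'open' vs 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    found = parse_dc_candidates(text)
    targets = found["srv_ips"] + found["failed_hosts"]
    if not targets:
        sys.exit("no finddcs / LDAP connect lines found in input")
    for target in targets:
        print(target)
        for port, state in probe_dc(target).items():
            print(f"  tcp/{port}: {state}")
```

A DC that shows `tcp/389: refused` while CLDAP discovery succeeded is one where the host is reachable but the `samba` AD DC process is not accepting LDAP on that port; on the DC itself, `ss -ltnp | grep ':389'` tells you whether anything is bound there, and which process.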