[Samba] NT_STATUS_CONNECTION_REFUSED Joining Domain - Desperately need help

Thu Mar 8 21:58:43 UTC 2018

I am desperately in need of help. I have a Centos 7.2 server running Samba 4.6.13 as an active directory domain controller. I am trying to join a new Centos 7.4 server running Samba 4.6.13 to the domain. The domain command will not connect to the other server. 

I have firewalld and selinux disabled on both servers, I can ping both ways. From the new server I was able to do a kinit -U administrator and get a kerberos ticket which shows with a klist, however when I go to join the domain, I get: 

ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run 
return self.run(*args, **kwargs) 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run 
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC 
machinepass, use_ntvfs, dns_backend, promote_existing) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__ 
credentials=ctx.creds, lp=ctx.lp) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__ 
options=options) 
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__ 
self.connect(url, flags, options) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect 
options=options) 

I have been unable to find any details in the logs on the existing server when I run this command. 

The join command I'm using is: 

samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ --option='idmap_ldb:use rfc2307 = yes' -d 10 

How this problem started: 
I originally had two domain controllers, both of which were running Samba 4.5. I was troubleshooting a time sync issue between Windows 10 workstations and the server that appeared to come from a bug in the older Samba 4.5 version. I update the secondary domain controller to Samba 4.6.13 and that appeared to go fine, so I switched over to the primary domain controller and tried to upgrade it to 4.6.13. Something went wrong, and users were no longer able to access the domain. I switched to the backup domain controller and promoted it to primary and all was well again, so I took the original primary off-line and tried to solve the issue. After taking the old primary off-line, DNS stopped resolving for the network. Things get a bit murky at this part because my phone was runing off the hook, but I managed to wipe out the /var/lib/samba/private folder from one of the servers. Since my backups were of the old 4.5 database versions and I was unable to roll back the Samba version, I had to copy the /var/lib/samba/private folder from one server to the other, then remove the server entries for the non-working server. 

After that point I had to go into each machine on the network and re-join the domain because the trust relationships were no longer valid. (A domain SID changed somewhere along the way.) All but 5 machines were able to rejoin the network, and then suddenly no more could join. 

An additional issue is that if I do a samba_dnsupdate --verbose on the "working" server, it completes with no errors. However if I do a samba_dnsupdate --verbose --all-names I receive a ton of "TKEY Unacceptable" messages. I have worked through all the options on the wiki.samba.org "TKEY is Unacceptable" page and have not made any progress. 

I've got about 60 hours into troubleshooting this problem in the last 4 days and I am banging my head against a wall here. I can't seem to find anything on google about "join" returning the NT_STATUS_CONNECTION_REFUSED error, just smbclient connect attempts, and have exhausted every result returned by google on the TKEY problem. 

Does anyone have any ideas? 

Here's the extended debugging from the join command: 

[root at new-dc ~]#samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' -d 10 INFO: Current debug levels: 
all: 10 
tdb: 10 
printdrivers: 10 
lanman: 10 
smb: 10 
rpc_parse: 10 
rpc_srv: 10 
rpc_cli: 10 
passdb: 10 
sam: 10 
auth: 10 
winbind: 10 
vfs: 10 
idmap: 10 
quota: 10 
acls: 10 
locking: 10 
msdfs: 10 
dmapi: 10 
registry: 10 
scavenger: 10 
dns: 10 
ldb: 10 
tevent: 10 
auth_audit: 10 
auth_json_audit: 10 
kerberos: 10 
drs_repl: 10 
GENSEC backend 'gssapi_spnego' registered 
GENSEC backend 'gssapi_krb5' registered 
GENSEC backend 'gssapi_krb5_sasl' registered 
GENSEC backend 'spnego' registered 
GENSEC backend 'schannel' registered 
GENSEC backend 'naclrpc_as_system' registered 
GENSEC backend 'sasl-EXTERNAL' registered 
GENSEC backend 'ntlmssp' registered 
GENSEC backend 'ntlmssp_resume_ccache' registered 
GENSEC backend 'http_basic' registered 
GENSEC backend 'http_ntlm' registered 
GENSEC backend 'krb5' registered 
GENSEC backend 'fake_gssapi_krb5' registered 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
Finding a writeable DC for domain 'redacteddomain.redacted.com' 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
finddcs: searching for a DC by DNS domain redacteddomain.redacted.com 
finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com 
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacteddomain.redacted.com<0x0> 
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com 
ads_dns_lookup_srv: 2 records returned in the answer section. 
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389, 0] 
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100, 389] 
finddcs: DNS SRV response 0 at '10.10.11.4' 
finddcs: DNS SRV response 1 at '10.10.11.4' 
finddcs: performing CLDAP query on 10.10.11.4 
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX 
command : LOGON_SAM_LOGON_RESPONSE_EX (23) 
sbz : 0x0000 (0) 
server_type : 0x000013fd (5117) 
1: NBT_SERVER_PDC 
1: NBT_SERVER_GC 
1: NBT_SERVER_LDAP 
1: NBT_SERVER_DS 
1: NBT_SERVER_KDC 
1: NBT_SERVER_TIMESERV 
1: NBT_SERVER_CLOSEST 
1: NBT_SERVER_WRITABLE 
1: NBT_SERVER_GOOD_TIMESERV 
0: NBT_SERVER_NDNC 
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 
1: NBT_SERVER_FULL_SECRET_DOMAIN_6 
0: NBT_SERVER_ADS_WEB_SERVICE 
0: NBT_SERVER_DS_8 
0: NBT_SERVER_HAS_DNS_NAME 
0: NBT_SERVER_IS_DEFAULT_NC 
0: NBT_SERVER_FOREST_ROOT 
domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7 
forest : 'redacteddomain.redacted.com' 
dns_domain : 'redacteddomain.redacted.com' 
pdc_dns_name : 'old-dc.redacteddomain.redacted.com' 
domain_name : 'REDACTEDDOMAIN' 
pdc_name : 'OLD-DC' 
user_name : '' 
server_site : 'Default-First-Site-Name' 
client_site : 'Default-First-Site-Name' 
sockaddr_size : 0x00 (0) 
sockaddr: struct nbt_sockaddr 
sockaddr_family : 0x00000000 (0) 
pdc_ip : (null) 
remaining : DATA_BLOB length=0 
next_closest_site : NULL 
nt_version : 0x00000005 (5) 
1: NETLOGON_NT_VERSION_1 
0: NETLOGON_NT_VERSION_5 
1: NETLOGON_NT_VERSION_5EX 
0: NETLOGON_NT_VERSION_5EX_WITH_IP 
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 
0: NETLOGON_NT_VERSION_PDC 
0: NETLOGON_NT_VERSION_IP 
0: NETLOGON_NT_VERSION_LOCAL 
0: NETLOGON_NT_VERSION_GC 
lmnt_token : 0xffff (65535) 
lm20_token : 0xffff (65535) 
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd 
Found DC old-dc.redacteddomain.redacted.com 
Security token SIDs (1): 
SID[ 0]: S-1-5-18 
Privileges (0xFFFFFFFFFFFFFFFF): 
Privilege[ 0]: SeMachineAccountPrivilege 
Privilege[ 1]: SeTakeOwnershipPrivilege 
Privilege[ 2]: SeBackupPrivilege 
Privilege[ 3]: SeRestorePrivilege 
Privilege[ 4]: SeRemoteShutdownPrivilege 
Privilege[ 5]: SePrintOperatorPrivilege 
Privilege[ 6]: SeAddUsersPrivilege 
Privilege[ 7]: SeDiskOperatorPrivilege 
Privilege[ 8]: SeSecurityPrivilege 
Privilege[ 9]: SeSystemtimePrivilege 
Privilege[ 10]: SeShutdownPrivilege 
Privilege[ 11]: SeDebugPrivilege 
Privilege[ 12]: SeSystemEnvironmentPrivilege 
Privilege[ 13]: SeSystemProfilePrivilege 
Privilege[ 14]: SeProfileSingleProcessPrivilege 
Privilege[ 15]: SeIncreaseBasePriorityPrivilege 
Privilege[ 16]: SeLoadDriverPrivilege 
Privilege[ 17]: SeCreatePagefilePrivilege 
Privilege[ 18]: SeIncreaseQuotaPrivilege 
Privilege[ 19]: SeChangeNotifyPrivilege 
Privilege[ 20]: SeUndockPrivilege 
Privilege[ 21]: SeManageVolumePrivilege 
Privilege[ 22]: SeImpersonatePrivilege 
Privilege[ 23]: SeCreateGlobalPrivilege 
Privilege[ 24]: SeEnableDelegationPrivilege 
Rights (0x 0): 
lpcfg_servicenumber: couldn't find ldb 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
resolve_lmhosts: Attempting lmhosts lookup for name old-dc.redacteddomain.redacted.com<0x20> 
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com 
Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED 
Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED 
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run 
return self.run(*args, **kwargs) 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run 
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC 
machinepass, use_ntvfs, dns_backend, promote_existing) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__ 
credentials=ctx.creds, lp=ctx.lp) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__ 
options=options) 
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__ 
self.connect(url, flags, options) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect 
options=options) 

WARNING-FRAUDULENT FUNDING INSTRUCTIONS

Email hacking and fraud are on the rise to fraudulently misdirect funds. Please call your escrow officer immediately using contract information found from an independent source, such as the sales contract or internet, to verify any funding instructions received. We are not responsible for any wires sent by you to an incorrect bank account. 