[Samba] NT_STATUS_CONNECTION_REFUSED Joining Domain - Desperately need help - [SOLVED]

Brent Davidson brent at texascountrytitle.com
Fri Mar 9 16:57:44 UTC 2018


Found the solution shortly after I sent this e-mail.  Needed to add
"tls enabled = no" to the working server to get the other server to restore
functionality.
On 3/8/2018 3:58 PM, Brent Davidson via samba wrote:
> I am desperately in need of help. I have a Centos 7.2 server running Samba
> 4.6.13 as an active directory domain controller. I am trying to join a new
> Centos 7.4 server running Samba 4.6.13 to the domain. The domain command
> will not connect to the other server.
>
> I have firewalld and selinux disabled on both servers, I can ping both ways.
> From the new server I was able to do a kinit -U administrator and get a
> kerberos ticket which shows with a klist, however when I go to join the
> domain, I get:
>
> ERROR(ldb): uncaught exception - LDAP client internal error:
>   NT_STATUS_CONNECTION_REFUSED
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
>   176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661,
>   in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in
>   join_DC
> machinepass, use_ntvfs, dns_backend, promote_existing)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in
>   __init__
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
>   __init__
> options=options)
> File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in
>   __init__
> self.connect(url, flags, options)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
>   connect
> options=options)
>
> I have been unable to find any details in the logs on the existing server
> when I run this command.
>
> The join command I'm using is:
>
> samba-tool domain join redacteddomain.redacted.com DC
> -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ
> --option='idmap_ldb:use rfc2307 = yes' -d 10
>
> How this problem started:
> I originally had two domain controllers, both of which were running Samba
> 4.5. I was troubleshooting a time sync issue between Windows 10 workstations
> and the server that appeared to come from a bug in the older Samba 4.5
> version. I updated the secondary domain controller to Samba 4.6.13 and that
> appeared to go fine, so I switched over to the primary domain controller
> and tried to upgrade it to 4.6.13. Something went wrong, and users were no
> longer able to access the domain. I switched to the backup domain controller
> and promoted it to primary and all was well again, so I took the original
> primary off-line and tried to solve the issue. After taking the old primary
> off-line, DNS stopped resolving for the network. Things get a bit murky at
> this part because my phone was running off the hook, but I managed to wipe
> out the /var/lib/samba/private folder from one of the servers. Since my
> backups were of the old 4.5 database versions and I was unable to roll back
> the Samba version, I had to copy the /var/lib/samba/private folder from one
> server to the other, then remove the server entries for the non-working
> server.
>
> After that point I had to go into each machine on the network and re-join
> the domain because the trust relationships were no longer valid. (A domain
> SID changed somewhere along the way.) All but 5 machines were able to rejoin
> the network, and then suddenly no more could join.
>
> An additional issue is that if I do a samba_dnsupdate --verbose on the
> "working" server, it completes with no errors. However if I do a
> samba_dnsupdate --verbose --all-names I receive a ton of "TKEY Unacceptable"
> messages. I have worked through all the options on the wiki.samba.org "TKEY
> is Unacceptable" page and have not made any progress.
>
>
>
> I've got about 60 hours into troubleshooting this problem in the last 4 days
> and I am banging my head against a wall here. I can't seem to find anything
> on google about "join" returning the NT_STATUS_CONNECTION_REFUSED error,
> just smbclient connect attempts, and have exhausted every result returned
> by google on the TKEY problem.
>
> Does anyone have any ideas?
>
> Here's the extended debugging from the join command:
>
> [root at new-dc ~]#samba-tool domain join redacteddomain.redacted.com DC
>   -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
>   --option='idmap_ldb:use rfc2307 = yes' -d 10 INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> Finding a writeable DC for domain 'redacteddomain.redacted.com'
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> finddcs: searching for a DC by DNS domain redacteddomain.redacted.com
> finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com
> resolve_lmhosts: Attempting lmhosts lookup for name
>   _ldap._tcp.redacteddomain.redacted.com<0x0>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389,
>   0]
> ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100,
>   389]
> finddcs: DNS SRV response 0 at '10.10.11.4'
> finddcs: DNS SRV response 1 at '10.10.11.4'
> finddcs: performing CLDAP query on 10.10.11.4
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x000013fd (5117)
> 1: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 1: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 0: NBT_SERVER_ADS_WEB_SERVICE
> 0: NBT_SERVER_DS_8
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7
> forest : 'redacteddomain.redacted.com'
> dns_domain : 'redacteddomain.redacted.com'
> pdc_dns_name : 'old-dc.redacteddomain.redacted.com'
> domain_name : 'REDACTEDDOMAIN'
> pdc_name : 'OLD-DC'
> user_name : ''
> server_site : 'Default-First-Site-Name'
> client_site : 'Default-First-Site-Name'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
> Found DC old-dc.redacteddomain.redacted.com
> Security token SIDs (1):
> SID[ 0]: S-1-5-18
> Privileges (0xFFFFFFFFFFFFFFFF):
> Privilege[ 0]: SeMachineAccountPrivilege
> Privilege[ 1]: SeTakeOwnershipPrivilege
> Privilege[ 2]: SeBackupPrivilege
> Privilege[ 3]: SeRestorePrivilege
> Privilege[ 4]: SeRemoteShutdownPrivilege
> Privilege[ 5]: SePrintOperatorPrivilege
> Privilege[ 6]: SeAddUsersPrivilege
> Privilege[ 7]: SeDiskOperatorPrivilege
> Privilege[ 8]: SeSecurityPrivilege
> Privilege[ 9]: SeSystemtimePrivilege
> Privilege[ 10]: SeShutdownPrivilege
> Privilege[ 11]: SeDebugPrivilege
> Privilege[ 12]: SeSystemEnvironmentPrivilege
> Privilege[ 13]: SeSystemProfilePrivilege
> Privilege[ 14]: SeProfileSingleProcessPrivilege
> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
> Privilege[ 16]: SeLoadDriverPrivilege
> Privilege[ 17]: SeCreatePagefilePrivilege
> Privilege[ 18]: SeIncreaseQuotaPrivilege
> Privilege[ 19]: SeChangeNotifyPrivilege
> Privilege[ 20]: SeUndockPrivilege
> Privilege[ 21]: SeManageVolumePrivilege
> Privilege[ 22]: SeImpersonatePrivilege
> Privilege[ 23]: SeCreateGlobalPrivilege
> Privilege[ 24]: SeEnableDelegationPrivilege
> Rights (0x 0):
> lpcfg_servicenumber: couldn't find ldb
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> resolve_lmhosts: Attempting lmhosts lookup for name
>   old-dc.redacteddomain.redacted.com<0x20>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
> Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' -
>   LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com' with
>   backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> ERROR(ldb): uncaught exception - LDAP client internal error:
>   NT_STATUS_CONNECTION_REFUSED
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
>   176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661,
>   in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in
>   join_DC
> machinepass, use_ntvfs, dns_backend, promote_existing)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in
>   __init__
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
>   __init__
> options=options)
> File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in
>   __init__
> self.connect(url, flags, options)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
>   connect
> options=options)
>
> WARNING-FRAUDULENT FUNDING INSTRUCTIONS
>
>
>
> Email hacking and fraud are on the rise to fraudulently misdirect funds.
>   Please call your escrow officer immediately using contract information
>   found
>   from an independent source, such as the sales contract or internet, to
>   verify
>   any funding instructions received. We are not responsible for any wires
>   sent
>   by you to an incorrect bank account.
>





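The join in this thread stops at the LDAP connect to the DC that finddcs selected, and the fix was a configuration change on that DC rather than on the joiner. The script below is an added example (not part of the thread and not Samba's own code) that pulls the selected DC, its advertised server_type flags and the failing NT_STATUS out of `samba-tool ... -d 10` output so the failure can be classified before any configuration is touched; the status-to-hint table is my own, and the NBT_SERVER_LDAP / NBT_SERVER_WRITABLE bit masks are taken from my reading of Samba's nbt.idl.

```python
import re

# Constructed sample, in the shape of the "samba-tool domain join ... -d 10" output quoted above.
SAMPLE_LOG = """\
finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389, 0]
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100, 389]
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
"""

SRV_RE = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[")
DC_RE = re.compile(r"finddcs: Found matching DC (\S+) with server_type=(0x[0-9a-fA-F]+)")
FAIL_RE = re.compile(r"Failed to connect to ldap URL '([^']+)' - .*?(NT_STATUS_\w+)")

NBT_SERVER_LDAP = 0x0008      # flag masks as I read them from Samba's nbt.idl
NBT_SERVER_WRITABLE = 0x0100

# Triage notes for the statuses a join most often stops on (my own table, not Samba's).
HINTS = {
    "NT_STATUS_CONNECTION_REFUSED": "host reachable but nothing listening on the LDAP port: "
        "check that the DC's LDAP service actually started (smb.conf 'tls enabled' "
        "and the TLS key/cert it loads from the private directory).",
    "NT_STATUS_HOST_UNREACHABLE": "routing or firewall problem between joiner and DC.",
    "NT_STATUS_IO_TIMEOUT": "packets silently dropped: host firewall or stale IP in DNS/lmhosts.",
}

def triage_join_log(text):
    """Summarise which DC finddcs picked, what it advertises, and why the LDAP connect failed."""
    srv_targets = sorted(set(SRV_RE.findall(text)))
    dc = DC_RE.search(text)
    fail = FAIL_RE.search(text)
    server_type = int(dc.group(2), 16) if dc else 0
    result = {
        "srv_targets": srv_targets,
        "dc_ip": dc.group(1) if dc else None,
        "server_type": server_type,
        "advertises_ldap": bool(server_type & NBT_SERVER_LDAP),
        "writable": bool(server_type & NBT_SERVER_WRITABLE),
        "ldap_url": fail.group(1) if fail else None,
        "nt_status": fail.group(2) if fail else None,
        "hints": [],
    }
    if result["nt_status"]:
        result["hints"].append(HINTS.get(result["nt_status"], "unrecognised status; read the DC's log.samba"))
    # Every SRV record naming the same host means there is no second DC the join could fall back to.
    if len(srv_targets) == 1:
        result["hints"].append("only one DC in _ldap._tcp SRV records: %s" % srv_targets[0])
    return result
```

A DC that advertises LDAP and WRITABLE over CLDAP yet refuses TCP on the LDAP port points at the listener on the DC, not at DNS or credentials; note that `tls enabled = no` also switches off LDAPS and StartTLS on that DC, so the underlying TLS problem is worth finding afterwards.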