[Samba] Setup a Samba AD DC as an additional DC

L.P.H. van Belle belle at bazuin.nl
Thu Nov 29 10:27:12 UTC 2018


Hi Barry,

> Onderwerp: [Samba] Setup a Samba AD DC as an additional DC
> 
> >What is the running AD DC's OS version/build, was it an MS server? 
> 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is 
> a 2012 windows DC

Yes, but Win 2012, which one? 2012 or 2012R2?
Can you open a DOS box (cmd) and type: ver
The build number is?

> 
> Then question after this.
> ERROR(runtime): uncaught exception - (9601, 
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST') 
> 
> This DC you're adding, are you using bind9_DLZ or the internal DNS from samba itself? 
> I suspect resolving problems. 

And these are confirmed below. 

> 
> From the collected info. (commented in between the lines) 
> 
> > -----------
> > Checking file: /etc/hosts 
> > 127.0.0.1	localhost
> > ::1		localhost6
> 
> >IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC (optional, you can add the other DC also, but wait, don't add it now.)
> 
> I added this already but it did not change the result.
> 
> >> # The following lines are desirable for IPv6 capable hosts
> >> ::1     localhost ip6-localhost ip6-loopback
> >> fe00::0 ip6-localnet
> >> ff02::1 ip6-allnodes
> >> ff02::2 ip6-allrouters
> >> ff02::3 ip6-allhosts
> 
> >> Checking file: /etc/resolv.conf
> >> search daram.com
> >> nameserver ##.##.##.20
> 
> >The IP shown above, where is this one resolving to? I hope the ADDC server. 
> 
> Yes to the ADDC Server
> 
> >If you don't use systemd-resolved, that's fine, but make sure you removed it correctly. 
> >That's a choice; the howto shown works fine with it enabled. 
> >But here are the steps to remove it, if you want to remove it. 
> ># but PLEASE, keep this for the last; if we change too much I'm not able to find your problem.
> ># I do suspect a resolving problem, yes. 
> ># systemctl disable systemd-resolved
> ># systemctl stop systemd-resolved
> ># systemctl mask systemd-resolved
> ># rm /etc/resolv.conf and create a new one (you already did this)
> ># if exists, edit /etc/NetworkManager/NetworkManager.conf
> ># in the main section, add: dns=none
> ># reboot. 
> >
> >but again, I want to know all outcomes first before you change this all. 
> 
> I did not do the "mask" but did the other and I purged the 
> resolved... per Roland's instructions...
> 
> 
> >nslookup hostname
> >nslookup hostname.domain.tld
> 
> :~$ nslookup sambaDC.domain.com
> Server:         131.192.176.20
> Address:        131.192.176.20#53
> 
> Name:   sambaDC.domain.com
> Address: 131.192.176.40
> 
> >What do you see if you run: 
> >host IP_OF_OTHERDC
> 
> 20.176.192.131.in-addr.arpa domain name pointer 
> WindowsADDC.domain.com.
> 
> >host IP_OF_THIS_DC
> 
> Host 40.176.192.131.in-addr.arpa  domain name pointer 
> sambaDC.domain.com.
> 
> >And
> >dig a $(hostname -s)
> 
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available	
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 852b24514a370e2a (echoed)
> ;; QUESTION SECTION:
> ; sambaDC.                    IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)                
> <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 02:57:50 CST 2018
> ;; MSG SIZE  rcvd: 51
> 
> >dig a $(hostname -f)
> 
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 6f82a8d3d3d97f1d (echoed)
> ;; QUESTION SECTION:
> ; sambaDC.domain.com.          IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)                  
>                  <<<Windows ADDC>>>
> ;; WHEN: Wed Nov 28 03:05:39 CST 2018
> ;; MSG SIZE  rcvd: 61
> 
> >Repeat but now with @ip_of_OTHER-DC at the end. dig 
> >
> >dig -x ip_of_this_DC
> 
> dig -x 131.192.176.40  (sambaDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 53854d1f16d34420 (echoed)
> ;; QUESTION SECTION:
> ;40.176.192.131.in-addr.arpa.   IN      PTR
> 
> ;; Query time: 1 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:19:14 CST 2018
> ;; MSG SIZE  rcvd: 68
> 
> >dig -x ip_of_OTHER-DC
> >Repeat but now with @ip_of_OTHER-DC at the end.
> 
> dig -x 131.192.176.20  (WinADDC)
> ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 9aee9cb762be5fc3 (echoed)
> ;; QUESTION SECTION:
> ;20.176.192.131.in-addr.arpa.   IN      PTR
> 
> ;; Query time: 0 msec
> ;; SERVER: 131.192.176.20#53(131.192.176.20)
> ;; WHEN: Wed Nov 28 13:21:20 CST 2018
> ;; MSG SIZE  rcvd: 68
> 

Ok, here lots of things are missing or not working. 
What I did see here, for example: 
> ;; WARNING: recursion requested but not available 
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
ANSWER: 0   << that's not good. 

PTR checks on the DC's records are failing also. 
You don't get answers from the DNS server(s)... 

Look, what I wanted to see was: 
dig -x 192.168.0.1
; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN    PTR     dc1.internal.domain.tld.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 1308  IN      NS      dc1.internal.domain.tld.

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 29 11:11:19 2018
;; MSG SIZE  rcvd: 101

At least we have a thing to look at/check now. 
I don't know much about the internal DNS of samba, I only use Bind9_DLZ, so I would say upgrade the DNS to bind9_DLZ.
But now we know where to look, Rowland may be able to say things about the internal DNS. 

Everything below here is, atm, not really relevant; the above needs to be fixed first. 

A few other questions: are you running a Cert server on the MS server? If so, make sure you export the CA Root cert 
and add it on your samba servers and create the samba client certificates. 
After that's done, and the DNS is checked again, then we can look at: 

> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 



> > 
> > 
> > -----------
> > Checking file: /etc/krb5.conf
> > [libdefaults]
> > 	default_realm = MYDOMAIN.COM
> 
> #Here add: 
> ; for Windows 2008 with AES, this makes sure it matches better with the Windows.
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
> des-cbc-crc des-cbc-md5
> 
> > 
> > # The following krb5.conf variables are only for MIT Kerberos.
> > 	kdc_timesync = 1
> > 	ccache_type = 4
> > 	forwardable = true
> > 	proxiable = true
> > 
> > # The following encryption type specification will be used by MIT 
> > Kerberos .... Removed a bit to shorten the e-mail.
> > 
> > 
> > -----------
> > Checking file: /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages 
> installed, 
> > try:
> > # `info libc "Name Service Switch"' for information about this file.
> > 
> > passwd:         compat systemd
> > group:          compat systemd
> > shadow:         compat
> > gshadow:        files
> > 
> > hosts:          files dns
> > networks:       files
> > 
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> > 
> > netgroup:       nis
> > 
> > -----------
> > Warning,  does not exist
> 
> >I was expecting output here for the command.
> >Check_file_exists "${SMBCONF}"
> 
> I have been deleting smb.conf before I run the samba-tool.  
> It creates a new one even though the join fails.
> 
> >Can you run these 2 commands : 
> samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
> 
> /etc/samba/smb.conf  (because I made an attempt to join the 
> domain with samba-tool)
> 
> smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
> 
> /etc/samba/smb.conf
> 
> >> -----------
> >> No username map detected.
> >Fine for an AD DC.
> 
> >> 
> >> -----------
> >> 
> >> Installed packages, running: dpkg -l | egrep  
> >>"samba|winbind|krb5|smb|acl|xattr"
> >> ii  acl                                   2.2.52-3build1      
> >>               amd64        Access control list utilities
> >>.......... Removed part to shorten mail.
> >> SMB/CIFS clients for Unix
> >> ii  winbind                               
> >> 2:4.9.3+nmu-1~ubuntu1804          amd64        service to 
> >> resolve user and group information from Windows NT servers
> >> -----------
> >
> >This looks ok to me. 
> 
> >Last, I'll add this script into the other script in some time.
> 
> >Get and run this one on the DC. 
> >https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 
> The Windows DC..?  Well, with bash it doesn't work... so I 
> assume you mean the DC we're trying to set up.
> 
> 1:~$ sudo /tmp/samba-info.sh
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v23f0> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v23f0> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> Could not find machine account in secrets database: Failed to 
> fetch machine account password for DARAM from both 
> secrets.ldb (Could not find entry to match filter: 
> '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> 'cn=Primary Domains': No such object: dsdb_search at 
> ../source4/dsdb/common/util.c:4705) and from 
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - LDAP error 1 
> LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09073B, 
> comment: In order to perform this operation a successful bind 
> must be completed on the connection., data 0, v1772> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 469, in run
>     master = get_fsmo_roleowner(samdb, dn, short_name)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 42, in get_fsmo_roleowner
>     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> This script was tested with Debian Jessie and Stretch
> Server info:                    detected           (command 
> and where to look)
> This server hostname          = sambaDC            (hostname 
> -s and /etc/hosts and DNS server)
> This server FQDN (hostname)   = sambaDC.domain.com  (hostname 
> -f and /etc/hosts and DNS server)
> This server primary dnsdomain = domain.com      (hostname -d 
> and /etc/resolv.conf and DNS server)
> This server IP address(ses)   = 131.192.176.40  (hostname -i 
> (-I) and /etc/networking/interfaces and DNS server
> The DC with FSMO roles        =         (samba-tool fsmo show)
> The DC (with FSMO) Site name  =         (samba-tool fsmo show)
> The Default Naming Context    =         (samba-tool fsmo show)
> The Kerberos REALM name used  = DOMAIN.COM       (kinit and 
> /etc/krb5.conf and resolving)
> The Ipadres of DC win2012DC-Site2.domain.com        = 131.192.180.22
> The Ipadres of DC win2012DC-Site1.domain.com        = 131.192.176.20
> 131.192.176.18

And again, we are missing info here. 

I did keep all of the original post so it's easier to track this problem. 

Rowland, do you have any more suggestions? I'm in favour of: 
- fix the dns resolving.
- cleanup the current join, remove from the domain.
- setup/join  samba with bind9_dlz. 

For so far, 

Louis
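The diagnosis in this mail comes from reading the dig output (status FORMERR, ANSWER: 0, the recursion warning). Below is an added triage script, not from the thread and not part of Samba, that parses saved dig output and lists those same problems; it also flags a bare short name in the question, since dig only applies the resolv.conf search list when run with +search. The two sample outputs are constructed, modelled on the ones in the thread, with documentation addresses.

```python
import re

# Constructed samples modelled on the thread's dig output (not copied verbatim,
# documentation addresses): the failing short-name lookup and a healthy PTR lookup.
BAD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
; sambadc.                    IN      A
"""
GOOD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;1.2.0.192.in-addr.arpa.  IN      PTR
;; ANSWER SECTION:
1.2.0.192.in-addr.arpa. 900 IN    PTR     dc1.internal.example.
"""

def parse_dig(text):
    """Pull status, flags, section counts, warnings and the question name out of dig output."""
    info = {"status": None, "flags": set(), "counts": {}, "warnings": [], "qname": None}
    m = re.search(r"status:\s*(\w+)", text)
    if m:
        info["status"] = m.group(1)
    m = re.search(r";; flags:\s*([a-z ]*);\s*(.*)", text)
    if m:
        info["flags"] = set(m.group(1).split())
        info["counts"] = {k: int(v) for k, v in re.findall(r"(\w+):\s*(\d+)", m.group(2))}
    info["warnings"] = [w.strip() for w in re.findall(r";; WARNING:\s*(.*)", text)]
    m = re.search(r"QUESTION SECTION:\n;\s*(\S+)\s+IN\s+\S+", text)
    if m:
        info["qname"] = m.group(1)
    return info

def diagnose(text):
    """Return the problems the thread points at; an empty list means the lookup is healthy."""
    info = parse_dig(text)
    problems = []
    if info["status"] != "NOERROR":
        problems.append("status %s, expected NOERROR" % info["status"])
    if info["counts"].get("ANSWER", 0) == 0:
        problems.append("ANSWER: 0, no record returned")
    problems += ["warning: " + w for w in info["warnings"]]
    # dig only applies the resolv.conf search list with +search, so a bare
    # short name in the question was sent as-is and can never match.
    if info["qname"] and info["qname"].count(".") <= 1:
        problems.append("short name %s queried without a domain suffix" % info["qname"])
    return problems
```

Feed it `dig ... > out.txt` captures from both the Samba DC and the Windows DC (with `@ip`) and compare the lists: a healthy join needs an empty list for the forward, reverse and short-name lookups.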
