[Samba] Setup a Samba AD DC as an additional DC

Rowland Penny rpenny at samba.org
Thu Nov 29 10:41:37 UTC 2018


On Thu, 29 Nov 2018 11:27:12 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Barry, 
> 
> > Subject: [Samba] Setup a Samba AD DC as an additional DC
> > 
> > >What is the running AD DC's OS version/build? Is it an MS
> > >server?
> > 2 AD DCs are Windows 2012, 1 is 2008, but the DC for the join is
> > a 2012 Windows DC
> 
> Yes, but Windows 2012 which one? 2012 or 2012R2?
> Can you open a DOS box (cmd) and type: ver
> The build number is?
> 
> > 
> > Then a question after this.
> > ERROR(runtime): uncaught exception - (9601,
> > 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
> > 
> > This DC you're adding, are you using bind9_DLZ or the internal DNS from
> > Samba itself? I suspect resolving problems.
> 
> And these are confirmed below. 
> 
> > 
> > From the collected info (commented in between the lines)
> > 
> > > -----------
> > > Checking file: /etc/hosts 
> > > 127.0.0.1	localhost
> > > ::1		localhost6
> > 
> > >IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC (optionally
> > you can add the other DC also, but wait, don't add it now.)
> > 
> > I added this already but it did not change the result.
> > 
> > >> # The following lines are desirable for IPv6 capable hosts
> > >> ::1     localhost ip6-localhost ip6-loopback
> > >> fe00::0 ip6-localnet
> > >> ff02::1 ip6-allnodes
> > >> ff02::2 ip6-allrouters
> > >> ff02::3 ip6-allhosts
> > 
> > >> Checking file: /etc/resolv.conf
> > >> search daram.com
> > >> nameserver ##.##.##.20
> > 
> > >The IP shown above, where is this one resolving to? I
> > hope the AD DC server.
> > 
> > Yes, to the AD DC server
> > 
> > >If you don't use systemd-resolved, that's fine, but make sure
> > you removed it correctly.
> > >That's a choice; the howto shown works fine with it enabled.
> > >But here are the steps to remove it, if you want to remove it.
> > ># but PLEASE keep this for last; if we change too much
> > I'm not able to find your problem.
> > ># I do suspect a resolving problem, yes.
> > ># systemctl disable systemd-resolved
> > ># systemctl stop systemd-resolved
> > ># systemctl mask systemd-resolved
> > ># rm /etc/resolv.conf and create a new one (you already did
> > this)
> > ># if it exists, edit /etc/NetworkManager/NetworkManager.conf
> > ># in the main section, add: dns=none
> > ># reboot.
> > >
> > >but again, I want to know all outcomes first before you
> > change this all.
> > 
> > I did not do the "mask" but did the others and I purged
> > resolved... per Rowland's instructions...
> > 
> > 
> > >nslookup hostname
> > >nslookup hostname.domain.tld
> > 
> > :~$ nslookup sambaDC.domain.com
> > Server:         131.192.176.20
> > Address:        131.192.176.20#53
> > 
> > Name:   sambaDC.domain.com
> > Address: 131.192.176.40
> > 
> > >What do you see if you run: 
> > >host IP_OF_OTHERDC
> > 
> > 20.176.192.131.in-addr.arpa domain name pointer 
> > WindowsADDC.domain.com.
> > 
> > >host IP_OF_THIS_DC
> > 
> > Host 40.176.192.131.in-addr.arpa  domain name pointer 
> > sambaDC.domain.com.
> > 
> > >And
> > >dig a $(hostname -s)
> > 
> > ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available	
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: 852b24514a370e2a (echoed)
> > ;; QUESTION SECTION:
> > ; sambaDC.                    IN      A
> > 
> > ;; Query time: 0 msec
> > ;; SERVER: 131.192.176.20#53(131.192.176.20)                
> > <<<Windows ADDC>>>
> > ;; WHEN: Wed Nov 28 02:57:50 CST 2018
> > ;; MSG SIZE  rcvd: 51
> > 
> > >dig a $(hostname -f)
> > 
> > ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: 6f82a8d3d3d97f1d (echoed)
> > ;; QUESTION SECTION:
> > ; sambaDC.domain.com.          IN      A
> > 
> > ;; Query time: 0 msec
> > ;; SERVER: 131.192.176.20#53(131.192.176.20)    <<<Windows ADDC>>>
> > ;; WHEN: Wed Nov 28 03:05:39 CST 2018
> > ;; MSG SIZE  rcvd: 61
> > 
> > >Repeat, but now with @ip_of_OTHER-DC at the end.
> > >
> > >dig -x ip_of_this_DC
> > 
> > dig -x 131.192.176.40  (sambaDC)
> > ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: 53854d1f16d34420 (echoed)
> > ;; QUESTION SECTION:
> > ;40.176.192.131.in-addr.arpa.   IN      PTR
> > 
> > ;; Query time: 1 msec
> > ;; SERVER: 131.192.176.20#53(131.192.176.20)
> > ;; WHEN: Wed Nov 28 13:19:14 CST 2018
> > ;; MSG SIZE  rcvd: 68
> > 
> > >dig -x ip_of_OTHER-DC
> > >Repeat, but now with @ip_of_OTHER-DC at the end.
> > 
> > dig -x 131.192.176.20  (WinADDC)
> > ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: 9aee9cb762be5fc3 (echoed)
> > ;; QUESTION SECTION:
> > ;20.176.192.131.in-addr.arpa.   IN      PTR
> > 
> > ;; Query time: 0 msec
> > ;; SERVER: 131.192.176.20#53(131.192.176.20)
> > ;; WHEN: Wed Nov 28 13:21:20 CST 2018
> > ;; MSG SIZE  rcvd: 68
> > 
> 
> OK, here lots of things are missing or not working.
> What I did see here, for example:
> > ;; WARNING: recursion requested but not available
> > > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ANSWER: 0   << that's not good.
> 
> PTR checks on the DC's records are failing also.
> You don't get answers from the DNS server(s)...
> 
> Look, what I wanted to see was:
> dig -x 192.168.0.1
> ; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;1.0.168.192.in-addr.arpa.  IN      PTR
> 
> ;; ANSWER SECTION:
> 1.0.168.192.in-addr.arpa. 900 IN    PTR     dc1.internal.domain.tld.
> 
> ;; AUTHORITY SECTION:
> 0.168.192.in-addr.arpa. 1308  IN      NS      dc1.internal.domain.tld.
> 
> ;; Query time: 25 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Nov 29 11:11:19 2018
> ;; MSG SIZE  rcvd: 101
> 
> At least we have a thing to look at/check now.
> I don't know much about the internal DNS of Samba, I only use
> Bind9_DLZ, so I would say upgrade the DNS to bind9_DLZ. But now we
> know where to look; Rowland may be able to say things about the
> internal DNS.
> 
> Everything below here is, atm, not really relevant; the above needs to be
> fixed first.
> 
> A few other questions: are you running a Cert server on the MS server?
> If so, make sure you export the CA root cert and add it on your Samba
> servers and create the Samba client certificates. After that's done,
> and the DNS is checked again, then we can look at:
> 
> > '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> > 'cn=Primary Domains': No such object: dsdb_search at 
> > ../source4/dsdb/common/util.c:4705) and from 
> > /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(ldb): uncaught exception -
> > LDAP error 1 
> 
> 
> 
> > > 
> > > 
> > > -----------
> > > Checking file: /etc/krb5.conf
> > > [libdefaults]
> > > 	default_realm = MYDOMAIN.COM
> > 
> > #Here add:
> > ; for Windows 2008 with AES; this makes sure it matches better
> > with Windows.
> >     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > 
> > > 
> > > # The following krb5.conf variables are only for MIT Kerberos.
> > > 	kdc_timesync = 1
> > > 	ccache_type = 4
> > > 	forwardable = true
> > > 	proxiable = true
> > > 
> > > # The following encryption type specification will be used by MIT 
> > > Kerberos .... Removed a bit to shorten the e-mail.
> > > 
> > > 
> > > -----------
> > > Checking file: /etc/nsswitch.conf
> > > # /etc/nsswitch.conf
> > > #
> > > # Example configuration of GNU Name Service Switch functionality.
> > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > # `info libc "Name Service Switch"' for information about this file.
> > > 
> > > passwd:         compat systemd
> > > group:          compat systemd
> > > shadow:         compat
> > > gshadow:        files
> > > 
> > > hosts:          files dns
> > > networks:       files
> > > 
> > > protocols:      db files
> > > services:       db files
> > > ethers:         db files
> > > rpc:            db files
> > > 
> > > netgroup:       nis
> > > 
> > > -----------
> > > Warning,  does not exist
> > 
> > >I was expecting output here for the command.
> > >Check_file_exists "${SMBCONF}"
> > 
> > I have been deleting smb.conf before I run the samba-tool.  
> > It creates a new one even though the join fails.
> > 
> > >Can you run these 2 commands:
> > samba -b | grep 'CONFIGFILE' | awk '{print $NF}'
> > 
> > /etc/samba/smb.conf  (because I made an attempt to join the 
> > domain with samba-tool)
> > 
> > smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
> > 
> > /etc/samba/smb.conf
> > 
> > >> -----------
> > >> No username map detected.
> > >Fine for an AD DC.
> > 
> > >> 
> > >> -----------
> > >> 
> > >> Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
> > >> ii  acl                                   2.2.52-3build1                     amd64        Access control list utilities
> > >>.......... Removed part to shorten mail.
> > >> SMB/CIFS clients for Unix
> > >> ii  winbind                               2:4.9.3+nmu-1~ubuntu1804          amd64        service to resolve user and group information from Windows NT servers
> > >> -----------
> > >
> > >This looks ok to me. 
> > 
> > >Last, I'll add this script into the other script at some time.
> > 
> > >Get and run this one on the DC. 
> > >https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 
> > The Windows DC..?  Well, with bash it doesn't work... so I
> > assume you mean the DC we're trying to set up.
> > 
> > 1:~$ sudo /tmp/samba-info.sh
> > Could not find machine account in secrets database: Failed to 
> > fetch machine account password for DARAM from both 
> > secrets.ldb (Could not find entry to match filter: 
> > '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> > 'cn=Primary Domains': No such object: dsdb_search at 
> > ../source4/dsdb/common/util.c:4705) and from 
> > /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(ldb): uncaught exception -
> > LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr:
> > DSID-0C09079A, comment: In order to perform this operation a
> > successful bind must be completed on the connection., data 0,
> > v23f0> <> File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 469, in run
> >     master = get_fsmo_roleowner(samdb, dn, short_name)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 42, in get_fsmo_roleowner
> >     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> > Could not find machine account in secrets database: Failed to 
> > fetch machine account password for DARAM from both 
> > secrets.ldb (Could not find entry to match filter: 
> > '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> > 'cn=Primary Domains': No such object: dsdb_search at 
> > ../source4/dsdb/common/util.c:4705) and from 
> > /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(ldb): uncaught exception -
> > LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr:
> > DSID-0C09079A, comment: In order to perform this operation a
> > successful bind must be completed on the connection., data 0,
> > v23f0> <> File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 469, in run
> >     master = get_fsmo_roleowner(samdb, dn, short_name)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 42, in get_fsmo_roleowner
> >     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> > Could not find machine account in secrets database: Failed to 
> > fetch machine account password for DARAM from both 
> > secrets.ldb (Could not find entry to match filter: 
> > '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 
> > 'cn=Primary Domains': No such object: dsdb_search at 
> > ../source4/dsdb/common/util.c:4705) and from 
> > /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO ERROR(ldb): uncaught exception -
> > LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr:
> > DSID-0C09073B, comment: In order to perform this operation a
> > successful bind must be completed on the connection., data 0,
> > v1772> <> File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 469, in run
> >     master = get_fsmo_roleowner(samdb, dn, short_name)
> >   File 
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> > 42, in get_fsmo_roleowner
> >     scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
> > This script was tested with Debian Jessie and Stretch
> > Server info:                    detected           (command 
> > and where to look)
> > This server hostname          = sambaDC            (hostname 
> > -s and /etc/hosts and DNS server)
> > This server FQDN (hostname)   = sambaDC.domain.com  (hostname 
> > -f and /etc/hosts and DNS server)
> > This server primary dnsdomain = domain.com      (hostname -d 
> > and /etc/resolv.conf and DNS server)
> > This server IP address(ses)   = 131.192.176.40  (hostname -i 
> > (-I) and /etc/networking/interfaces and DNS server
> > The DC with FSMO roles        =         (samba-tool fsmo show)
> > The DC (with FSMO) Site name  =         (samba-tool fsmo show)
> > The Default Naming Context    =         (samba-tool fsmo show)
> > The Kerberos REALM name used  = DOMAIN.COM       (kinit and 
> > /etc/krb5.conf and resolving)
> > The Ipadres of DC win2012DC-Site2.domain.com        = 131.192.180.22
> > The Ipadres of DC win2012DC-Site1.domain.com        = 131.192.176.20
> > 131.192.176.18
> 
> And again, we are missing info here. 
> 
> I did keep all of the original post so it's easier to track this
> problem.
> 
> Rowland, do you have any more suggestions? I'm pro for:
> - fix the DNS resolving.

That definitely needs to work

> - clean up the current join, remove from the domain.

I don't think he ever joined, but cleaning out anything to do with the
new DC from the Windows DC shouldn't harm anything and cleaning
out /var/lib/samba will also help.

> - set up/join Samba with bind9_dlz.

You do not actually have to set up Bind9 before a provision/join, it
just needs to be installed, then add '--dns-backend=BIND9_DLZ' to the
join command, he can worry about setting up Bind9 once the DC actually
joins ;-)

Rowland
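A small checker, added here as an example and not part of this thread or of Samba's own tools, that reads dig's text output the way van Belle reads it above: it pulls out the status, the flags, the ANSWER count, the answering server and the "recursion requested but not available" warning, and reports the same three findings (FORMERR, ANSWER: 0, no recursion) for the failing DC while passing the NOERROR reply with a PTR answer that he wanted to see. The two transcripts are constructed for the example, abridged from the ones quoted in the thread; the regular expressions assume standard dig output formatting.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample dig transcripts, constructed for this example and abridged from the
# shapes seen in the thread: the FORMERR / ANSWER: 0 reply from the Windows DC
# when asked for the new DC's PTR record, and the NOERROR reply that was expected.
BROKEN_PTR = """\
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 53854d1f16d34420 (echoed)
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 1 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
"""

HEALTHY_PTR = """\
; <<>> DiG 9.6-ESV-R4 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 900 IN    PTR     dc1.internal.domain.tld.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 1308  IN      NS      dc1.internal.domain.tld.

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (?P<status>[A-Z]+)", re.M)
COUNTS_RE = re.compile(
    r"^;; flags: (?P<flags>[a-z ]*); QUERY: \d+, ANSWER: (?P<answer>\d+),"
    r" AUTHORITY: (?P<authority>\d+), ADDITIONAL: \d+",
    re.M,
)
SERVER_RE = re.compile(r"^;; SERVER: (?P<server>\S+)", re.M)
# The question line starts with a single ';' followed by the name, class and type.
QUESTION_RE = re.compile(r"^;(?!;)\s*(?P<name>[^\s;]+)\s+IN\s+(?P<type>[A-Z]+)\s*$", re.M)
RECURSION_WARNING = ";; WARNING: recursion requested but not available"


@dataclass
class DigResult:
    status: str
    flags: List[str]
    answer_count: int
    authority_count: int
    server: str
    qname: str
    qtype: str
    recursion_warning: bool
    answers: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """The problems a reader of this dig output should notice, in the thread's terms."""
        found = []
        if self.status != "NOERROR":
            found.append(f"status {self.status} from {self.server} (expected NOERROR)")
        if self.answer_count == 0:
            found.append(f"ANSWER: 0 for {self.qname} {self.qtype}: the server returned no record")
        if self.recursion_warning or "ra" not in self.flags:
            found.append("recursion requested but not available: the server will not resolve on our behalf")
        return found

    @property
    def healthy(self) -> bool:
        return not self.findings()


def _section(text: str, title: str) -> List[str]:
    """Collect the record lines under ';; <title> SECTION:' up to the next blank line."""
    records: List[str] = []
    collecting = False
    for line in text.splitlines():
        if line.rstrip() == f";; {title} SECTION:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            records.append(line.rstrip())
    return records


def diagnose(text: str) -> DigResult:
    """Parse one dig transcript into a DigResult; raises if the header lines are missing."""
    header = HEADER_RE.search(text)
    counts = COUNTS_RE.search(text)
    server = SERVER_RE.search(text)
    question = QUESTION_RE.search(text)
    if not (header and counts and server and question):
        raise ValueError("not a complete dig transcript")
    return DigResult(
        status=header["status"],
        flags=counts["flags"].split(),
        answer_count=int(counts["answer"]),
        authority_count=int(counts["authority"]),
        server=server["server"],
        qname=question["name"],
        qtype=question["type"],
        recursion_warning=RECURSION_WARNING in text,
        answers=_section(text, "ANSWER"),
    )


if __name__ == "__main__":
    for label, transcript in (("failing DC", BROKEN_PTR), ("expected", HEALTHY_PTR)):
        result = diagnose(transcript)
        print(f"{label}: {result.qname} {result.qtype} via {result.server}")
        for problem in result.findings() or ["looks fine"]:
            print("  -", problem)
```

Feed it `dig ... > out.txt` captures from each DC (and, as the thread asks, the same queries repeated with `@ip_of_OTHER-DC`) and compare the findings per server; a DC that answers NOERROR with an ANSWER section for its own A and PTR records, and for the other DC's, is the state the thread says must exist before the join is retried.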


