[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Thu May 2 16:59:28 UTC 2019


Thank you for the quick response:

root at DC2:~# rm -rf /etc/samba/smb.conf

root at dc2:~# ll /etc/samba/     [The lmhosts file I created trying to
troubleshoot: touch /etc/samba/lmhosts. It hasn't been touched.]
total 52
drwxr-xr-x   4 root root  4096 May  2 12:57 ./
drwxr-xr-x 135 root root 12288 May  2 11:05 ../
drwxr-xr-x   2 root root  4096 May  2 09:56 etc/
-rw-r--r--   1 root root     8 Aug  6  2018 gdbcommands
-rw-r--r--   1 root root     0 May  2 09:04 lmhosts
-rw-r--r--   1 root root   376 Apr 30 08:19 shares.conf
-rw-r--r--   1 root root   969 May  2 07:09 smb.conf.bak
-rw-r--r--   1 root root  1075 May  2 09:56 smb.conf.mod1
-rw-r--r--   1 root root  9538 Apr 29 09:20 smb.conf.ucf-dist
drwxr-xr-x   2 root root  4096 Aug  6  2018 tls/
root at dc2:~#


root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
--username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
--site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ
--workgroup='DOMAIN1' -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding
CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Adding CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Using binding ncacn_ip_tcp:DC1[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Setting account password for DC2$
Enabling account
Adding DNS account CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN with dns/ SPN
Setting account password for dns-DC2
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.1.20
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb
gave: (null)
A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=DOMAIN1,DC=DOMAIN
Starting replication
Using binding ncacn_ip_tcp:DC1[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN]
objects[402/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN]
objects[804/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN]
objects[1206/1438] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN]
objects[1555/1438] linked_values[0/0]
Analyze and apply schema objects
Discarding older DRS attribute update to objectClass on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to whenCreated on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to dSASignature on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectClass on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to whenCreated on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to dSASignature on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectClass on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to whenCreated on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to dSASignature on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Discarding older DRS attribute update to objectVersion on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to showInAdvancedViewOnly on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to nTSecurityDescriptor on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to name on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to fSMORoleOwner on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to objectCategory on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
8decff98-ae54-4490-a39d-af0976b37fd5
Discarding older DRS attribute update to schemaInfo on
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN from
754d8904-e4a6-4bd4-b283-49f858a0699b
Replicated 1555 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[402/3575]
linked_values[0/31]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[804/3575]
linked_values[0/31]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1206/3575]
linked_values[0/31]
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1609/3575]
linked_values[0/31]
Replicated 403 objects (0 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Partition[CN=Configuration,DC=DOMAIN1,DC=DOMAIN] objects[1960/3575]
linked_values[31/31]
Replicated 350 objects (31 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicating critical objects from the base DN of the domain
Partition[DC=DOMAIN1,DC=DOMAIN] objects[103/122] linked_values[25/51]
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[462/1419] linked_values[38/51]
Replicated 359 objects (38 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[686/1419] linked_values[12/51]
Replicated 222 objects (12 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Partition[DC=DOMAIN1,DC=DOMAIN] objects[779/1419] linked_values[1/51]
Replicated 91 objects (1 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[172/31]
linked_values[0/0]
Replicated 172 objects (0 linked attributes) for
DC=DomainDnsZones,DC=DOMAIN1,DC=DOMAIN
Replicating DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Partition[DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN] objects[74/57]
linked_values[0/0]
Replicated 74 objects (0 linked attributes) for
DC=ForestDnsZones,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN1 from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4636) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Deleted
CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in
do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in
join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in
replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
root at DC2:~#


On Thu, May 2, 2019 at 12:27 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 11:56:30 -0400
> James Fowler via samba <samba at lists.samba.org> wrote:
>
> > So we have two different Samba servers we are trying to connect to
> > what was originally a Windows 2003 AD and was raised to 2008R2 (both
> > Forest and Domain).
> > (We really only need to connect one of them - the one hosting Samba
> > 4.7.6).
> >
> > Any ideas or suggestions are helpful!  We've scoured the lists
> > (Rowland - you are amazing), but still not found what is wrong (we
> > think it is probably a config issue on the Win2k8R2 DC).
> >
> > Thank you in advance!
> >
> > James
> >
> >
> > There is presently a single Windows 2k8R2 domain controller.
> > Our focus is on Samba 4.7.6 on Ubuntu.  We also get the same error
> > with Samba 4.6.7 on Ubuntu (same smb.conf).
> >
> > We can connect to all of the necessary ports on the Win2k8R2 DC from
> > both servers hosting Samba.
> >
> > Here are details from Samba 4.7.6 join attempt and troubleshooting
> >
> > *smb.conf:*
>
> If you are joining a new DC to an existing domain, why do you have a
> smb.conf ?
> Does it already exist ?
> From all the cruft in it, it looks like it does.
> If it does exist, then remove it and try again.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
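As an added example (not from this thread and not Samba's own code): a small Python parser for the `samba-tool domain join ... -d 3` transcript above. It totals the objects replicated per naming context, counts the `resolve_lmhosts` lookups, and pulls out the final error code together with the DRS extended operation named in the traceback, which makes the shape of this failure easy to read: schema, configuration and domain replication all completed, and the join was refused with `WERR_DS_DRA_ACCESS_DENIED` only at the `DRSUAPI_EXOP_FSMO_RID_ALLOC` step. The sample input is a constructed excerpt of the post's own output, including the mailer's line wrapping, which the parser re-joins; the function names and the wrapped-line heuristic are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the `samba-tool domain join -d 3`
# transcript in the post above, kept with the mailer's wrapping (a
# "Replicated ... for" line broken before the partition DN).
SAMPLE_LOG = """\
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Using binding ncacn_ip_tcp:DC1[,seal]
Provision OK for domain DN DC=DOMAIN1,DC=DOMAIN
Starting replication
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Replicated 1555 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 402 objects (0 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 350 objects (31 linked attributes) for
CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Replicated 103 objects (25 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Replicated 91 objects (1 linked attributes) for DC=DOMAIN1,DC=DOMAIN
Done with always replicated NC (base, config, schema)
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in
join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
"""

REPLICATED_RE = re.compile(
    r"^Replicated (\d+) objects \((\d+) linked attributes\) for (.+)$")
ERROR_RE = re.compile(
    r"^ERROR\(runtime\): uncaught exception - \((\d+), '(\w+)'\)")
EXOP_RE = re.compile(r"exop=drsuapi\.(DRSUAPI_EXOP_\w+)")
PROVISION_RE = re.compile(r"^Provision OK for domain DN (\S+)$")


def unwrap(text):
    """Re-join lines a mailer wrapped after a trailing ' for' (heuristic)."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if lines and lines[-1].endswith(" for") and not line.startswith(" "):
            lines[-1] = lines[-1] + " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_join_log(text):
    """Summarise a join transcript: per-partition totals, final error, exop."""
    totals = defaultdict(lambda: [0, 0])  # partition DN -> [objects, linked]
    result = {
        "provisioned_dn": None,
        "lmhosts_lookups": 0,
        "join_failed": False,
        "error": None,        # (numeric code, WERR_* name)
        "failed_exop": None,  # DRSUAPI extended op named in the traceback
    }
    for line in unwrap(text):
        stripped = line.strip()
        m = REPLICATED_RE.match(stripped)
        if m:
            totals[m.group(3)][0] += int(m.group(1))
            totals[m.group(3)][1] += int(m.group(2))
            continue
        m = PROVISION_RE.match(stripped)
        if m:
            result["provisioned_dn"] = m.group(1)
            continue
        if stripped.startswith("resolve_lmhosts:"):
            result["lmhosts_lookups"] += 1
            continue
        if stripped.startswith("Join failed"):
            result["join_failed"] = True
            continue
        m = ERROR_RE.match(stripped)
        if m:
            result["error"] = (int(m.group(1)), m.group(2))
            continue
        m = EXOP_RE.search(stripped)
        if m:
            result["failed_exop"] = m.group(1)
    result["replicated"] = {dn: tuple(v) for dn, v in totals.items()}
    return result


def summarize(parsed):
    """Return report lines: how far replication got and where it stopped."""
    out = []
    for dn, (objs, linked) in parsed["replicated"].items():
        out.append("replicated %-48s objects=%d linked=%d" % (dn, objs, linked))
    if parsed["join_failed"]:
        code, name = parsed["error"] or ("?", "unknown error")
        step = parsed["failed_exop"] or "unknown step"
        out.append("join failed: %s (%s) during %s" % (name, code, step))
    if parsed["lmhosts_lookups"]:
        out.append("note: %d lmhosts lookups for the source DC name"
                   % parsed["lmhosts_lookups"])
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_join_log(SAMPLE_LOG))))
```

Run against the full transcript, the per-partition totals show the provision and the bulk replication succeeding, so the report points straight at the access-denied answer to the RID allocation request rather than at connectivity or name resolution.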