[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Thu May 2 18:44:18 UTC 2019


I have read that so many times.  I started out with the simple, prompted
'samba-tool domain join' and built up from there.

Version is:
Samba 4.7.6 from Ubuntu (18.04.2)

Interesting what happens when I take out --site directive (see below).

root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
--username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
--server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
Password for [DOMAIN1\EnterpriseAdminUser]:
workgroup is DOMAIN1
realm is DOMAIN1.DOMAIN
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding
CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN1 from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4636) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
join_add_objects
    ctx.samdb.add(rec)


On Thu, May 2, 2019 at 2:25 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 12:59:28 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > root@DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > --site='Default-First-Site' --server='DC1' --dns-backend=BIND9_DLZ
> > --workgroup='DOMAIN1' -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
>
> I take it, that it didn't work.
>
> You have this:
>
> --site='Default-First-Site'
>
> Have you created a site called 'Default-First-Site' ? by default it is
> '--site='Default-First-Site-Name'
>
> If you are trying to join the site 'Default-First-Site-Name', then
> there is no need to give the option.
>
> Have you read this:
>
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> What version of Samba are you using ?
>
> Rowland
>


-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
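
An added example, not part of the original thread or of Samba's own code: a small parser for the `samba-tool domain join -d 3` output above that compares the last DN being added with the DN the server returned after "best match of:" and lists the containers in between. It assumes the "best match of" value is the LDAP matched DN, i.e. the deepest ancestor the server could find; the function names and the sample text (the log lines above with the e-mail wrapping undone) are constructed for illustration.

```python
import re

# Constructed sample: the relevant lines from the join output in this message,
# with the mail client's line wrapping removed.
SAMPLE_LOG = """\
Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Join failed - cleaning up
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
"""


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (sufficient for these DNs)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def diagnose(log):
    """Return (attempted_dn, matched_dn, missing_rdns) for an LDAP error 32.

    missing_rdns are the containers between the new object and the matched DN
    that the server did not find. Returns None if the log has no error 32,
    and missing_rdns is None if the matched DN is not an ancestor.
    """
    # \s+ also spans a newline, so a wrapped "Adding\nCN=..." is handled too.
    adds = re.findall(r"^Adding\s+(\S.*)$", log, flags=re.M)
    err = re.search(r"LDAP error 32\b.*?best match of:\s*'([^']+)'", log, flags=re.S)
    if not adds or not err:
        return None
    attempted, matched = adds[-1].strip(), err.group(1)
    a, b = split_dn(attempted), split_dn(matched)
    # The matched DN must be a suffix of the attempted DN (case-insensitive).
    if [x.lower() for x in a[-len(b):]] != [x.lower() for x in b]:
        return attempted, matched, None
    # Skip the leaf (the object being created); keep the parents in between.
    return attempted, matched, a[1:len(a) - len(b)]


if __name__ == "__main__":
    attempted, matched, missing = diagnose(SAMPLE_LOG)
    print("attempted add :", attempted)
    print("deepest match :", matched)
    print("not found     :", ", ".join(missing))
```

For the log in this message the containers reported as not found are `CN=Servers` and `CN=Default-First-Site-Name`, which is the site name the join used once `--site` was dropped.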