[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Thu May 2 20:51:02 UTC 2019


root at DC2:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
# NOTE(review): the only resolver is 192.168.1.254, which /etc/hosts on this
# host names DC1. During the join that is the sensible choice (DC2 cannot
# serve the AD zone before it holds it); once the join succeeds the DC is
# normally pointed at its own DNS so that its records are actually exercised.
nameserver 192.168.1.254
# With no search domain, a bare name such as the DC1 passed to --server on
# the join command line is not qualified with domain1.domain for a DNS
# lookup and is satisfied from /etc/hosts instead. Because Zentyal
# regenerates this file, the search entry has to be restored through
# Zentyal rather than by hand.
#search domain1.domain

/etc/hostname
cat /etc/hostname
DC2

/etc/hosts
root at DC2:~# cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
# NOTE(review): the DC's own FQDN is mapped to the loopback 127.0.1.1 here
# and to 192.168.1.20 two lines below. /etc/hosts is scanned top-down, so on
# this host DC2.DOMAIN1.DOMAIN resolves to 127.0.1.1. Samba's DC setup
# guidance is that the hostname must resolve to the LAN address; this entry
# should go (via Zentyal if it regenerates the file).
127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
# NOTE(review): DC1 is placed under DOMAIN1.local, while every other name on
# this page (the entries above, krb5.conf, the BIND forward zone, the join
# command) uses DOMAIN1.DOMAIN. The join is run with --server='DC1' and this
# line is what resolves that short name, so the existing DC is contacted
# under a different domain suffix from the realm being joined. Confirm DC1's
# real AD DNS name and realm; if it is DC1.DOMAIN1.DOMAIN, correct this line
# first. Static DC entries here also sidestep the AD DNS (A/SRV records)
# that the join would otherwise be validating.
192.168.1.254   DC1.DOMAIN1.local DC1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf (and an earlier version, kept as /etc/krb5.conf.bak)
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
        # Realm being joined. Matches the forward zone BIND serves
        # (domain1.domain) but not the DOMAIN1.local suffix that
        # /etc/hosts gives DC1.
        default_realm = DOMAIN1.DOMAIN
        # Do not derive the realm from DNS TXT records.
        dns_lookup_realm = false
        # KDCs are located through the realm's _kerberos SRV records,
        # i.e. via the resolver configured in /etc/resolv.conf.
        dns_lookup_kdc = true
root at DC2:~# cat /etc/krb5.conf.bak
[libdefaults]
    default_realm = DOMAIN1.DOMAIN
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # The earlier file differs from the live one only by this line.
    # rdns = no (an MIT Kerberos libdefaults option) stops reverse lookups
    # from being used to canonicalise host names in service principals. It
    # matters here because /etc/hosts maps 192.168.1.254 to
    # DC1.DOMAIN1.local, a name outside the DOMAIN1.DOMAIN realm; whether
    # the Samba build in use consults this key is not shown on this page.
    rdns = no

BIND9 (the zone files are very long, so only /etc/bind/named.conf and the named.conf.* files are included here)

root at DC2:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
// TSIG keys. The update-policy in named.conf.local refers to an identity
// named "domain1.domain.", which is expected to be defined here (contents
// not shown on this page).
include "/etc/bind/keys";

// NOTE(review): nothing in this file includes the named.conf that Samba
// generates for its BIND9_DLZ backend (located under Samba's bind-dns or
// private directory, depending on version). The join quoted below is run
// with --dns-backend=BIND9_DLZ, which depends on that include; instead the
// AD forward zone is served from a static file in named.conf.local. Check
// how Zentyal intends DNS to be served before the next join attempt.

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//
// These zones are inlined rather than pulled in with
//   include "/etc/bind/named.conf.default-zones";
// That file still exists with an identical copy of them. Including it as
// well would define each zone twice and named-checkconf would reject the
// configuration, so keep it one way or the other.

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.default-zones
// Debian's stock default zones. NOTE(review): this file is not included
// from named.conf on this host, which carries an identical inline copy of
// these zones; as shown it is dead configuration.
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.local
// Generated by Zentyal

// localnets = every network directly attached to this host's interfaces.
// Referenced by allow-recursion / allow-query-cache in named.conf.options,
// so any host on an attached LAN may recurse through this server.
acl "trusted" {
    localhost;
    localnets;
};

// Referenced by allow-transfer in named.conf.options: every host on this
// /24 may request a full zone transfer of the zones below.
acl "internal-local-nets" {
    192.168.1.0/24;
};


// NOTE(review): the AD forward zone is served as a static master file.
// That leaves no path for a DC's dynamic updates (there is no
// update-policy here, unlike the reverse zone below), and the join quoted
// on this page asks for --dns-backend=BIND9_DLZ, which would expect this
// zone to come from Samba's DLZ module rather than a file. How Zentyal
// expects the AD zone to be served should be confirmed before changing it.
zone "domain1.domain." IN {
    type master;
    file "/etc/bind/db.domain1.domain";
};


zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR and TXT records.
        // "domain1.domain." here is a TSIG key name (expected in
        // /etc/bind/keys); whoever holds that key may add or delete PTR
        // and TXT records anywhere under this zone.
        grant domain1.domain. subdomain 1.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost: local-ddns is the session key named
        // generates for local updates, so a process on this host with
        // access to the session key file may change any record type.
        grant local-ddns zonesub any;
    };
};

// RFC 1918 reverse zones served empty so that reverse lookups for private
// addresses are answered locally instead of being sent upstream.
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
// Empty parent of the populated 1.168.192.in-addr.arpa zone above; named
// answers from the most specific enclosing zone, so the /24 still works.
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
root at DC2:/etc/bind#

root at DC2:/etc/bind# cat named.conf.options

options {
     // Clients on 192.168.1.0/24 get answers from that network listed first.
     sortlist {
            { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;
    // NOTE(review): leave these commented. Pinning the source port to 53
    // removes the source-port randomisation named uses to make cache
    // poisoning hard; open the outbound port range on the firewall instead.



    auth-nxdomain no;    # conform to RFC1035

    // Anyone who can reach port 53 may query authoritative data;
    // recursion and cached answers are limited to "trusted" below.
    allow-query { any; };
    // "trusted" (named.conf.local) is localhost + localnets: every network
    // attached to this host's interfaces may recurse. Not an open resolver
    // for the wider internet, but every directly attached LAN is trusted.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // NOTE(review): "internal-local-nets" is 192.168.1.0/24, so any host on
    // the LAN can AXFR the AD zone and the reverse zone and enumerate every
    // host, DC and SRV record. Only other DCs / secondaries need transfers;
    // list their addresses (or a TSIG key) here, or use { none; } if there
    // are none.
    allow-transfer { internal-local-nets; };
};

// Lame-delegation warnings are discarded. Harmless, but it also hides
// upstream delegation mistakes when debugging resolution problems.
logging { category lame-servers { null; }; };
root at DC2:/etc/bind#



On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 14:44:18 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > I have read that so many times.  I started out with the simple,
> > prompted 'samba-tool domain join' and built up from there.
> >
> > Version is:
> > Samba 4.7.6 from Ubuntu (18.04.2)
> >
> > Interesting what happens when I take out the --site option (see below).
> >
> > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > Password for [DOMAIN1\EnterpriseAdminUser]:
> > workgroup is DOMAIN1
> > realm is DOMAIN1.DOMAIN
> > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > Adding
> >
> CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for DOMAIN1 from both secrets.ldb (Could not
> > find entry to match filter:
> > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary
> > Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4636) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > > <>
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > line 661, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> > do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in
> > join_add_objects
> >     ctx.samdb.add(rec)
>
> I wonder if it is a DNS problem?
>
> can you post the contents of the following files:
>
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
> 4.7.6 is EOL as far as Samba is concerned, you can find a later version
> here:
>
> http://apt.van-belle.nl/
>
> Is bind9 installed? If so, can you post its conf files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy

