[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

L.P.H. van Belle belle at bazuin.nl
Fri May 3 06:37:46 UTC 2019


Hi James, 

Another question: is Exchange installed in the Windows environment? 
If not, that's only good. 

Ok, you need to rewrite some parts; I see several things you need to fix. 

I'll comment below. 

Greetz, 

Louis 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> James Fowler via samba
> Sent: Thursday 2 May 2019 22:51
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or 
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> 
> root at DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # and managed by Zentyal.
> #
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE 
> OVERWRITTEN
> #
> nameserver 192.168.1.254
> #search domain1.domain


Remove the # and set that search to the primary DNS domain; that should be ok. 

> 
> /etc/hostname
> cat /etc/hostname
> DC2
> 

I changed hosts: 
> /etc/hosts
> root at DC2:~cat /etc/hosts

Correct this part. 
127.0.0.1       localhost localhost.localdomain
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
192.168.1.254   DC1.DOMAIN1.local DC1


> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> /etc/krb5.conf (and an earlier version)
> root at DC2:~# cat /etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN1.DOMAIN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> root at DC2:~# cat /etc/krb5.conf.bak
> [libdefaults]
>     default_realm = DOMAIN1.DOMAIN
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     rdns = no
> 
> BIND9 (really long files here - only /etc/bind/named.conf 
> +named.conf.*)
> 
> root at DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> include "/etc/bind/named.conf.local";
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> 
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal
> 
> acl "trusted" {
>     localhost;
>     localnets;
> };
> 
> acl "internal-local-nets" {
>     192.168.1.0/24;
> };
> 
> 

Remove this part below; that's your main problem. 

> zone "domain1.domain." IN {
>     type master;
>     file "/etc/bind/db.domain1.domain";
> };
> 
> 
> zone "1.168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.1.168.192";
>     update-policy {
>         // The only allowed dynamic updates are PTR records
>         grant domain1.domain. subdomain 
> 1.168.192.in-addr.arpa. PTR TXT;
>         // Grant from localhost
>         grant local-ddns zonesub any;
>     };
> };
> 
^^^^
Up to here. 

Samba and bind9 flat files are not supported.


> zone "10.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> root at DC2:/etc/bind#
> 
> root at DC2:/etc/bind# cat named.conf.options
> 
> options {
>      sortlist {
>             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
>     };
>     directory "/var/cache/bind";
> 
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you might need to uncomment the query-source
>     // directive below.  Previous versions of BIND always asked
>     // questions using port 53, but BIND 8.1 and later use an 
> unprivileged
>     // port by default.
> 
>     //query-source address * port 53;
>     //transfer-source * port 53;
>     //notify-source * port 53;
> 
> 
> 
Here: auth-nxdomain yes;    # because this server is authoritative for the domain in bind9_dlz.
> 
>     allow-query { any; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>     allow-transfer { internal-local-nets; };
> };
> 
> logging { category lame-servers { null; }; };
> root at DC2:/etc/bind#
> 
> 
> 
> On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 May 2019 14:44:18 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > > I have read that so many times.  I started out with the simple,
> > > prompted 'samba-tool domain join' and built up from there.
> > >
> > > Version is:
> > > Samba 4.7.6 from Ubuntu (18.04.2)
> > >
> > > Interesting what happens when I take out --site directive 
> (see below).
> > >
> > > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > > --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > > Password for [DOMAIN1\EnterpriseAdminUser]:
> > > workgroup is DOMAIN1
> > > realm is DOMAIN1.DOMAIN
> > > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > > Adding
> > >
> > > CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > > Join failed - cleaning up
> > > ldb_wrap open of secrets.ldb
> > > Could not find machine account in secrets database: 
> Failed to fetch
> > > machine account password for DOMAIN1 from both 
> secrets.ldb (Could not
> > > find entry to match filter:
> > > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 
> 'cn=Primary
> > > Domains': No such object: dsdb_search
> > > at ../source4/dsdb/common/util.c:4636) and
> > > from /var/lib/samba/private/secrets.tdb:
> > > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=DC2,OU=Domain
> > > Controllers,DC=DOMAIN1,DC=DOMAIN ERROR(ldb): uncaught exception -
> > > LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'
> > > > <>
> > >   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > > line 176, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
> > > line 661, in run
> > >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > > dns_backend=dns_backend) File
> > > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > > join_DC ctx.do_join()
> > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", 
> line 1375, in
> > > do_join
> > >     ctx.join_add_objects()
> > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", 
> line 631, in
> > > join_add_objects
> > >     ctx.samdb.add(rec)
> >
> > I wonder if it is a dns problem ?
> >
> > can you post the contents of the following files:
> >
> > /etc/resolv.conf
> > /etc/hostname
> > /etc/hosts
> > /etc/krb5.conf
> >
> > 4.7.6 is EOL as far as Samba is concerned, you can find a 
> later version
> > here:
> >
> > http://apt.van-belle.nl/
> >
> > Is bind9 installed, if so can you post the conf files.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> -- 
> James Fowler
> Chief Information Officer
> Association for Diplomatic Studies and Training http://adst.org
> Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
> 
> 
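A pre-join check that implements the advice in this reply (a flat-file zone for the AD domain in named.conf.local conflicts with BIND9_DLZ, and /etc/hosts must map the DC's FQDN to its LAN address), as an added example that is not part of the thread; the names DOMAIN1.DOMAIN and DC2 and the sample files are constructed from what the thread shows:

```shell
#!/bin/sh
# Added example, not from the thread: pre-join DNS sanity checks for a Samba DC
# that will use the BIND9_DLZ backend. Assumes the thread's names (DOMAIN1.DOMAIN, DC2).

# Exit 0 if the named.conf fragment $1 declares a flat-file zone (type master/primary)
# named $2. With BIND9_DLZ the AD zones are served from Samba's database, so such a
# declaration in named.conf.local conflicts with it and has to be removed.
flat_zone_conflict() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = tolower($0) }
        line ~ /^[ \t]*zone[ \t]+"/ {
            name = line
            sub(/^[ \t]*zone[ \t]+"/, "", name); sub(/".*$/, "", name); sub(/\.$/, "", name)
            inzone = (name == d); depth = 0              # trailing dot ignored
        }
        inzone && line ~ /(^|[;{ \t])type[ \t]+(master|primary)[ \t]*;/ { found = 1 }
        inzone { depth += gsub(/\{/, "{") - gsub(/\}/, "}"); if (depth <= 0) inzone = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 if hosts file $1 maps name $2 to a non-loopback address: the DC must resolve
# its own FQDN to its LAN address, not 127.0.0.1, before the join.
hosts_maps_to_lan() {
    awk -v f="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == f && $1 !~ /^127\./ && $1 != "::1") ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample files reproducing the situation in the thread.
TMP=$(mktemp -d)
cat > "$TMP/named.conf.local" <<'EOF'
acl "trusted" { localhost; localnets; };
zone "domain1.domain." IN {
    type master;
    file "/etc/bind/db.domain1.domain";
};
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
EOF
cat > "$TMP/hosts" <<'EOF'
127.0.0.1       localhost localhost.localdomain
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
EOF
flat_zone_conflict "$TMP/named.conf.local" DOMAIN1.DOMAIN && echo "remove the flat-file zone for DOMAIN1.DOMAIN from named.conf.local"
hosts_maps_to_lan "$TMP/hosts" DC2.DOMAIN1.DOMAIN || echo "map DC2.DOMAIN1.DOMAIN to the LAN address in /etc/hosts"
```

Run the two functions against the real /etc/bind/named.conf.local and /etc/hosts on the DC before retrying the join.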
