[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Mon May 6 11:06:42 UTC 2019


Inline reply.

On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2 May 2019 16:51:02 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> See inline comments
>
> > root at DC2:~# cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > # and managed by Zentyal.
> > #
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > #
> > nameserver 192.168.1.254
> > #search domain1.domain
>
> I would do two things here, the first is 'apt-get purge resolvconf',
> you do not want anything changing /etc/resolv.conf on a DC.
>

It looks like many packages that I need on this system depend on
resolvconf.  I ended up unlinking it, making the changes you recommended
and then setting it to immutable (chattr +i).  I also did
systemctl disable resolvconf.

> The second is, uncomment the 'search' line.
>
> There is also that word 'Zentyal', was/is this computer a Zentyal DC ?
>
Yes.

>
> >
> > /etc/hostname
> > cat /etc/hostname
> > DC2
> >
> > /etc/hosts
> > root at DC2:~# cat /etc/hosts
> > 127.0.0.1       localhost.localdomain localhost
> > 127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
> > 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> > 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> > 192.168.1.254   DC1.DOMAIN1.local DC1
> >
>
> You should only have the new DC's info in /etc/hosts, anything else
> should be found by DNS. There is also '127.0.1.1' , is there another
> DNS server running ? (dnsmasq, netplan etc)
>
Only bind9 is running.  The 127.0.1.1 entry comes from a failed attempt to
resolve issues.  I commented it out.  Thank you.


> > root at DC2:/etc/bind# cat named.conf
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/keys";
>
> You do not need the '/etc/bind/keys' line
>
removed.

>
> >
> > // prime the server with knowledge of the root servers
> > zone "." {
> >         type hint;
> >         file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> >         type master;
> >         file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.255";
> > };
>
> Why is the above in /etc/bind/named.conf ?
> There should just be an include line like this:
>
> include "/etc/bind/named.conf.default-zones";
>
When I added this to the end of the named.conf file bind9 wouldn't run and
complained:
named-checkconf
/etc/bind/named.conf.default-zones:2: zone '.': already exists previous definition: /etc/bind/named.conf:5
/etc/bind/named.conf.default-zones:10: zone 'localhost': already exists previous definition: /etc/bind/named.conf:13
/etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:18
/etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:23
/etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa': already exists previous definition: /etc/bind/named.conf:28

Is it a problem to not have it calling named.conf.default-zones?  It has
the same information repeated in named.conf.  Is it better to comment out
those entries there and have it called from named.conf.default-zones?


> > root at DC2:/etc/bind# cat named.conf.local
> > // Generated by Zentyal
>
> Why? they seem to be making a right mess of it ;-)
>
Tell me about it!  It is kind of crazy, the proliferation of named.conf
files, zones, etc.

>
> Mine is just:
>
> include "/var/lib/samba/bind-dns/named.conf";
>

Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf path:
root at dc2:/etc# ll /var/lib/samba/
total 1412
drwxr-xr-x   8 root root            4096 May  2 09:03 ./
drwxr-xr-x  60 root root            4096 Apr 29 20:17 ../
-rw-------   1 root root          421888 Apr 25 11:42 account_policy.tdb
-rw-------   1 root root             696 Apr 25 11:42 group_mapping.tdb
drwxr-x---   2 root ntp             4096 Apr 30 00:14 ntp_signd/
drwxr-xr-x  10 root root            4096 Apr 25 11:39 printers/
drwxr-x---   5 root bind            4096 May  2 12:50 private/
-rw-------   1 root root          528384 Apr 25 11:42 registry.tdb
-rw-------   1 root root          421888 Apr 25 11:42 share_info.tdb
drwxrwx---+  3 root adm             4096 Apr 30 08:19 sysvol/
drwxrwx--T   2 root sambashare      4096 Apr 25 11:42 usershares/
-rw-------   1 root root           32768 May  2 09:03 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv   4096 Apr 30 00:14 winbindd_privileged/

root at dc2:/etc# ll /var/lib/samba/private/
total 10896
drwxr-x--- 5 root bind    4096 May  2 12:50 ./
drwxr-xr-x 8 root root    4096 May  2 09:03 ../
-rw-r--r-- 1 root root    3663 May  2 12:50 dns_update_list
-rw------- 1 root root 1286144 May  2 12:50 hklm.ldb
-rw------- 1 root root 1286144 May  2 12:50 idmap.ldb
-rw-r--r-- 1 root root      94 May  2 12:50 krb5.conf
drwx------ 2 root root    4096 May  2 11:36 msg.sock/
-rw------- 1 root root    8888 May  2 09:03 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 May  2 12:50 privilege.ldb
-rw------- 1 root root 4247552 May  2 12:50 sam.ldb
drwx------ 2 root root    4096 May  2 12:50 sam.ldb.d/
-rw------- 1 root root 1286144 May  2 12:50 secrets.ldb
-rw-rwx--- 1 root bind  430080 May  2 09:03 secrets.tdb*
-rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
-rw-r--r-- 1 root root     955 May  2 12:50 spn_update_list
drwx------ 2 root root    4096 Apr 30 08:19 tls/


> >
> > root at DC2:/etc/bind# cat named.conf.options
> >
> > options {
> >      sortlist {
> >             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> >     };
> >     directory "/var/cache/bind";
> >     auth-nxdomain no;    # conform to RFC1035
> >
> >     allow-query { any; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >     allow-transfer { internal-local-nets; };
> > };
> >
> > logging { category lame-servers { null; }; };
>
> If that again is managed by Zentyal, well they got some things right,
> but missed a major thing, this is mine:
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>     notify no;
>     empty-zones-enable no;
>     allow-query { 127.0.0.1; 192.168.0.0/24; };
>     allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> From all this, it is clear your DNS is not working as a Samba AD DC
> would expect.
>
> Rowland
>
Thank you Rowland!

I replaced my named.conf.options with yours (and made the changes above),
restarted bind9 and then tried to join again, but still get the same error:

Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
Deleted CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

Thanks,

James



-- 
James Fowler
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
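Added example, written for this archive page and not taken from either mail, from Samba or from Zentyal: a POSIX shell preflight script that turns the three fixes discussed in the exchange above into checks to run on a prospective DC before retrying the join. It checks that /etc/resolv.conf names exactly one nameserver (the existing DC) and has an active 'search' line, that /etc/hosts carries only the new DC's own entry and no 127.0.1.1 alias, and that no zone is declared both in named.conf and in a file it includes (the condition named-checkconf reported above). The file contents, the hostnames and the addresses are constructed samples that reuse the thread's naming; treating 192.168.1.254 as the existing DC and 192.168.1.20 as the new one is an assumption read off the quoted configs.

```shell
#!/bin/sh
# Added preflight check for a host about to be joined as a Samba AD DC with
# the BIND9_DLZ backend. Encodes the three points raised in the thread.
# All sample data below is constructed; nothing here is Samba or Zentyal code.

# check_resolv FILE EXPECTED_NS
# Pass when FILE has exactly one nameserver, it equals EXPECTED_NS (the
# existing DC), and the 'search' line is present rather than commented out.
check_resolv() {
    file=$1; expected=$2
    count=$(awk '$1 == "nameserver" {n++} END {print n+0}' "$file")
    [ "$count" -eq 1 ] || { echo "resolv.conf: expected 1 nameserver, found $count" >&2; return 1; }
    ns=$(awk '$1 == "nameserver" {print $2}' "$file")
    [ "$ns" = "$expected" ] || { echo "resolv.conf: nameserver $ns is not $expected" >&2; return 1; }
    grep -q '^search[[:space:]]' "$file" || { echo "resolv.conf: 'search' line missing or commented out" >&2; return 1; }
}

# check_hosts FILE SHORTNAME FQDN IP
# Pass when there is no 127.0.1.1 alias and the only non-loopback IPv4 entry
# is this DC's own "IP FQDN SHORTNAME" line; other DCs and servers belong in DNS.
check_hosts() {
    file=$1; short=$2; fqdn=$3; ip=$4
    if grep -q '^127\.0\.1\.1[[:space:]]' "$file"; then
        echo "hosts: 127.0.1.1 entry present, remove it" >&2; return 1
    fi
    # awk condition: skip comments, blank lines, 127.0.0.1 and any IPv6 line
    filter='$1 !~ /^#/ && NF && $1 != "127.0.0.1" && $1 !~ /:/'
    count=$(awk "$filter"' {n++} END {print n+0}' "$file")
    [ "$count" -eq 1 ] || { echo "hosts: expected 1 non-loopback entry, found $count" >&2; return 1; }
    entry=$(awk "$filter"' {print $1, $2, $3}' "$file")
    [ "$entry" = "$ip $fqdn $short" ] || { echo "hosts: '$entry' is not '$ip $fqdn $short'" >&2; return 1; }
}

# check_zone_dupes FILE...
# Pass when no zone name is declared in more than one of the given files
# (named.conf plus the files it includes). A duplicate is what named-checkconf
# reports as "zone '...': already exists".
check_zone_dupes() {
    dupes=$(awk '$1 == "zone" {gsub(/"/, "", $2); print $2}' "$@" | sort | uniq -d | tr '\n' ' ')
    [ -z "$dupes" ] || { echo "named.conf: zone(s) declared twice: $dupes" >&2; return 1; }
}

# write_samples DIR
# Constructed "before" copies mirroring the thread's files and "after" copies
# with the suggested fixes applied.
write_samples() {
    dir=$1
    cat >"$dir/resolv.before" <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 192.168.1.254
#search domain1.domain
EOF
    cat >"$dir/resolv.after" <<'EOF'
nameserver 192.168.1.254
search domain1.domain
EOF
    cat >"$dir/hosts.before" <<'EOF'
127.0.0.1       localhost.localdomain localhost
127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
192.168.1.254   DC1.DOMAIN1.local DC1
EOF
    cat >"$dir/hosts.after" <<'EOF'
127.0.0.1       localhost.localdomain localhost
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
EOF
    # abbreviated stand-in for the package's named.conf.default-zones
    cat >"$dir/named.conf.default-zones" <<'EOF'
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
EOF
    # before: default zones declared inline AND named.conf.default-zones included
    cat >"$dir/named.conf.before" <<'EOF'
include "/etc/bind/named.conf.options";
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
include "/etc/bind/named.conf.default-zones";
EOF
    # after: named.conf carries include lines only
    cat >"$dir/named.conf.after" <<'EOF'
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
EOF
}

# Run all checks over the samples: the "before" copies fail, the "after" pass.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for v in before after; do
        check_resolv "$dir/resolv.$v" 192.168.1.254 && echo "resolv.$v: ok" || echo "resolv.$v: needs fixing"
        check_hosts "$dir/hosts.$v" DC2 DC2.DOMAIN1.DOMAIN 192.168.1.20 && echo "hosts.$v: ok" || echo "hosts.$v: needs fixing"
        check_zone_dupes "$dir/named.conf.$v" "$dir/named.conf.default-zones" && echo "named.conf.$v: ok" || echo "named.conf.$v: needs fixing"
    done
    rm -rf "$dir"
}
demo
```

On a live system the same three functions can be pointed at /etc/resolv.conf, /etc/hosts and /etc/bind/named.conf plus its included files; check_zone_dupes only reproduces the one class of error named-checkconf already reports, so run named-checkconf itself as well.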

