[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Mon May 6 11:24:24 UTC 2019


Hello Louis,

I removed the section you suggested and I tried joining with or without the
auth-nxdomain line in named.conf.options with no change in result.

I still get:
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN1 from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

and

ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in join_replicate
    exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 291, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)


Thanks,

James

On Fri, May 3, 2019 at 2:38 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Hi James,
>
> Another question: is Exchange installed in the Windows environment?
> If not, that's only good.
>
> Ok, you need to rewrite some parts; I see several things you need to
> fix.
>
> I'll comment below.
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > James Fowler via samba
> > Sent: Thursday 2 May 2019 22:51
> > To: Rowland Penny
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >
> > root at DC2:~# cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > # and managed by Zentyal.
> > #
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > #
> > nameserver 192.168.1.254
> > #search domain1.domain
>
>
> Remove the # and set that search to the primary DNS domain; should be ok.
>
> >
> > /etc/hostname
> > cat /etc/hostname
> > DC2
> >
>
> I changed hosts ..
> > /etc/hosts
> > root at DC2:~cat /etc/hosts
>
> Correct this part.
> 127.0.0.1       localhost localhost.localdomain
> 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> 192.168.1.254   DC1.DOMAIN1.local DC1
>
>
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > /etc/krb5.conf (and an earlier version)
> > root at DC2:~# cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = DOMAIN1.DOMAIN
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> > root at DC2:~# cat /etc/krb5.conf.bak
> > [libdefaults]
> >     default_realm = DOMAIN1.DOMAIN
> >     dns_lookup_kdc = true
> >     dns_lookup_realm = false
> >     rdns = no
> >
> > BIND9 (really long files here - only /etc/bind/named.conf +named.conf.*)
> >
> > root at DC2:/etc/bind# cat named.conf
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/keys";
> >
> > // prime the server with knowledge of the root servers
> > zone "." {
> >         type hint;
> >         file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> >         type master;
> >         file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.255";
> > };
> >
> > include "/etc/bind/named.conf.local";
> > root at DC2:/etc/bind#
> >
> > root at DC2:/etc/bind# cat named.conf.default-zones
> > // prime the server with knowledge of the root servers
> > zone "." {
> >         type hint;
> >         file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> >         type master;
> >         file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> >         type master;
> >         file "/etc/bind/db.255";
> > };
> >
> >
> > root at DC2:/etc/bind#
> >
> > root at DC2:/etc/bind# cat named.conf.local
> > // Generated by Zentyal
> >
> > acl "trusted" {
> >     localhost;
> >     localnets;
> > };
> >
> > acl "internal-local-nets" {
> >     192.168.1.0/24;
> > };
> >
> >
>
> Remove this part below; that's your main problem.
>
> > zone "domain1.domain." IN {
> >     type master;
> >     file "/etc/bind/db.domain1.domain";
> > };
> >
> >
> > zone "1.168.192.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.1.168.192";
> >     update-policy {
> >         // The only allowed dynamic updates are PTR records
> >         grant domain1.domain. subdomain
> > 1.168.192.in-addr.arpa. PTR TXT;
> >         // Grant from localhost
> >         grant local-ddns zonesub any;
> >     };
> > };
> >
> ^^^^
> Up to here..
>
> Samba and bind9 flat files are not supported.
>
>
> > zone "10.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "16.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "17.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "18.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "19.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "20.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "21.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "22.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "23.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "24.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "25.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "26.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "27.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "28.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "29.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "30.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "31.172.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > zone "168.192.in-addr.arpa" {
> >     type master;
> >     file "/etc/bind/db.empty";
> > };
> > root at DC2:/etc/bind#
> >
> > root at DC2:/etc/bind# cat named.conf.options
> >
> > options {
> >      sortlist {
> >             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> >     };
> >     directory "/var/cache/bind";
> >
> >     // If there is a firewall between you and nameservers you want
> >     // to talk to, you might need to uncomment the query-source
> >     // directive below.  Previous versions of BIND always asked
> >     // questions using port 53, but BIND 8.1 and later use an unprivileged
> >     // port by default.
> >
> >     //query-source address * port 53;
> >     //transfer-source * port 53;
> >     //notify-source * port 53;
> >
> >
> >
> Here: auth-nxdomain yes;    # because this server is authoritative for the
> domain in bind9_dlz.
> >
> >     allow-query { any; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >     allow-transfer { internal-local-nets; };
> > };
> >
> > logging { category lame-servers { null; }; };
> > root at DC2:/etc/bind#
> >
> >
> >
> > On Thu, May 2, 2019 at 3:06 PM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 May 2019 14:44:18 -0400
> > > James Fowler <fowlerj at adst.org> wrote:
> > >
> > > > I have read that so many times.  I started out with the simple,
> > > > prompted 'samba-tool domain join' and built up from there.
> > > >
> > > > Version is:
> > > > Samba 4.7.6 from Ubuntu (18.04.2)
> > > >
> > > > Interesting what happens when I take out --site directive (see below).
> > > >
> > > > root at DC2:~# samba-tool domain join DOMAIN1.DOMAIN DC
> > > > --username='DOMAIN1\EnterpriseAdminUser' --realm='DOMAIN1.DOMAIN'
> > > > --server='DC1' --dns-backend=BIND9_DLZ --workgroup='DOMAIN1' -d 3
> > > > Password for [DOMAIN1\EnterpriseAdminUser]:
> > > > workgroup is DOMAIN1
> > > > realm is DOMAIN1.DOMAIN
> > > > Adding CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > > > Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN
> > > > Join failed - cleaning up
> > > > ldb_wrap open of secrets.ldb
> > > > Could not find machine account in secrets database: Failed to fetch
> > > > machine account password for DOMAIN1 from both secrets.ldb (Could not
> > > > find entry to match filter:
> > > > '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base: 'cn=Primary
> > > > Domains': No such object: dsdb_search
> > > > at ../source4/dsdb/common/util.c:4636) and
> > > > from /var/lib/samba/private/secrets.tdb:
> > > > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > > > Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > > > ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > > > CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN <0000208D: NameErr:
> > > > DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
> > > > 'CN=Sites,CN=Configuration,DC=DOMAIN1,DC=DOMAIN'> <>
> > > >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> > > >     return self.run(*args, **kwargs)
> > > >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
> > > >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> > > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
> > > >     ctx.do_join()
> > > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
> > > >     ctx.join_add_objects()
> > > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 631, in join_add_objects
> > > >     ctx.samdb.add(rec)
> > >
> > > I wonder if it is a DNS problem?
> > >
> > > Can you post the contents of the following files:
> > >
> > > /etc/resolv.conf
> > > /etc/hostname
> > > /etc/hosts
> > > /etc/krb5.conf
> > >
> > > 4.7.6 is EOL as far as Samba is concerned; you can find a later version
> > > here:
> > >
> > > http://apt.van-belle.nl/
> > >
> > > Is bind9 installed? If so, can you post the conf files?
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
>
>


-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
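A pre-join sanity check covering the three points Louis raises in the quoted reply: the commented-out search line in resolv.conf, the /etc/hosts entry under the wrong DNS suffix, and the static flat-file zone for the AD domain that is not supported alongside BIND9_DLZ. This is an added example, not code from the list or from the Samba project; the function names, the ad_domain parameter and the sample file contents are constructed for illustration.

```python
# Added example, not from the samba list or the Samba project. Checks the
# three misconfigurations discussed in the thread before a BIND9_DLZ DC join.
# Function names and the sample inputs below are constructed.
import re

def resolv_search_ok(resolv_text, ad_domain):
    """True if an uncommented 'search' line lists the AD DNS domain."""
    for line in resolv_text.splitlines():
        fields = line.strip().split()
        if fields and fields[0] == "search":          # '#search ...' is skipped
            return ad_domain.lower() in [d.lower() for d in fields[1:]]
    return False

def hosts_mismatches(hosts_text, ad_domain):
    """FQDNs in /etc/hosts whose suffix is not the AD DNS domain."""
    bad = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # skip blank lines, loopback and IPv6 entries
        if len(fields) < 2 or fields[0].startswith("127.") or ":" in fields[0]:
            continue
        for name in fields[1:]:
            if "." in name and not name.lower().endswith("." + ad_domain.lower()):
                bad.append(name)
    return bad

# zone "<name>" [class] { body }; the body may nest one level (update-policy)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}')

def static_ad_zones(named_text, ad_domain):
    """Names of file-backed 'type master' zones that equal the AD domain."""
    found = []
    for m in ZONE_RE.finditer(named_text):
        name, body = m.group(1).rstrip(".").lower(), m.group(2)
        if name == ad_domain.lower() and "type master" in body and "file" in body:
            found.append(name)
    return found

# constructed samples modelled on the files quoted in the thread
RESOLV = "nameserver 192.168.1.254\n#search domain1.domain\n"
HOSTS = ("127.0.0.1       localhost localhost.localdomain\n"
         "192.168.1.20    DC2.DOMAIN1.DOMAIN DC2\n"
         "192.168.1.254   DC1.DOMAIN1.local DC1\n"
         "::1     localhost ip6-localhost ip6-loopback\n")
NAMED = ('zone "domain1.domain." IN {\n    type master;\n'
         '    file "/etc/bind/db.domain1.domain";\n};\n'
         'zone "1.168.192.in-addr.arpa" {\n    type master;\n'
         '    file "/etc/bind/db.1.168.192";\n'
         '    update-policy {\n        grant local-ddns zonesub any;\n    };\n};\n')
```

Run the three functions against the real files on the prospective DC with the AD DNS domain as ad_domain; any non-empty result from the last two, or False from the first, is a finding to fix before retrying the join.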
