[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Rowland Penny rpenny at samba.org
Mon May 6 11:25:19 UTC 2019


On Mon, 6 May 2019 07:06:42 -0400
James Fowler <fowlerj at adst.org> wrote:

> Inline reply.
> 
> On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:  
> 
> > On Thu, 2 May 2019 16:51:02 -0400
> > James Fowler <fowlerj at adst.org> wrote:
> >
> > See inline comments
> >  
> > > root at DC2:~# cat /etc/resolv.conf
> > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> > > resolvconf(8)
> > > # and managed by Zentyal.
> > > #
> > > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> > > OVERWRITTEN #
> > > nameserver 192.168.1.254
> > > #search domain1.domain  
> >  
> > I would do two things here, the first is 'apt-get purge resolvconf',
> > you do not want anything changing /etc/resolv.conf on a DC.
> >  
> 
>  It looks like many packages are set to be dependent on resolvconf
> that I need on this system.  I ended up unlinking it, making the
> changes you recommended and then setting it to immutable (chattr
> +i).  I also did systemctl disable resolvconf.
> 
> > The second is, uncomment the 'search' line.
> >
> > There is also that word 'Zentyal', was/is this computer a Zentyal
> > DC ? 
>  Yes.

Which is it, is it a DC or was it a DC?

If the former then you cannot join it to another DC, if it was a DC,
then you need to remove all traces of the old DC.

> 
> >  
> > >
> > > /etc/hostname
> > > cat /etc/hostname
> > > DC2
> > >
> > > /etc/hosts
> > > root at DC2:~cat /etc/hosts
> > > 127.0.0.1       localhost.localdomain localhost
> > > 127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> > > 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> > > 192.168.1.254   DC1.DOMAIN1.local DC1
> > >  
> >
> > You should only have the new DC's info in /etc/hosts, anything else
> > should be found by DNS. There is also '127.0.1.1' , is there another
> > DNS server running ? (dnsmasq, netplan etc)
> >  
> Only bind9 is running.  The 127.0.1.1 entry comes from a failed
> attempt to resolve issues.  I commented it out.  Thank you.
> 
> 
> > > root at DC2:/etc/bind# cat named.conf
> > > include "/etc/bind/named.conf.options";
> > > include "/etc/bind/keys";  
> >
> > You do not need the '/etc/bind/keys' line
> >  
> removed.
> 
> >  
> > >
> > > // prime the server with knowledge of the root servers
> > > zone "." {
> > >         type hint;
> > >         file "/etc/bind/db.root";
> > > };
> > >
> > > // be authoritative for the localhost forward and reverse zones,
> > > and for // broadcast zones as per RFC 1912
> > >
> > > zone "localhost" {
> > >         type master;
> > >         file "/etc/bind/db.local";
> > > };
> > >
> > > zone "127.in-addr.arpa" {
> > >         type master;
> > >         file "/etc/bind/db.127";
> > > };
> > >
> > > zone "0.in-addr.arpa" {
> > >         type master;
> > >         file "/etc/bind/db.0";
> > > };
> > >
> > > zone "255.in-addr.arpa" {
> > >         type master;
> > >         file "/etc/bind/db.255";
> > > };  
> >
> > Why is the above in /etc/bind/named.conf ?
> > There should just be an include line like this:
> >
> > include "/etc/bind/named.conf.default-zones";
> >  
> When I added this to the end of the named.conf file bind9 wouldn't
> run and complained:
> named-checkconf
> /etc/bind/named.conf.default-zones:2: zone '.': already exists
> previous definition: /etc/bind/named.conf:5
> /etc/bind/named.conf.default-zones:10: zone 'localhost': already
> exists previous definition: /etc/bind/named.conf:13
> /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa':
> already exists previous definition: /etc/bind/named.conf:18
> /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already
> exists previous definition: /etc/bind/named.conf:23
> /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa':
> already exists previous definition: /etc/bind/named.conf:28
> 
> Is it a problem to not have it calling named.conf.default-zones?  It
> has the same information repeated in named.conf.  Is it better to
> comment out those entries there and have it called from
> named.conf.default-zones?

That is what I meant, remove the data from where it shouldn't be and
include it with the suggested line. Your way may work, but I know my
way works.

> 
> 
> > > root at DC2:/etc/bind# cat named.conf.local
> > > // Generated by Zentyal  
> >
> > Why? they seem to be making a right mess of it ;-)
> >  
> Tell me about it! It is kind of crazy the proliferation of
> named.conf files, zones, etc.
> 
> >
> > Mine is just:
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >  
> 
> Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf

Ah you wouldn't have, the path changed, yours would be:

/var/lib/samba/private/named.conf

> I replaced my named.conf.options with yours (and made the changes
> above), restarted bind9 and then tried to join again, but still get
> the same error:
> 


I am beginning to think you are trying to join an existing DC to
another existing DC, if so, this isn't allowed.

Rowland
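An added example, not from this thread and not code from the Samba or BIND projects: a POSIX shell checker that walks a named.conf and every file it includes and reports any zone name defined more than once, which is exactly the condition that made named-checkconf fail above ("zone '.': already exists"). The sample configuration files it writes to a temporary directory are constructed here to mirror the thread's layout (RFC 1912 zones inline in named.conf plus an include of named.conf.default-zones) next to the corrected include-only layout. Resolving relative include paths against the including file's directory is a simplification made for this example; real configs, as in the thread, use absolute paths.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or BIND): find zone names defined
# more than once across named.conf and the files it includes, the condition
# named-checkconf rejects with "zone '...': already exists".
# POSIX sh + sed + awk only; sample configs are constructed below so it runs offline.
set -eu

# Print a named.conf and, recursively, every file it includes (one path per line).
# Assumption for this example: relative include paths resolve against the
# including file's directory. Only $1 is used so recursion cannot clobber state.
list_named_files() {
    printf '%s\n' "$1"
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
    while IFS= read -r inc; do
        case $inc in
            /*) list_named_files "$inc" ;;
            *)  list_named_files "$(dirname "$1")/$inc" ;;
        esac
    done
}

# Print "zone-name file" for every zone statement found in the config tree.
# Unreadable (missing) includes are skipped, the way a missing options file
# would simply not contribute zones.
zone_definitions() {
    list_named_files "$1" |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' "$f" |
        while IFS= read -r z; do printf '%s %s\n' "$z" "$f"; done
    done
}

# Report each zone defined more than once, with the files involved.
# Exit status 1 if any duplicate exists, 0 if the tree is clean.
duplicate_zones() {
    zone_definitions "$1" | awk '
        { n[$1]++; where[$1] = where[$1] " " $2 }
        END {
            dup = 0
            for (z in n) if (n[z] > 1) {
                printf "%s defined %d times:%s\n", z, n[z], where[z]
                dup = 1
            }
            exit dup
        }'
}

# Constructed sample configs (not real files from the thread's host).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# The distribution's default-zones file: the RFC 1912 zones, defined once.
cat > "$TMP/named.conf.default-zones" <<'EOF'
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
EOF

# The broken layout from the thread: the same zones inline AND via include.
cat > "$TMP/named.conf.broken" <<'EOF'
include "named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
include "named.conf.default-zones";
EOF

# The layout suggested in the reply: named.conf is includes only.
cat > "$TMP/named.conf.fixed" <<'EOF'
include "named.conf.options";
include "named.conf.default-zones";
include "named.conf.local";
EOF

for conf in "$TMP/named.conf.broken" "$TMP/named.conf.fixed"; do
    if duplicate_zones "$conf"; then
        echo "$conf: no duplicate zones"
    else
        echo "$conf: remove the duplicates before restarting bind9"
    fi
done
```

To use it on a real DC, call `duplicate_zones /etc/bind/named.conf` and fix whatever it lists before running named-checkconf and retrying the join; it only parses `zone "..."` and `include "..."` statements, so it complements rather than replaces named-checkconf, which also validates syntax and the zone files themselves.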