[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Mon May 6 13:32:45 UTC 2019


Inline reply.

On Mon, May 6, 2019 at 7:25 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 07:06:42 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 May 2019 16:51:02 -0400
> > > James Fowler <fowlerj at adst.org> wrote:
> > >
> > > See inline comments
> > >
> > > > root at DC2:~# cat /etc/resolv.conf
> > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> > > > resolvconf(8)
> > > > # and managed by Zentyal.
> > > > #
> > > > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> > > > OVERWRITTEN #
> > > > nameserver 192.168.1.254
> > > > #search domain1.domain
> > >
> > > I would do two things here, the first is 'apt-get purge resolvconf',
> > > you do not want anything changing /etc/resolv.conf on a DC.
> > >
> >
> >  It looks like many packages are set to be dependent on resolvconf
> > that I need on this system.  I ended up unlinking it, making the
> > changes you recommended and then setting it to immutable (chattr
> > +i).  I also did systemctl disable resolvconf.
> >
> > > The second is, uncomment the 'search' line.
> > >
> > > There is also that word 'Zentyal', was/is this computer a Zentyal
> > > DC ?
> >  Yes.
>
> Which, is it a DC, or was it a DC
>
It has never been a DC.  I even wiped the machine (again) at one point just
to eliminate possible contamination.

>
> If the former then you cannot join it to another DC, if it was a DC,
> then you need to remove all traces of the old DC.
>
It has never been a DC.  I've been trying to get it to become a DC.

>
> >
> > >
> > > >
> > > > /etc/hostname
> > > > cat /etc/hostname
> > > > DC2
> > > >
> > > > /etc/hosts
> > > > root at DC2:~cat /etc/hosts
> > > > 127.0.0.1       localhost.localdomain localhost
> > > > 127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> > > > 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.254   DC1.DOMAIN1.local DC1
> > > >
> > >
> > > You should only have the new DC's info in /etc/hosts, anything else
> > > should be found by DNS. There is also '127.0.1.1' , is there another
> > > DNS server running ? (dnsmasq, netplan etc)
> > >
> > Only bind9 is running.  The 127.0.1.1 entry comes from a failed
> > attempt to resolve issues.  I commented it out.  Thank you.
> >
> >
> > > > root at DC2:/etc/bind# cat named.conf
> > > > include "/etc/bind/named.conf.options";
> > > > include "/etc/bind/keys";
> > >
> > > You do not need the '/etc/bind/keys' line
> > >
> > removed.
> >
> > >
> > > >
> > > > // prime the server with knowledge of the root servers
> > > > zone "." {
> > > >         type hint;
> > > >         file "/etc/bind/db.root";
> > > > };
> > > >
> > > > // be authoritative for the localhost forward and reverse zones,
> > > > and for // broadcast zones as per RFC 1912
> > > >
> > > > zone "localhost" {
> > > >         type master;
> > > >         file "/etc/bind/db.local";
> > > > };
> > > >
> > > > zone "127.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.127";
> > > > };
> > > >
> > > > zone "0.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.0";
> > > > };
> > > >
> > > > zone "255.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.255";
> > > > };
> > >
> > > Why is the above in /etc/bind/named.conf ?
> > > There should just be an include line like this:
> > >
> > > include "/etc/bind/named.conf.default-zones";
> > >
> > When I added this to the end of the named.conf file bind9 wouldn't
> > run and complained:
> > named-checkconf
> > /etc/bind/named.conf.default-zones:2: zone '.': already exists
> > previous definition: /etc/bind/named.conf:5
> > /etc/bind/named.conf.default-zones:10: zone 'localhost': already
> > exists previous definition: /etc/bind/named.conf:13
> > /etc/bind/named.conf.default-zones:15: zone '127.in-addr.arpa':
> > already exists previous definition: /etc/bind/named.conf:18
> > /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already
> > exists previous definition: /etc/bind/named.conf:23
> > /etc/bind/named.conf.default-zones:25: zone '255.in-addr.arpa':
> > already exists previous definition: /etc/bind/named.conf:28
> >
> > Is it a problem to not have it calling named.conf.default-zones?  It
> > has the same information repeated in named.conf.  Is it better to
> > comment out those entries there and have it called from
> > named.conf.default-zones?
>
> That is what I meant, remove the data from where it shouldn't be and
> include it with the suggested line. Your way may work, but I know my
> way works.
>
I made the change to exactly reflect your recommended settings.

>
> >
> >
> > > > root at DC2:/etc/bind# cat named.conf.local
> > > > // Generated by Zentyal
> > >
> > > Why? they seem to be making a right mess of it ;-)
> > >
> > Tell me about it!   It is kind of crazy the proliferation of
> > named.conf files, zones, etc.
> >
> > >
> > > Mine is just:
> > >
> > > include "/var/lib/samba/bind-dns/named.conf";
> > >
> >
> > Presently, I have nothing in the /var/lib/samba/bind-dns/named.conf
>
> Ah you wouldn't have, the path changed, yours would be:
>
> /var/lib/samba/private/named.conf
>
I don't have anything like that in that path:
 ll /var/lib/samba/private/
total 10896
drwxr-x--- 5 root bind    4096 May  6 07:41 ./
drwxr-xr-x 8 root root    4096 May  2 09:03 ../
-rw-r--r-- 1 root root    3663 May  6 07:41 dns_update_list
-rw------- 1 root root 1286144 May  6 07:41 hklm.ldb
-rw------- 1 root root 1286144 May  6 07:41 idmap.ldb
-rw-r--r-- 1 root root      94 May  6 07:41 krb5.conf
drwx------ 2 root root    4096 May  2 11:36 msg.sock/
-rw------- 1 root root    8888 May  2 09:03 netlogon_creds_cli.tdb
-rw------- 1 root root 1286144 May  6 07:41 privilege.ldb
-rw------- 1 root root 4247552 May  6 07:41 sam.ldb
drwx------ 2 root root    4096 May  6 07:41 sam.ldb.d/
-rw------- 1 root root 1286144 May  6 07:41 secrets.ldb
-rw-rwx--- 1 root bind  430080 May  2 09:03 secrets.tdb*
-rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
-rw-r--r-- 1 root root     955 May  6 07:41 spn_update_list
drwx------ 2 root root    4096 Apr 30 08:19 tls/



> > I replaced my named.conf.options with yours (and made the changes
> > above), restarted bind9 and then tried to join again, but still get
> > the same error:
> >
>
>
> I am beginning to think you are trying to join an existing DC to
> another existing DC, if so, this isn't allowed.
>
Really, I'm not.  Is there an additional purge command, etc. that will
ensure this is not happening?   Really, I'm trying to create this samba
server and add it to an existing AD/domain as a new DC.

>
> Rowland
>

Thanks,

James



-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
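Two of the checks Rowland asks for above, the duplicate zone statements that named-checkconf rejects and /etc/hosts entries that should be served by DNS instead, written up as an added shell example. This is not code from the Samba project or from anyone in the thread; the function names and the sample file layout are assumptions for illustration, and the script runs against constructed sample files in a temporary directory, modelled on the configs quoted in the mail, rather than the real /etc/bind and /etc files.

```shell
#!/bin/sh
# Added example (not code from the Samba project or from anyone in this thread):
# shell functions for two pre-join checks raised in the thread, run against
# constructed sample files in a temporary directory. Function names and the
# sample layout are assumptions; point the functions at the real files to use them.

# Print a named.conf with every 'include "file";' line expanded in place, so zone
# statements from all included files can be inspected together.
expand_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            'include "'*'";'*)
                inc=${line#include \"}
                inc=${inc%%\"*}
                if [ -f "$inc" ]; then expand_conf "$inc"; fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# List zone names defined more than once across the expanded config: the
# condition named-checkconf rejects with "zone 'X': already exists".
duplicate_zones() {
    expand_conf "$1" \
        | sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' \
        | sort | uniq -d
}

# Print /etc/hosts lines that name some machine other than this DC (given by its
# short host name). Loopback lines, comments and blanks are ignored; anything
# printed should be resolved through DNS rather than a static hosts entry.
foreign_host_entries() {
    awk -v host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        $1 ~ /^127\./               { next }     # loopback entries are fine
        {
            mine = 0
            for (i = 2; i <= NF; i++) {
                n = tolower($i); sub(/\..*$/, "", n)   # drop the domain part
                if (n == host) mine = 1
            }
            if (!mine) print
        }' "$1"
}

# Succeed only when resolv.conf has an active (uncommented) search line.
has_search_domain() {
    grep -q '^[[:space:]]*search[[:space:]]' "$1"
}

# --- constructed sample files, modelled on the configs quoted in the thread ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/named.conf.default-zones" <<'EOF'
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
EOF
# named.conf both includes the default zones and repeats them, as on DC2.
cat > "$tmp/named.conf" <<EOF
include "$tmp/named.conf.default-zones";
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
EOF
cat > "$tmp/hosts" <<'EOF'
127.0.0.1       localhost.localdomain localhost
192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
EOF
cat > "$tmp/resolv.conf" <<'EOF'
nameserver 192.168.1.254
#search domain1.domain
EOF

echo "zones defined more than once:"; duplicate_zones "$tmp/named.conf"
echo "hosts entries that belong in DNS:"; foreign_host_entries "$tmp/hosts" DC2
has_search_domain "$tmp/resolv.conf" || echo "resolv.conf: no active search line"
```

On the sample input the first check reports `.` and `localhost` (the same two-way duplication the named-checkconf output in the thread complains about), the second reports only the otherserver line, and the third flags the commented-out search line. Once the duplicated zone blocks are removed from named.conf and only the include line remains, the first check prints nothing.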

