[Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO

James Fowler fowlerj at adst.org
Mon May 6 14:39:05 UTC 2019


Inline.

On Mon, May 6, 2019 at 9:58 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 6 May 2019 09:32:45 -0400
> James Fowler <fowlerj at adst.org> wrote:
>
> > Inline reply.
> >
> > > > > There is also that word 'Zentyal', was/is this computer a
> > > > > Zentyal DC ?
> > > >  Yes.
> > >
> > > Which, is it a DC, or was it a DC
> > >
> > It has never been a DC.  I even wiped the machine (again) at one
> > point just to eliminate possible contamination
>
> I asked about 'Zentyal' and was/if this was a DC, you answered 'Yes'.
> I asked which, now you say it has never been a DC, so where did
> 'Zentyal' come from ?
>
Yes, this is Zentyal (https://zentyal.com/community/) which is the present
incarnation of Ebox, built on Ubuntu (in this case 18.04).  It aims to more
or less make a turn-key appliance that includes the possibility of
including various services (mail, firewall, Samba, etc.).  That's where it
comes from.  Sorry for the confusion.  I didn't want to obscure the fact
that Zentyal was generating configurations for various services.

>
> >
> > >
> > > If the former then you cannot join it to another DC, if it was a DC,
> > > then you need to remove all traces of the old DC.
> > >
> > It has never been a DC.  I've been trying to get it to become a DC
>
> I believe you.
>
Thank you. :)

>
>
>
> > >
> > I made the change to exactly reflect your recommended settings.
> >
> > >
> > > >
> > > >
> > > > > > root@DC2:/etc/bind# cat named.conf.local
> > > > > > // Generated by Zentyal
> > > > >
> > > > > Why? they seem to be making a right mess of it ;-)
> > > > >
> > > > Tell me about it!   It is kind of crazy the proliferation of
> > > > named.conf files, zones, etc.
>
> There is that word 'Zentyal' again, where is it coming from ?
>
See above or https://zentyal.com/community/

>
> > > >
> > > > >
> > > > > Mine is just:
> > > > >
> > > > > include "/var/lib/samba/bind-dns/named.conf";
> > > > >
> > > >
> > > > Presently, I have nothing in
> > > > the /var/lib/samba/bind-dns/named.conf
> > >
> > > Ah you wouldn't have, the path changed, yours would be:
> > >
> > > /var/lib/samba/private/named.conf
> > >
> > I don't have anything like that in that path:
>
> Mine is in /var/lib/samba/bind-dns , but I am using 4.9.6 and the path
> changed recently, but it should be in /var/lib/samba/??? , so try
> looking for it. If it isn't there, bind9 wasn't installed when you
> provisioned and/or you didn't provision with
> '--dns-backend=BIND9_DLZ' , or you need to run 'samba_upgradedns'
>
It could be that Zentyal moved it.  If so, they don't reference it or call
it in any of the other bind9 config files.

The provisioning command (originally taken from the one generated by
Zentyal) is:
 samba-tool domain join domain1.domain DC  --username='EnterpriseAdminUser'
--realm='DOMAIN1.DOMAIN'  --site='Default-First-Site'
--server='existingdc1' --dns-backend=BIND9_DLZ --workgroup='domain1' -d 3


After attempting to join the following are created (that I know of - except
for /var/lib/samba/private/dns):
/var/lib/samba/:
total 16
drwxr-xr-x  4 root root 4096 May  6 10:03 ./
drwxr-xr-x 60 root root 4096 Apr 29 20:17 ../
drwxr-xr-x  5 root root 4096 May  6 10:07 private/
drwxr-xr-x  3 root root 4096 May  6 10:03 sysvol/

/var/lib/samba/private/:
total 10468
drwxr-xr-x 5 root root    4096 May  6 10:07 ./
drwxr-xr-x 4 root root    4096 May  6 10:03 ../
drwxr-xr-x 2 root root    4096 May  6 10:06 dns/
-rw-r--r-- 1 root root    3663 May  6 10:07 dns_update_list
-rw------- 1 root root 1286144 May  6 10:07 hklm.ldb
-rw------- 1 root root 1286144 May  6 10:07 idmap.ldb
-rw-r--r-- 1 root root      94 May  6 10:07 krb5.conf
-rw------- 1 root root 1286144 May  6 10:07 privilege.ldb
-rw------- 1 root root 4247552 May  6 10:07 sam.ldb
drwx------ 2 root root    4096 May  6 10:07 sam.ldb.d/
-rw------- 1 root root 1286144 May  6 10:07 secrets.ldb
-rw------- 1 root root     696 May  6 10:03 secrets.tdb
-rw------- 1 root root 1286144 May  6 10:03 share.ldb
-rw-r--r-- 1 root root     955 May  6 10:07 spn_update_list
drwx------ 2 root root    4096 May  6 10:03 tls/


Thanks,

James


> Rowland


-- 
James Fowler
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
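
The check discussed in this message (whether Samba's generated named.conf exists in either location under /var/lib/samba, and whether BIND's named.conf.local actually includes it), written out as an added example. It is not from the thread or from Samba or Zentyal; the function names are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not Samba or Zentyal code; function names are hypothetical.

# Print the path of Samba's generated named.conf under state dir $1, trying
# both locations named in the thread. Returns 1 if neither file exists.
find_samba_named_conf() {
    for sub in bind-dns private; do
        if [ -f "$1/$sub/named.conf" ]; then
            printf '%s\n' "$1/$sub/named.conf"
            return 0
        fi
    done
    return 1
}

# Succeed if BIND config file $1 has an include of path $2 on a line that is
# not a // or # comment. (/* ... */ block comments are not handled.)
bind_includes() {
    grep -Ev '^[[:space:]]*(//|#)' "$1" 2>/dev/null |
        grep -E '^[[:space:]]*include[[:space:]]' |
        grep -Fq "\"$2\""
}

# Print one of: missing | not-included | ok
#   missing      - no generated named.conf (join ran without BIND9_DLZ files)
#   not-included - file exists but BIND's config never references it
dlz_status() {
    conf=$(find_samba_named_conf "$1") || { echo missing; return 0; }
    if bind_includes "$2" "$conf"; then echo ok; else echo not-included; fi
}

# Constructed demo tree (not real host data): named.conf sits in private/,
# and named.conf.local holds only the generator's comment line.
demo=$(mktemp -d)
mkdir -p "$demo/state/private"
: > "$demo/state/private/named.conf"
printf '// Generated by Zentyal\n' > "$demo/named.conf.local"
dlz_status "$demo/state" "$demo/named.conf.local"
```

On the host from this thread the call would be `dlz_status /var/lib/samba /etc/bind/named.conf.local`.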

