[Samba] Newly joined DC - Failed to bind to uuid for ncacn_ip_tcp .. NT_STATUS_INVALID_PARAMETER

Jonathan Hunter jmhunter1 at gmail.com
Sun Feb 16 11:53:58 UTC 2020


Following up on this post for the benefit of the archives, I don't
want to be another DenverCoder9! [1]

I believe I have fixed this issue now (although I am at a loss to
explain how it occurred in the first place). Hopefully I correctly
figured out what SPNs should be present against each machine - I'm not
an expert in this area, but am describing the process I went through
below in the hope that it will help some future person who might have
the same issue.

If I've misunderstood SPNs then hopefully someone can correct me :)

On Tue, 28 Jan 2020 at 17:52, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> The error I am getting in the logs on other DCs is below (this example
> is from the log file on existing dc2, trying to replicate to newdc)
> Jan 28 14:19:37 dc2 samba[3153]: [2020/01/28 14:19:37.115584,  0]
> ../../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Jan 28 14:19:37 dc2 samba[3153]:   Failed to bind to uuid
> 11111111-2222-3333-4444-5555555555 for
> ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,target_hostname=66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
> NT_STATUS_INVALID_PARAMETER
>
>
> Previous google searches uncovered some mentions of TLS issues but I
> [...]
> I don't know much about SPNs - is there anything I can check there, perhaps?

The issue, as far as I can see, turned out to be nothing to do with
DNS entries, /etc/hosts files, TLS or anything of that sort.

In the end, and I have no idea why, it seems I had ended up with a
situation where DC2 (which was the existing and running DC) had some
*extra* SPNs stored in AD that belonged to an old instance of DC1 (the
DC I was trying to join).

A 'normal' DC looks like this (in my environment, at least - the
output shown below is from DC1 now that I have successfully joined it
to my domain):
user at dc2:~ $ sudo samba-tool spn list dc1$
dc1$
User CN=DC1,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the
following servicePrincipalName:
HOST/DC1
HOST/dc1.mydomain.org.uk
GC/dc1.mydomain.org.uk/mydomain.org.uk
00000000-1111-2222-3333-4444444/55555555-6666-7777-8888-9999999999/mydomain.org.uk
HOST/dc1.mydomain.org.uk/MYDOMAIN
ldap/dc1.mydomain.org.uk/MYDOMAIN
ldap/dc1.mydomain.org.uk
HOST/dc1.mydomain.org.uk/mydomain.org.uk
ldap/dc1.mydomain.org.uk/mydomain.org.uk
ldap/55555555-6666-7777-8888-9999999999._msdcs.mydomain.org.uk
ldap/DC1
RestrictedKrbHost/DC1
RestrictedKrbHost/dc1.mydomain.org.uk
ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk

However, before I was able to join DC1 successfully (when I was having
the issues described in the original post), I finally spotted that DC2
had the following SPN entries which didn't seem correct:
(I have annotated the output below.)
user at dc2:~ $ sudo samba-tool spn list dc2$
dc2$
User CN=DC2,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the
following servicePrincipalName:
---> the below is all correct as it relates to DC2 <---
HOST/DC2
HOST/dc2.mydomain.org.uk
GC/dc2.mydomain.org.uk/mydomain.org.uk
00000000-1111-2222-3333-4444444/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee/mydomain.org.uk
HOST/dc2.mydomain.org.uk/MYDOMAIN
ldap/dc2.mydomain.org.uk/MYDOMAIN
ldap/dc2.mydomain.org.uk
HOST/dc2.mydomain.org.uk/mydomain.org.uk
ldap/dc2.mydomain.org.uk/mydomain.org.uk
ldap/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee._msdcs.mydomain.org.uk
ldap/DC2
RestrictedKrbHost/DC2
RestrictedKrbHost/dc2.mydomain.org.uk
ldap/dc2.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
ldap/dc2.mydomain.org.uk/ForestDnsZones.mydomain.org.uk
---> everything below this line is not correct as it relates to DC1,
not DC2 <---
HOST/dc1.mydomain.org.uk
HOST/dc1.mydomain.org.uk/MYDOMAIN
ldap/dc1.mydomain.org.uk/MYDOMAIN
GC/dc1.mydomain.org.uk/mydomain.org.uk
ldap/dc1.mydomain.org.uk
HOST/dc1.mydomain.org.uk/mydomain.org.uk
ldap/dc1.mydomain.org.uk/mydomain.org.uk
00000000-1111-2222-3333-4444444/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj/mydomain.org.uk
ldap/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj._msdcs.mydomain.org.uk
RestrictedKrbHost/dc1.mydomain.org.uk
ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk

I ran 'sudo samba-tool spn delete' for each of the entries that I felt
shouldn't have been there, e.g.
$ sudo samba-tool spn delete HOST/dc1.mydomain.org.uk DC2$
$ sudo samba-tool spn delete HOST/dc1.mydomain.org.uk/MYDOMAIN DC2$
etc.

After that point, I was able to join DC1 to the domain without any issue.

Jonathan


[1] https://xkcd.com/979/

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
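The check Jonathan did by eye (which SPNs on the DC2$ account actually name DC2, and which name some other host) can be automated. The script below is an added example, not code from the post or from Samba: it parses the text that `samba-tool spn list <account>` prints, in the layout shown above, and sorts each SPN into "own" or "foreign" by comparing its host part with the account's short name, FQDN and NTDS Settings (DSA) object GUID. The DSA GUID is assumed to be supplied by the operator (it is the `<guid>._msdcs` name the DC registers for itself, and is also printed by `samba-tool drs showrepl`). The sample listing is constructed from the DC2 output in the thread, and the GUID pattern is deliberately loose so that the redacted placeholders used there still parse.

```python
"""Audit a DC account's servicePrincipalName entries for ones that name another host.

Added example; not part of the original post or of Samba's own tooling.
"""
import re
from typing import Dict, List

# Loose GUID pattern (five dash-separated alphanumeric groups). Real GUIDs are
# stricter; this also accepts the redacted values used in the thread, such as
# ffffffff-gggg-hhhh-iiii-jjjjjjjjjj.
GUID_RE = re.compile(r"^[0-9a-z]+(?:-[0-9a-z]+){4}$", re.I)

# Constructed sample: the DC2 listing from the thread (annotation lines removed,
# header on one line as samba-tool prints it).
SAMPLE_DC2 = """\
dc2$
User CN=DC2,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk has the following servicePrincipalName:
HOST/DC2
HOST/dc2.mydomain.org.uk
GC/dc2.mydomain.org.uk/mydomain.org.uk
00000000-1111-2222-3333-4444444/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee/mydomain.org.uk
HOST/dc2.mydomain.org.uk/MYDOMAIN
ldap/dc2.mydomain.org.uk/MYDOMAIN
ldap/dc2.mydomain.org.uk
HOST/dc2.mydomain.org.uk/mydomain.org.uk
ldap/dc2.mydomain.org.uk/mydomain.org.uk
ldap/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee._msdcs.mydomain.org.uk
ldap/DC2
RestrictedKrbHost/DC2
RestrictedKrbHost/dc2.mydomain.org.uk
ldap/dc2.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
ldap/dc2.mydomain.org.uk/ForestDnsZones.mydomain.org.uk
HOST/dc1.mydomain.org.uk
HOST/dc1.mydomain.org.uk/MYDOMAIN
ldap/dc1.mydomain.org.uk/MYDOMAIN
GC/dc1.mydomain.org.uk/mydomain.org.uk
ldap/dc1.mydomain.org.uk
HOST/dc1.mydomain.org.uk/mydomain.org.uk
ldap/dc1.mydomain.org.uk/mydomain.org.uk
00000000-1111-2222-3333-4444444/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj/mydomain.org.uk
ldap/ffffffff-gggg-hhhh-iiii-jjjjjjjjjj._msdcs.mydomain.org.uk
RestrictedKrbHost/dc1.mydomain.org.uk
ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk
ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk
"""


def parse_spn_list(output: str) -> List[str]:
    """Return the SPN lines that follow the 'servicePrincipalName:' header.

    Works whether the header is on one line or wrapped as in the mail archive.
    """
    lines = [ln.strip() for ln in output.splitlines()]
    for i, ln in enumerate(lines):
        if ln.endswith("servicePrincipalName:"):
            return [s for s in lines[i + 1:] if s]
    raise ValueError("no servicePrincipalName header found in output")


def classify_spns(spns: List[str], short_name: str, fqdn: str,
                  dsa_guid: str) -> Dict[str, List[str]]:
    """Split SPNs into 'own' (host part names this DC) and 'foreign' (anything else).

    An SPN is service/host[:port][/name]. The host part is 'own' if it is the
    account's short name, its FQDN, or its <dsa_guid>._msdcs.<domain> alias.
    The DRS replication SPN has the form <DRS GUID>/<DSA GUID>/<domain>, so
    there the second component is compared with the DSA GUID directly.
    """
    domain = fqdn.split(".", 1)[1].lower()
    own_hosts = {
        short_name.lower(),
        fqdn.lower(),
        f"{dsa_guid}._msdcs.{domain}".lower(),
    }
    result: Dict[str, List[str]] = {"own": [], "foreign": []}
    for spn in spns:
        parts = spn.split("/")
        if len(parts) < 2:
            result["foreign"].append(spn)  # not in service/host form at all
            continue
        service, host = parts[0], parts[1].split(":")[0].lower()
        if GUID_RE.match(service) and GUID_RE.match(parts[1]):
            ok = host == dsa_guid.lower()   # DRS SPN: second field is the DSA GUID
        else:
            ok = host in own_hosts
        result["own" if ok else "foreign"].append(spn)
    return result


def deletion_commands(foreign: List[str], account: str) -> List[str]:
    """Build the samba-tool spn delete commands for review before running them."""
    return [f"samba-tool spn delete {spn} {account}" for spn in foreign]


if __name__ == "__main__":
    spns = parse_spn_list(SAMPLE_DC2)
    report = classify_spns(spns, "DC2", "dc2.mydomain.org.uk",
                           "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeee")
    print(f"{len(report['own'])} SPNs name DC2, {len(report['foreign'])} do not:")
    for cmd in deletion_commands(report["foreign"], "DC2$"):
        print("  " + cmd)
```

Run it against `samba-tool spn list dc2$` output piped from the real DC and review the printed delete commands rather than executing them blindly; the script only flags host mismatches, so an SPN that is legitimately registered under an alias (a CNAME or an extra host name the DC answers to) would also show up as "foreign" and should be left alone.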


