[Samba] Newly joined DC - Failed to bind to uuid for ncacn_ip_tcp .. NT_STATUS_INVALID_PARAMETER

Rowland penny rpenny at samba.org
Tue Jan 28 18:36:38 UTC 2020


On 28/01/2020 17:52, Jonathan Hunter via samba wrote:
> Hi,
>
> I managed to find some time to rebuild one of my DCs that had failed
> due to hardware issues some time back (and was removed from the domain
> at the time). Thanks to Rowland for helping out with samba-tool for
> this.
>
> However, despite following my normal build guide that I have used for
> all my other DCs, this one straight away shows some replication errors
> in the logs of some other DCs in the domain - and I'm not sure why.
>
> I have probably missed something obvious / basic but I have been
> staring at this for a while now and figured I would post here in case
> someone can point me in the right direction! Hopefully-useful
> information is below.
>
> I first of all tried using samba 4.11.4 as that was the latest at the
> time, but when that didn't work I tried 4.10.13 (since my other DCs
> are all 4.10.x and I thought that this might fix the problem) - that
> hasn't helped and the errors still appear.
>
> The error I am getting in the logs on other DCs is below (this example
> is from the log file on existing dc2, trying to replicate to newdc)
> Jan 28 14:19:37 dc2 samba[3153]: [2020/01/28 14:19:37.115584,  0]
> ../../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Jan 28 14:19:37 dc2 samba[3153]:   Failed to bind to uuid
> 11111111-2222-3333-4444-5555555555 for
> ncacn_ip_tcp:192.168.1.6[49153,seal,krb5,target_hostname=66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk,target_principal=GC/newdc.mydomain.org.uk/mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
> NT_STATUS_INVALID_PARAMETER
>
>
> Previous google searches uncovered some mentions of TLS issues but I
> do have a current cert in /usr/local/samba/private/tls that matches
> the certs on my other DCs (I use an internal CA) - i.e.
> newdc.mydomain.org.uk. I think the issue must lie elsewhere but I'm
> not a kerberos expert and am not sure how to debug this,
> unfortunately.
>
> I did find a post from a poor chap called Jonathan Hunter :) who had a
> similar issue in 2016:
> https://lists.samba.org/archive/samba/2016-September/202777.html
> However this wasn't the issue this time - I checked that the
> "127.0.1.1" line was not present in /etc/hosts, but I'm still getting
> these 'failed to bind to uuid' errors :(
>
> I've checked the clocks and they are successfully synchronised via NTP.
>
> As suggested in another thread, I have checked with KCC but as
> expected it fails:
> dc2$ sudo samba-tool drs kcc newdc.mydomain.org.uk
> Failed to bind to uuid 11111111-2222-3333-4444-5555555555 for
> ncacn_ip_tcp:192.168.1.6[49153,seal,target_hostname=newdc.mydomain.org.uk,abstract_syntax=11111111-2222-3333-4444-5555555555/0x00000004,localaddress=192.168.1.3]
> NT_STATUS_UNSUCCESSFUL
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
> newdc.mydomain.org.uk failed - drsException: DRS connection to
> newdc.mydomain.org.uk failed: (3221225473, '{Operation Failed} The
> requested operation was unsuccessful.')
>    File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/drs.py",
> line 54, in drsuapi_connect
>      (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>    File "/usr/local/samba/lib/python3.4/site-packages/samba/drs_utils.py",
> line 63, in drsuapi_connect
>      raise drsException("DRS connection to %s failed: %s" % (server, e))
>
>
> Installation steps I followed (ostensibly the same as my other DCs,
> but perhaps I missed something):
>    - set static IP of machine
>    - add local LAN IP to /etc/hosts
>    - install pre-requisite .deb packages
>    - set up NTP
>    - compile & install samba
>    - join domain
>    - copy krb5.conf to /etc
>    - place signed key & cert in /usr/local/samba/private/tls/
>    - run samba_dnsupdate
>    - start samba
>
>
> My smb.conf is the same as on my other DCs and is as follows
>
> # Global parameters
> [global]
>          netbios name = NEWDC
>          realm = NEWDC.MYDOMAIN.ORG.UK
>          server role = active directory domain controller
>          workgroup = MYDOMAIN
>          dns forwarder = 192.168.2.10 192.168.3.11
>          idmap_ldb:use rfc2307 = yes
>          # Need NTLM Auth for radius
>          ntlm auth = yes
>
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/mydomain.org.uk/scripts
>          read only = No
>
> [dfs]   # this doesn't actually work but hey, I was trying some time back..
>          path = /usr/local/samba/dfsroot
>          msdfs root = yes
>
>
>
>
> Checking from dc2, DNS seems to be correct:
>
> dc2$ host newdc.mydomain.org.uk 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> newdc.mydomain.org.uk has address 192.168.1.6
>
> and
>
> dc2$ host 66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> 66666666-7777-8888-9999-0000000000._msdcs.mydomain.org.uk is an alias
> for newdc.mydomain.org.uk.
> newdc.mydomain.org.uk has address 192.168.1.6
>
>
> newdc does have port 445 open:
> dc2$ nc -v 192.168.1.6 445
> Connection to 192.168.1.6 445 port [tcp/microsoft-ds] succeeded!
> ^C
>
> and seems to be listening on the correct other ports, also
> newdc$ netstat -an -A inet | grep LISTEN
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:8125          0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:19999           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN
>
> I'm not sure what to check next. Other than enabling level 10 logging
> globally, is there something more I could check on the new DC?
>
>
> The domain join seemed to go fine - stdout output is below (I have
> stderr too, if needed)
> Adding CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk
> Adding CN=NEWDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain,DC=org,DC=uk
> Adding CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Mysite,CN=Sites,CN=Configuration,mydomain,DC=org,DC=uk
> Adding SPNs to CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org,DC=uk
> Setting account password for NEWDC$
> Enabling account
> Calling bare provision
> Provision OK for domain DN DC=mydomain,DC=org,DC=uk
> Starting replication
> Missing target object - retrying with DRS_GET_TGT
> Replicating critical objects from the base DN of the domain
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mydomain,DC=org,DC=uk
> Replicating DC=ForestDnsZones,DC=mydomain,DC=org,DC=uk
> Committing SAM database
>
>
> I don't know much about SPNs - is there anything I can check there, perhaps?
>
> Many thanks :)
>
> Jonathan
>
Your DC doesn't seem to be listening on its IP or 127.0.0.1 on port 53, yours:

tcp        0      0 0.0.0.0:53 0.0.0.0:*               LISTEN

Mine:

tcp        0      0 192.168.0.6:53 0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53 0.0.0.0:*               LISTEN

Using: netstat -aplnt

Gives a bit more info:

tcp        0      0 192.168.0.6:53 0.0.0.0:*               LISTEN      30254/named
tcp        0      0 127.0.0.1:53 0.0.0.0:*               LISTEN      30254/named

Okay, I use Bind9, but I would expect, in your case, that 'named' would 
be replaced with samba.

What is in:

/etc/hostname

/etc/hosts

/etc/resolv.conf

Rowland
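The three files Rowland asks for can be checked mechanically against the rules a Samba AD DC has to satisfy: /etc/hostname carries the DC's name, /etc/hosts maps the FQDN (FQDN first, short name as alias) to the LAN address and not to 127.0.1.1, and /etc/resolv.conf searches the AD DNS domain and points at the DC itself. The script below is an added example, not Samba project code and not part of this thread; the host name newdc.mydomain.org.uk, the address 192.168.1.6 and the file contents are constructed to mirror the post (the "bad" set reproduces the 127.0.1.1 line from the 2016 thread). It checks only the files, not port bindings or DNS records.

```sh
#!/bin/sh
# Preflight check of the name-resolution files a Samba AD DC depends on:
# /etc/hostname, /etc/hosts and /etc/resolv.conf. Added example, not Samba
# project code. Names and addresses below are constructed to mirror the thread.

# Escape the dots in a hostname or IP so it can be used literally in an ERE.
re_lit() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_dc_naming FQDN IP HOSTNAME_FILE HOSTS_FILE RESOLV_FILE
# Prints one FAIL line per problem; returns the number of problems (0 = clean).
check_dc_naming() {
    fqdn=$1
    ip=$2
    hostname_file=$3
    hosts_file=$4
    resolv_file=$5
    short=${fqdn%%.*}
    domain=${fqdn#*.}
    fails=0
    fqdn_re=$(re_lit "$fqdn")
    ip_re=$(re_lit "$ip")
    domain_re=$(re_lit "$domain")

    # 1. /etc/hostname must contain the short name or the FQDN, nothing else.
    hn=$(head -n 1 "$hostname_file" | tr -d '[:space:]')
    if [ "$hn" != "$short" ] && [ "$hn" != "$fqdn" ]; then
        echo "FAIL hostname: '$hn' is neither $short nor $fqdn"
        fails=$((fails + 1))
    fi

    # 2. /etc/hosts: neither name may sit on a 127.0.1.1 line (the installer
    #    default that made the DC advertise a loopback address in the 2016 thread),
    #    and the FQDN must map to the LAN IP with the FQDN as the first name.
    if grep -Eq "^[[:space:]]*127\.0\.1\.1[[:space:]]+(.*[[:space:]])?($short|$fqdn_re)([[:space:]]|$)" "$hosts_file"; then
        echo "FAIL hosts: $short is mapped to 127.0.1.1"
        fails=$((fails + 1))
    fi
    if ! grep -Eq "^[[:space:]]*$ip_re[[:space:]]+$fqdn_re([[:space:]]|$)" "$hosts_file"; then
        echo "FAIL hosts: no line '$ip $fqdn ...'"
        fails=$((fails + 1))
    fi

    # 3. /etc/resolv.conf: search the AD DNS domain, and use this DC (its LAN IP
    #    or 127.0.0.1) as first nameserver so _msdcs lookups hit AD DNS and not
    #    an external resolver.
    if ! grep -Eq "^(search|domain)[[:space:]]+$domain_re([[:space:]]|$)" "$resolv_file"; then
        echo "FAIL resolv.conf: no 'search $domain' line"
        fails=$((fails + 1))
    fi
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    if [ "$first_ns" != "$ip" ] && [ "$first_ns" != "127.0.0.1" ]; then
        echo "FAIL resolv.conf: first nameserver is '${first_ns:-none}', expected $ip or 127.0.0.1"
        fails=$((fails + 1))
    fi
    return $fails
}

# write_samples DIR: constructed files for a correct DC ("good") and for one
# that still carries the '127.0.1.1 newdc' line and an external resolver ("bad").
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf 'newdc\n' > "$1/good/hostname"
    printf '127.0.0.1 localhost\n192.168.1.6 newdc.mydomain.org.uk newdc\n' > "$1/good/hosts"
    printf 'search mydomain.org.uk\nnameserver 192.168.1.6\n' > "$1/good/resolv.conf"

    printf 'newdc\n' > "$1/bad/hostname"
    printf '127.0.0.1 localhost\n127.0.1.1 newdc.mydomain.org.uk newdc\n' > "$1/bad/hosts"
    printf 'nameserver 192.168.2.10\n' > "$1/bad/resolv.conf"
}

# Run against the constructed samples; on a real DC pass /etc/hostname,
# /etc/hosts and /etc/resolv.conf instead.
tmp=$(mktemp -d)
write_samples "$tmp"
for v in good bad; do
    rc=0
    check_dc_naming newdc.mydomain.org.uk 192.168.1.6 \
        "$tmp/$v/hostname" "$tmp/$v/hosts" "$tmp/$v/resolv.conf" || rc=$?
    echo "$v: $rc problem(s)"
done
rm -rf "$tmp"
```

The "bad" set reports four problems: the 127.0.1.1 mapping, the missing "192.168.1.6 newdc.mydomain.org.uk" line, the missing search domain, and a first nameserver that is not the DC. Run it with the real paths on newdc before chasing Kerberos or TLS, since a DC that resolves its own name to a loopback address registers that address in AD and the other DCs then fail their DRS binds against it.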
