[Samba] RODC in remote Site

cn at brain-biotech.de cn at brain-biotech.de
Mon Feb 15 15:20:43 UTC 2021


On 15.02.21 at 16:06, Rowland penny via samba wrote:
> On 15/02/2021 14:48, cn--- via samba wrote:
>> Hello All,
>> sorry for the long post...
>> I have deployed a RODC in a remote site. The Site and the subnet were 
>> already created but had no DC. I have set up the RODC as I would a 
>> normal DC. This is on CentOS 8 with Sernet packages. And did a join 
>> like this:
>>
>> samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ 
>> --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"
>>
>> This completed successfully. The RODC was created in the Sites and 
>> Services app. The replication with one DC is also listed there.
> 
> 
> Do you have 'dns.keytab' in /var/lib/samba/bind-dns/ ?

Yes, I copied this before I first started the samba-ad service, just to make sure.

> 
> If you don't (I am willing to bet you don't), run 'samba_upgradedns' and 
> downgrade to the internal dns server, then run it again, but add 
> '--dns-backend=BIND9_DLZ'. This will upgrade you to the Bind9 dns server 
> again, but this time with the 'dns.keytab' in the correct location.

I ran this already but tried it again:

[root at rodc ~]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/HQ.DOMAIN.DE.zone
DNS records will be automatically created
DNS partitions already exist
DSDB Transaction [rollback] at [Mon, 15 Feb 2021 16:16:02.417149 CET] 
duration [3056]
Traceback (most recent call last):
   File "/usr/sbin/samba_upgradedns", line 439, in <module>
     ldbs.sam.modify(m)
_ldb.LdbError: (1, 'Invalid LDB reply type 1')

But Bind starts and runs OK. Again trying to update DNS:


Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: added 
rdataset 87.1.168.192.in-addr.arpa '87.1.168.192.in-addr.arpa. 
1200        IN        PTR        BR-FH9Y503.hq.domain.de.'
Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: committed 
transaction on zone 1.168.192.in-addr.arpa
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting 
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing 
update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A 
error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40 
10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone 
'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling 
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
16:17:52.578833,  1] 
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
create_connection_session_info: guest user (from session setup) not 
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
16:17:52.578922,  1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
16:17:52.618969,  1] 
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
create_connection_session_info: guest user (from session setup) not 
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
16:17:52.619059,  1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED



And on the remote DC I get this:

Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting 
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing 
update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A 
error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40 
10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone 
'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling 
transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
16:17:52.578833,  1] 
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
create_connection_session_info: guest user (from session setup) not 
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
16:17:52.578922,  1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
16:17:52.618969,  1] 
../../source3/smbd/service.c:355(create_connection_session_info)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
create_connection_session_info: guest user (from session setup) not 
permitted to access this share (IPC$)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
16:17:52.619059,  1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED


Regards

Christian

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive Board: Adriaan Moelker (Chairman of the Executive Board), 
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
