[Samba] Failed to find a writeable DC

Fabrizio Rompani fabrizio.rompani at yetopen.com
Fri Oct 10 16:04:32 UTC 2025


Temporarily stopped the firewall (both),
increased debug.
Same error:

Thanks
f



root@grants-dc:/var/lib/samba# samba-tool domain join s4ad.domain.org DC -U administrator --realm=S4AD.domain.ORG --debug=15
INFO: Current debug levels:                                                                                                                                                             
  all: 15                                                                                                                                                                               
  tdb: 15                                                                                                                                                                               
  printdrivers: 15                                                                          
  lanman: 15                                                                                
  smb: 15                                                                                   
  rpc_parse: 15                                                                             
  rpc_srv: 15                                                                               
  rpc_cli: 15                                                                               
  passdb: 15                                                                                
  sam: 15                                                                                   
  auth: 15                                                                                  
  winbind: 15                                                                               
  vfs: 15                                                                                   
  idmap: 15                                                                                 
  quota: 15                                                                                 
  acls: 15                                                                                  
  locking: 15                                                                               
  msdfs: 15                                                                                 
  dmapi: 15                                                                                 
  registry: 15                                                                              
  scavenger: 15                                                                             
  dns: 15                                                                                   
  ldb: 15                                                                                   
  tevent: 15                                                                                
  auth_audit: 15                                                                            
  auth_json_audit: 15                                                                       
  kerberos: 15                                                                              
  drs_repl: 15                                                                              
  smb2: 15                                                                                  
  smb2_credits: 15                                                                          
  dsdb_audit: 15                                                                            
  dsdb_json_audit: 15                                                                       
  dsdb_password_audit: 15                                                                   
  dsdb_password_json_audit: 15                                                              
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15                                                                                                                                                       
  dsdb_group_audit: 15                                                                                                                                                                  
  dsdb_group_json_audit: 15                                                                                                                                                             
  ldapsrv: 15                                                                                                                                                                           
GENSEC backend 'gssapi_spnego' registered                                                   
GENSEC backend 'gssapi_krb5' registered                                                     
GENSEC backend 'gssapi_krb5_sasl' registered                                                
GENSEC backend 'spnego' registered                                                          
GENSEC backend 'schannel' registered                                                        
GENSEC backend 'ncalrpc_as_system' registered                                               
GENSEC backend 'sasl-EXTERNAL' registered                                                   
GENSEC backend 'ntlmssp' registered                                                         
GENSEC backend 'ntlmssp_resume_ccache' registered                                           
GENSEC backend 'http_basic' registered                                                      
GENSEC backend 'http_ntlm' registered                                                       
GENSEC backend 'http_negotiate' registered                                                  
GENSEC backend 'krb5' registered                                                            
GENSEC backend 'fake_gssapi_krb5' registered                                                
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0                                                                           
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0                                                                   
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0                                                                                              
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0                                                                                              
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0                                                                                                          
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0                                                                                                          
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0                                                                                                  
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0                                                                                              
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0                                                                                              
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0                                                                                                          
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0                                                                                                          
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0                                                                                                  
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0                                                                                              
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0                                                                                              
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0                                                                                                          
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0                                                                                                          
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0                                                                                                  
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0                                                                                              
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0                                                                                              
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0                                                                                                                               
INFO 2025-10-10 17:57:32,177 pid:133803 /usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC for domain 's4ad.domain.org'                                                                
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0                                                                                                                               
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0                                                                                                                       
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0                                                                                                                   
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0            
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255 netmask=255.255.0.0            
added interface docker_gwbridge ip=172.18.0.1 bcast=172.18.255.255 netmask=255.255.0.0
added interface br-eaf7db576deb ip=172.30.252.1 bcast=172.30.252.255 netmask=255.255.255.0
added interface br-fdcd9449d660 ip=172.30.253.1 bcast=172.30.253.255 netmask=255.255.255.0
added interface ens18 ip=yy.yy.yy.yy bcast=yy.yy.yy.255 netmask=255.255.255.0                                                                           
finddcs: searching for a DC by DNS domain s4ad.domain.org                    
finddcs: looking for SRV records for _ldap._tcp.s4ad.domain.org              
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.s4ad.domain.org<0x0>                                                                       
getlmhostsent: lmhost entry: xx.xx.xx.xx grants                           
getlmhostsent: lmhost entry: yy.yy.yy.yy grants-dc                         
dns_lookup_send_next: Sending DNS request #0 to xx.xx.xx.xx               
dns_cli_request_send: Asking xx.xx.xx.xx for _ldap._tcp.s4ad.domain.org./1/33 via UDP                                                                   
[0000] 0D 34 01 00 00 01 00 00   00 00 00 01 05 5F 6C 64   .4...... ....._ld                                                                             
[0010] 61 70 04 5F 74 63 70 04   73 34 61 64 05 63 65 73   ap._tcp. s4ad.ces                                                                             
[0020] 76 69 03 6F 72 67 00 00   21 00 01 00 00 29 10 00   vi.org.. !....)..                                                                             
[0030] 00 00 00 00 00 00                                   ......                                                                                        
dns_lookup_send_next: cancelling wait_subreq                                
[0000] 0D 34 85 80 00 01 00 01   00 00 00 01 05 5F 6C 64   .4...... ....._ld                                                                             
[0010] 61 70 04 5F 74 63 70 04   73 34 61 64 05 63 65 73   ap._tcp. s4ad.ces                                                                             
[0020] 76 69 03 6F 72 67 00 00   21 00 01 C0 0C 00 21 00   vi.org.. !.....!.                                                                             
[0030] 01 00 00 03 84 00 1D 00   00 00 64 01 85 06 67 72   ........ ..d...gr                                                                             
[0040] 61 6E 74 73 04 73 34 61   64 05 63 65 73 76 69 03   ants.s4a d.domain.                                                                             
[0050] 6F 72 67 00 00 00 29 04   D0 00 00 00 00 00 00      org...). .......                                                                              
Addrs = xx.xx.xx.xx at 389/grants                                            
finddcs: DNS SRV response 0 at 'xx.xx.xx.xx'                              
ERROR: Failed to find a writeable DC for domain 's4ad.domain.org': The object was not found.                                                              
  File "/usr/lib/python3/dist-packages/samba/join.py", line 352, in find_dc                                                                              
    ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)                               
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^           

----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Cc: "Rowland Penny" <rpenny at samba.org>
Sent: Thursday, 9 October 2025 18:29:55
Subject: Re: [Samba] Failed to find a writeable DC

On Thu, 9 Oct 2025 18:12:00 +0200 (CEST)
Fabrizio Rompani <fabrizio.rompani at yetopen.com> wrote:
> 
> 
> On both VMs firewalld is installed: there's a zone "trusted" with
> target accept.
> 
> trusted (active)
>   target: ACCEPT
>   icmp-block-inversion: no      
>   interfaces: 
>   sources: ipset:trust 
>   services: 
>   ports: 
>   protocols: 
>   masquerade: no
>   forward-ports: 
>   source-ports: 
>   icmp-blocks: 
>   rich rules: 
> 
> IP yy.yy.yy.yy belongs to ipset "trust" on VM xx.xx.xx.xx and
> vice versa, so everything should be open from yy.yy.yy.yy to
> xx.xx.xx.xx and vice versa.
> 
> e.g.:
> 
> from yy.yy.yy.yy:
> 
> telnet xx.xx.xx.xx 389
> Trying xx.xx.xx.xx...
> Connected to xx.xx.xx.xx.
> Escape character is '^]'.
> 
> telnet xx.xx.xx.xx 445
> Trying xx.xx.xx.xx...
> Connected to xx.xx.xx.xx.
> Escape character is '^]'.
> 
> 
> 
> 
> > 
> > 
> > 
> > What about a different approach:
> > back up the online DC (Samba 4.15) and restore it into the new Samba
> > 4.23. Change resolv.conf and Nextcloud LDAP to point to itself:
> > grants-dc
> > 
> > What do you think about it?
> 
> Not much.
> Joining a new DC should be effortless, when it doesn't work it is
> usually down to a DNS problem.
> 
> So a different version shouldn't be a problem, right?

No, the version shouldn't be a problem.

> Could you suggest some DNS checks?
> 

The first thing I would do is, turn off the firewalls temporarily.
If the join works, then great, you know where to look, if it doesn't,
then we will go into everything further.

Rowland
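
Added example, not part of the original thread and not Samba's own code: the second hex dump in the debug output is the DNS reply to the `_ldap._tcp` SRV query that `finddcs` sends, and the `Addrs = ... at 389/grants` line is what Samba extracted from it. The Python sketch below decodes such a reply into priority, weight, port and target; the packet is constructed for the placeholder domain `samdom.example.com` and host `dc1`, laid out like the logged one.

```python
import struct

SRV = 33  # DNS record type number for SRV

def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:                         # root label ends the name
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:               # 2-byte pointer to an earlier name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            suffix, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + ([suffix] if suffix else [])), off + 2
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("bad or truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_srv_answers(msg):
    """Return (rcode, [SRV answers]) from a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SRV:                   # RDATA: priority, weight, port, target
            prio, weight, port = struct.unpack_from("!HHH", msg, off)
            target, _ = read_name(msg, off + 6)
            answers.append({"owner": owner, "priority": prio, "weight": weight,
                            "port": port, "target": target, "ttl": ttl})
        off += rdlen
    return flags & 0x000F, answers

def _enc(name):  # helper used only to build the constructed sample below
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

# Constructed sample reply (placeholder names), same layout as the logged packet
_RDATA = struct.pack("!HHH", 0, 100, 389) + _enc("dc1.samdom.example.com")
SAMPLE = (struct.pack("!6H", 0x0D34, 0x8580, 1, 1, 0, 1)
          + _enc("_ldap._tcp.samdom.example.com") + struct.pack("!HH", SRV, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 900, len(_RDATA)) + _RDATA
          + b"\x00\x00\x29\x04\xd0\x00\x00\x00\x00\x00\x00")  # EDNS OPT record

if __name__ == "__main__":
    print(parse_srv_answers(SAMPLE))
```

An rcode of 0 with a usable target and port, as in the log, means the SRV lookup itself succeeded and the error was raised by the later `finddc` call shown in the traceback.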
