
Re: [Samba] NT_STATUS_CONNECTION_REFUSED Joining Domain - Desperately need help - [SOLVED]

Found the solution shortly after I sent this e-mail.  Needed to add "tls enabled = no" to the working server to get the other server to restore functionality.
On 3/8/2018 3:58 PM, Brent Davidson via samba wrote:
I am desperately in need of help. I have a CentOS 7.2 server running Samba 4.6.13 as an Active Directory domain controller. I am trying to join a new CentOS 7.4 server running Samba 4.6.13 to the domain. The domain command will not connect to the other server.

I have firewalld and SELinux disabled on both servers; I can ping both ways. From the new server I was able to do a kinit -U administrator and get a Kerberos ticket which shows with a klist; however, when I go to join the domain, I get:

ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
    options=options)

I have been unable to find any details in the logs on the existing server when I run this command.

The join command I'm using is:

samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ --option='idmap_ldb:use rfc2307 = yes' -d 10

How this problem started:
I originally had two domain controllers, both of which were running Samba 4.5. I was troubleshooting a time sync issue between Windows 10 workstations and the server that appeared to come from a bug in the older Samba 4.5 version. I updated the secondary domain controller to Samba 4.6.13 and that appeared to go fine, so I switched over to the primary domain controller and tried to upgrade it to 4.6.13. Something went wrong, and users were no longer able to access the domain. I switched to the backup domain controller and promoted it to primary and all was well again, so I took the original primary off-line and tried to solve the issue. After taking the old primary off-line, DNS stopped resolving for the network. Things get a bit murky at this part because my phone was ringing off the hook, but I managed to wipe out the /var/lib/samba/private folder from one of the servers. Since my backups were of the old 4.5 database versions and I was unable to roll back the Samba version, I had to copy the /var/lib/samba/private folder from one server to the other, then remove the server entries for the non-working server.

After that point I had to go into each machine on the network and re-join the domain because the trust relationships were no longer valid. (A domain SID changed somewhere along the way.) All but 5 machines were able to rejoin the network, and then suddenly no more could join.

An additional issue is that if I do a samba_dnsupdate --verbose on the "working" server, it completes with no errors. However, if I do a samba_dnsupdate --verbose --all-names I receive a ton of "TKEY Unacceptable" messages. I have worked through all the options on the wiki.samba.org "TKEY is Unacceptable" page and have not made any progress.

I've got about 60 hours into troubleshooting this problem in the last 4 days and I am banging my head against a wall here. I can't seem to find anything on Google about "join" returning the NT_STATUS_CONNECTION_REFUSED error, just smbclient connect attempts, and have exhausted every result returned by Google on the TKEY problem.

Does anyone have any ideas?

Here's the extended debugging from the join command:

[root@new-dc ~]# samba-tool domain join redacteddomain.redacted.com DC -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes' -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
Finding a writeable DC for domain 'redacteddomain.redacted.com'
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
finddcs: searching for a DC by DNS domain redacteddomain.redacted.com
finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacteddomain.redacted.com<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389, 0]
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100, 389]
finddcs: DNS SRV response 0 at '10.10.11.4'
finddcs: DNS SRV response 1 at '10.10.11.4'
finddcs: performing CLDAP query on 10.10.11.4
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000013fd (5117)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_DS_8
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7
forest : 'redacteddomain.redacted.com'
dns_domain : 'redacteddomain.redacted.com'
pdc_dns_name : 'old-dc.redacteddomain.redacted.com'
domain_name : 'REDACTEDDOMAIN'
pdc_name : 'OLD-DC'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
Found DC old-dc.redacteddomain.redacted.com
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name old-dc.redacteddomain.redacted.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
Failed to connect to ldap URL 'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
    options=options)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
    options=options)

WARNING-FRAUDULENT FUNDING INSTRUCTIONS

Email hacking and fraud are on the rise to fraudulently misdirect funds. Please call your escrow officer immediately using contract information found from an independent source, such as the sales contract or internet, to verify any funding instructions received. We are not responsible for any wires sent by you to an incorrect bank account.
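
An added triage script, not part of the thread above and not Samba's own tooling. The -d 10 output shows the join resolving the SRV records, picking old-dc via CLDAP, and then failing at the plain TCP connect to ldap://old-dc (NT_STATUS_CONNECTION_REFUSED is the mapping of ECONNREFUSED), so the first thing to establish is what the DC's port 389 actually does with a SYN. The script classifies that (open / refused / timeout), demonstrates both outcomes offline against a local listener, and reads the effective 'tls enabled' value out of an smb.conf, since that is the setting the fix changed. The sample smb.conf, the local listener and any host name passed on the command line are constructed for the example.

```python
"""Triage for 'LDAP client internal error: NT_STATUS_CONNECTION_REFUSED' on join.

Added example, not code from the thread or from the Samba project. It (1) probes
the DC's LDAP ports and tells 'refused' (no listener, or a reset) from 'timeout'
(a filter dropping packets) and 'open' (TCP is fine, look past it), and (2) reads
the effective 'tls enabled' value from an smb.conf, the setting the poster
changed. The smb.conf text and the local listener below are constructed.
"""
import re
import socket
import sys

LDAP_PORT, LDAPS_PORT = 389, 636


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<text>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:            # alias of TimeoutError on 3.10+
        return "timeout"
    except OSError as exc:            # unreachable network, name lookup, ...
        return "error:%s" % (exc.strerror or exc)


def next_step(ldap: str, ldaps: str) -> str:
    """Map the probe results for 389/636 to the check to run next on the DC."""
    if ldap == "open":
        return ("389 accepts connections (636: %s); the refusal is not at TCP "
                "level, so read the DC's log.samba at 'log level = 10'" % ldaps)
    if ldap == "refused":
        return ("nothing is accepting on 389: confirm samba is running and "
                "listening (ss -ltnp | grep -E ':(389|636) ') and check the "
                "DC's log.samba for the ldap_server failing to start")
    if ldap == "timeout":
        return "no answer on 389: a packet filter or route is dropping the SYN"
    return "connect to 389 failed: " + ldap


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader -> {section: {key: value}}. Keys are lower-cased
    with internal whitespace collapsed (as testparm prints them), '#'/';' lines
    are comments, and for a repeated key the last value wins, as in Samba."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = re.match(r"^\[(?P<name>[^\]]+)\]$", line)
        if sec:
            section = sec.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        kv = re.match(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$", line)
        if kv and section is not None:
            key = " ".join(kv.group("key").lower().split())
            conf[section][key] = kv.group("val").strip()
    return conf


def tls_enabled(conf: dict) -> bool:
    """Samba defaults 'tls enabled' to yes; only an explicit no/false/0/off in
    [global] switches the DC's LDAPS (636) and StartTLS on 389 off."""
    val = conf.get("global", {}).get("tls enabled", "yes").lower()
    return val in ("yes", "true", "1", "on")


# Constructed for the example; not the poster's real configuration.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = REDACTEDDOMAIN
    realm = REDACTEDDOMAIN.REDACTED.COM
    server role = active directory domain controller
    ; the workaround the poster added to the working DC:
    tls enabled = no

[sysvol]
    path = /var/lib/samba/sysvol
"""


def demo_probe() -> tuple:
    """Show both TCP outcomes offline: probe a local listener, then the same
    port once the listener is closed (the kernel then answers with RST)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    return while_open, probe_tcp("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    print("tls enabled in sample smb.conf:", tls_enabled(parse_smb_conf(SAMPLE_SMB_CONF)))
    print("local listener demo (open, after close):", demo_probe())
    if len(sys.argv) > 1:             # usage: python3 ldap_triage.py old-dc.example.com
        r389, r636 = probe_tcp(sys.argv[1], LDAP_PORT), probe_tcp(sys.argv[1], LDAPS_PORT)
        print("%s 389:%s 636:%s" % (sys.argv[1], r389, r636))
        print(next_step(r389, r636))
```

The trade-off in the workaround is worth stating: with tls enabled = no the DC no longer offers LDAPS on 636 or StartTLS on 389, so anything that relied on them (LDAPS binds from other systems, tools that refuse a simple bind without TLS) breaks, and a simple bind that still goes to 389 sends the password in the clear. samba-tool domain join authenticates to LDAP with Kerberos over GSSAPI, which is why it does not need TLS to succeed. The thread does not say why the working DC stopped accepting LDAP connections; the script's 'refused' branch points at where to look (is samba listening on 389/636, and what does log.samba say when the ldap_server starts) before deciding whether to leave TLS off.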

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba