Web lists-archives.com

[Samba] Setup a Samba AD DC as an additional DC




>What is the running AD DC its os version/build, it was an MS server? 
2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012 windows DC

Then question after this.
ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST') 

This DC your adding, are you useing bind9_DLZ or internal DNS from samba itself? 
I suspect resolving problems. 

From the collected info. ( commented inbetween the lines ) 

> -----------
> Checking file: /etc/hosts 
> 127.0.0.1	localhost
> ::1		localhost6

>IP_HERE sambadc1.mydomain.tld sambadc1   # for this DC ( optional you can add the other DC also, but wait dont add it now. )

I added this already but it did not change the result.

>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts

>> Checking file: /etc/resolv.conf
>> search daram.com
>> nameserver ##.##.##.20

>Here the ip shown above, where is this one resolving to, i hope the ADDC server. 

Yes to the ADDC Server

>If you dont use systemd-resolved, thats fine, but make sure you removed it correctly. 
>Thats a choice, the howto shown, works fine with it enabled. 
>But here are the steps to remove it, if you want to remove it. 
># but PLEASE, keep this for the last, if we change to much not im not able to find you problem.
># i do suspect resolving problem, yes. 
># systemctl disable systemd-resolved
># systemctl stop systemd-resolved
># systemctl mask systemd-resolved
># rm /etc/resolv.conf and create a new one ( you already did this ) # if exists, edit /etc/NetworkManager/NetworkManager.conf
># in the main section, add : dns=none
># reboot. 
>
>but again, i want to know all outcomes first before you change this all. 

I did not do the "mask" but did the other and I purged the resolved... per Roland's instructions...


>nslookup hostname
>nslookup hostname.domain.tld

:~$ nslookup sambaDC.domain.com
Server:         131.192.176.20
Address:        131.192.176.20#53

Name:   sambaDC.domain.com
Address: 131.192.176.40

>What do you see if you run: 
>host IP_OF_OTHERDC

20.176.192.131.in-addr.arpa domain name pointer WindowsADDC.domain.com.

>host IP_OF_THIS_DC

Host 40.176.192.131.in-addr.arpa  domain name pointer sambaDC.domain.com.

>And
>dig a $(hostname -s)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a ThisDC-SambaDC-we-want-to-join
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20641
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 852b24514a370e2a (echoed)
;; QUESTION SECTION:
; sambaDC.                    IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)                <<<Windows ADDC>>>
;; WHEN: Wed Nov 28 02:57:50 CST 2018
;; MSG SIZE  rcvd: 51

>dig a $(hostname -f)

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> a sambaDC.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1568
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6f82a8d3d3d97f1d (echoed)
;; QUESTION SECTION:
; sambaDC.domain.com.          IN      A

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)                                   <<<Windows ADDC>>>
;; WHEN: Wed Nov 28 03:05:39 CST 2018
;; MSG SIZE  rcvd: 61

>Repeat but now with @ip_of_OTHER-DC at the end. dig 
>
>dig -x ip_of_this_DC

dig -x 131.192.176.40  (sambaDC)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 44930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 53854d1f16d34420 (echoed)
;; QUESTION SECTION:
;40.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 1 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:19:14 CST 2018
;; MSG SIZE  rcvd: 68

>dig -x ip_of_OTHER-DC
>Repeat but now with @ip_of_OTHER-DC at the end.

dig -x 131.192.176.20  (WinADDC)
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> -x 131.192.176.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 25161
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9aee9cb762be5fc3 (echoed)
;; QUESTION SECTION:
;20.176.192.131.in-addr.arpa.   IN      PTR

;; Query time: 0 msec
;; SERVER: 131.192.176.20#53(131.192.176.20)
;; WHEN: Wed Nov 28 13:21:20 CST 2018
;; MSG SIZE  rcvd: 68

> 
> 
> -----------
> Checking file: /etc/krb5.conf
> [libdefaults]
> 	default_realm = MYDOMAIN.COM

#Here add : 
; for Windows 2008 with AES this make sure its matches better with the windows.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

> 
> # The following krb5.conf variables are only for MIT Kerberos.
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> # The following encryption type specification will be used by MIT 
> Kerberos .... Removed a bit to shorten the e-mail.
> 
> 
> -----------
> Checking file: /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, 
> try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat systemd
> group:          compat systemd
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> Warning,  does not exist

>I was expecting output here for the command.
>Check_file_exists "${SMBCONF}"

I have been deleting smb.conf before I run the samba-tool.  It creates a new one even though the join fails.

>Can you run these 2 commands : 
samba -b | grep 'CONFIGFILE' | awk '{print $NF}'

/etc/samba/smb.conf  (because I made an attempt to join the domain with samba-tool)

smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'

/etc/samba/smb.conf

>> -----------
>> No username map detected.
>Fine for a AD DC.

>> 
>> -----------
>> 
>> Installed packages, running: dpkg -l | egrep  
>>"samba|winbind|krb5|smb|acl|xattr"
>> ii  acl                                   2.2.52-3build1      
>>               amd64        Access control list utilities
>>.......... Removed part to shorten mail.
>> SMB/CIFS clients for Unix
>> ii  winbind                               
>> 2:4.9.3+nmu-1~ubuntu1804          amd64        service to 
>> resolve user and group information from Windows NT servers
>> -----------
>
>This looks ok to me. 

>Last, i'll add this script into the other script in some time.

>Get and run this one on the DC. 
>https://raw.githubusercontent.com/thctlo/samba4/master/samba-info.sh 
The Windows DC..?  Well with bash it doesn't work... so I assume you mean the DC we're trying to setup.

1:~$ sudo /tmp/samba-info.sh
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
Could not find machine account in secrets database: Failed to fetch machine account password for DARAM from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DARAM)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4705) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C09073B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 469, in run
    master = get_fsmo_roleowner(samdb, dn, short_name)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
This script was tested with Debian Jessie and Stretch
Server info:                    detected           (command and where to look)
This server hostname          = sambaDC            (hostname -s and /etc/hosts and DNS server)
This server FQDN (hostname)   = sambaDC.domain.com  (hostname -f and /etc/hosts and DNS server)
This server primary dnsdomain = domain.com      (hostname -d and /etc/resolv.conf and DNS server)
This server IP address(ses)   = 131.192.176.40  (hostname -i (-I) and /etc/networking/interfaces and DNS server
The DC with FSMO roles        =         (samba-tool fsmo show)
The DC (with FSMO) Site name  =         (samba-tool fsmo show)
The Default Naming Context    =         (samba-tool fsmo show)
The Kerberos REALM name used  = DOMAIN.COM       (kinit and /etc/krb5.conf and resolving)
The Ipadres of DC win2012DC-Site2.domain.com        = 131.192.180.22
The Ipadres of DC win2012DC-Site1.domain.com        = 131.192.176.20
131.192.176.18


--Barry Adkins

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba