Web lists-archives.com

Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO




On Thu, 2 May 2019 16:51:02 -0400
James Fowler <fowlerj@xxxxxxxx> wrote:

See inline comments

> root@DC2:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # and managed by Zentyal.
> #
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> OVERWRITTEN #
> nameserver 192.168.1.254
> #search domain1.domain

I would do two things here, the first is 'apt-get purge resolvconf',
you do not want anything changing /etc/resolv.conf on a DC.
The second is, uncomment the 'search' line.

There is also that word 'Zentyal', was/is this computer a Zentyal DC ?

> 
> /etc/hostname
> cat /etc/hostname
> DC2
> 
> /etc/hosts
> root@DC2:~cat /etc/hosts
> 127.0.0.1       localhost.localdomain localhost
> 127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
> 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> 192.168.1.254   DC1.DOMAIN1.local DC1
> 

You should only have the new DC's info in /etc/hosts, anything else
should be found by DNS. There is also '127.0.1.1' , is there another
DNS server running ? (dnsmasq, netplan etc)

> root@DC2:/etc/bind# cat named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";

You do not need the '/etc/bind/keys' line

> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and
> for // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };

Why is the above in /etc/bind/named.conf ?
There should just be an include line like this:

include "/etc/bind/named.conf.default-zones";

> root@DC2:/etc/bind# cat named.conf.local
> // Generated by Zentyal

Why? they seem to be making a right mess of it ;-)

Mine is just:

include "/var/lib/samba/bind-dns/named.conf";

> 
> root@DC2:/etc/bind# cat named.conf.options
> 
> options {
>      sortlist {
>             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
>     };
>     directory "/var/cache/bind";
>     auth-nxdomain no;    # conform to RFC1035
> 
>     allow-query { any; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>     allow-transfer { internal-local-nets; };
> };
> 
> logging { category lame-servers { null; }; };
 
If that again is managed by Zentyal, well they got some things right,
but missed a major thing, this is mine:

options {
    directory "/var/cache/bind";
    version "0.0.7";
    notify no;
    empty-zones-enable no;
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.6; 127.0.0.1; };

    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

>From all this, it is clear your DNS is not working as a Samba  AD DC
would expect.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba