Web lists-archives.com

Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or NT_STATUS_CANT_ACCESS_DOMAIN_INFO




On Mon, May 6, 2019 at 8:11 AM L.P.H. van Belle via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> Hai,
>
> In addition to Rowlands last mail.
>
> I see wrong rights in /var/lib/samba/private
> You want : drwxr-xr-x   7 root root                      4096 May  6 13:06
> private
>
doing rm -rf /var/lib/samba/*

>
> Missing bind (named.conf.option)
> In options {
>         empty-zones-enable no;
>         auth-nxdomain yes;    # This server IS authorive for the AD-DC
> zones.
>         // to use new samba backup onnline tool, you also need
> auth-nxdomain yes; //
>
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; // BEFORE
> Samba 4.9
>         //tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; //
> AFTER Samba 4.9.x
>         // Note, its observice that dns.keytab is not moved during the
> upgrade
>         // move it manualy.
>
 I'm using Rowland's named.conf.option file now.  I've added the
"auth-nxdomain yes;" and adjusted the tkey line for the pre-Samba-4.9
setting.

>
> Add in named.conf.local
> // adding the dlopen ( Bind DLZ ) module for samba
> include "/var/lib/samba/private/dns/named.conf"; // BEFORE Samba 4.9
> //include "/var/lib/samba/bind-dns/named.conf"; // AFTER Samba 4.9.x
>
done.

>
>
> Make sure your resolv.conf has.
> nameserver 192.168.1.254
> search domain1.domain
>
done.
 # to make changes to this file be sure to chattr -i /etc/resolv.conf
# don't forget to reset it afterwards chattr +i /etc/resolv.conf
nameserver 192.168.1.254
search adst1.adstdom



> How, what i would do here, start clean or stop the needed services and
> manualy cleanup.
>
> Cleanup /var/lib/samba/*
> Cleanup /var/cache/samba/*
>
no Cleanup or cleanup here so I'm just using rm.

>
> Check if bind9 is running.
>
Not anymore.  It fails because it can't
load /var/lib/samba/private/dns/named.conf

>
> Clean up in the AD, computer name, alias links etc.
> Clean up in AD-DNS, A PTR records.
> Dont forget _msdc zone to check.
>
No records for the IP/server name exist any longer.

>
> Then then thats done, now try to join again.
>
I attempted the join (same error), then attempted to reload bind9 (since it
fails missing /var/lib/samba/private/dns/named.conf), then to join again.
/var/lib/samba/private/dns/named.conf wasn't generated (so bind9 won't run
until I take care of that).  Which I just did:
mkdir /var/lib/samba/private/dns
touch /var/lib/samba/private/dns/named.conf

So bind9 is running now.
I re-attempt the join, but it ends with the same error.


Thanks Louis.

This one has really got me stumped.


>
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> > James Fowler via samba
> > Verzonden: maandag 6 mei 2019 13:07
> > Aan: Rowland Penny
> > CC: samba@xxxxxxxxxxxxxxx
> > Onderwerp: Re: [Samba] Possibly WERR_DS_DRA_ACCESS_DENIED or
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> >
> > Inline reply.
> >
> > On Fri, May 3, 2019 at 3:08 AM Rowland Penny via samba <
> > samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Thu, 2 May 2019 16:51:02 -0400
> > > James Fowler <fowlerj@xxxxxxxx> wrote:
> > >
> > > See inline comments
> > >
> > > > root@DC2:~# cat /etc/resolv.conf
> > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> > > > resolvconf(8)
> > > > # and managed by Zentyal.
> > > > #
> > > > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> > > > OVERWRITTEN #
> > > > nameserver 192.168.1.254
> > > > #search domain1.domain
> > >
> > I would do two things here, the first is 'apt-get purge resolvconf',
> > > you do not want anything changing /etc/resolv.conf on a DC.
> > >
> >
> >  It looks like many packages are set to be dependent on
> > resolvconf that I
> > need on this system.  I ended up unlinking it, making the changes you
> > recommended and then setting it to immutable (chattr +i).  I also did
> > systemctl disable resolvconf.
> >
> > The second is, uncomment the 'search' line.
> > >
> > > There is also that word 'Zentyal', was/is this computer a
> > Zentyal DC ?
> > >
> >  Yes.
> >
> > >
> > > >
> > > > /etc/hostname
> > > > cat /etc/hostname
> > > > DC2
> > > >
> > > > /etc/hosts
> > > > root@DC2:~cat /etc/hosts
> > > > 127.0.0.1       localhost.localdomain localhost
> > > > 127.0.1.1       DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.19    otherserver.DOMAIN1.DOMAIN otherserver
> > > > 192.168.1.20    DC2.DOMAIN1.DOMAIN DC2
> > > > 192.168.1.254   DC1.DOMAIN1.local DC1
> > > >
> > >
> > > You should only have the new DC's info in /etc/hosts, anything else
> > > should be found by DNS. There is also '127.0.1.1' , is there another
> > > DNS server running ? (dnsmasq, netplan etc)
> > >
> > Only bind9 is running.  The 127.0.1.1 entry comes from a
> > failed attempt to
> > resolve issues.  I commented it out.  Thank you.
> >
> >
> > > > root@DC2:/etc/bind# cat named.conf
> > > > include "/etc/bind/named.conf.options";
> > > > include "/etc/bind/keys";
> > >
> > > You do not need the '/etc/bind/keys' line
> > >
> > removed.
> >
> > >
> > > >
> > > > // prime the server with knowledge of the root servers
> > > > zone "." {
> > > >         type hint;
> > > >         file "/etc/bind/db.root";
> > > > };
> > > >
> > > > // be authoritative for the localhost forward and reverse
> > zones, and
> > > > for // broadcast zones as per RFC 1912
> > > >
> > > > zone "localhost" {
> > > >         type master;
> > > >         file "/etc/bind/db.local";
> > > > };
> > > >
> > > > zone "127.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.127";
> > > > };
> > > >
> > > > zone "0.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.0";
> > > > };
> > > >
> > > > zone "255.in-addr.arpa" {
> > > >         type master;
> > > >         file "/etc/bind/db.255";
> > > > };
> > >
> > > Why is the above in /etc/bind/named.conf ?
> > > There should just be an include line like this:
> > >
> > > include "/etc/bind/named.conf.default-zones";
> > >
> > When I this added to the end of the named.conf file bind9
> > wouldn't run and
> > complained:
> > named-checkconf
> > /etc/bind/named.conf.default-zones:2: zone '.': already
> > exists previous
> > definition: /etc/bind/named.conf:5
> > /etc/bind/named.conf.default-zones:10: zone 'localhost':
> > already exists
> > previous definition: /etc/bind/named.conf:13
> > /etc/bind/named.conf.default-zones:15: zone
> > '127.in-addr.arpa': already
> > exists previous definition: /etc/bind/named.conf:18
> > /etc/bind/named.conf.default-zones:20: zone '0.in-addr.arpa': already
> > exists previous definition: /etc/bind/named.conf:23
> > /etc/bind/named.conf.default-zones:25: zone
> > '255.in-addr.arpa': already
> > exists previous definition: /etc/bind/named.conf:28
> >
> > Is it a problem to not have it calling
> > named.conf.default-zones?  It has
> > the same information repeated in named.conf.  Is it better to
> > comment out
> > those entries there and have it called from named.conf.default-zones?
> >
> >
> > > > root@DC2:/etc/bind# cat named.conf.local
> > > > // Generated by Zentyal
> > >
> > > Why? they seem to be making a right mess of it ;-)
> > >
> > Tell me about it!   It is kind of crazy the proliferation of
> > named.conf
> > files, zones, etc.
> >
> > >
> > > Mine is just:
> > >
> > > include "/var/lib/samba/bind-dns/named.conf";
> > >
> >
> > Presently, I have nothing in the
> > /var/lib/samba/bind-dns/named.conf path:
> > root@dc2:/etc# ll /var/lib/samba/
> > total 1412
> > drwxr-xr-x   8 root root            4096 May  2 09:03 ./
> > drwxr-xr-x  60 root root            4096 Apr 29 20:17 ../
> > -rw-------   1 root root          421888 Apr 25 11:42
> > account_policy.tdb
> > -rw-------   1 root root             696 Apr 25 11:42
> > group_mapping.tdb
> > drwxr-x---   2 root ntp             4096 Apr 30 00:14 ntp_signd/
> > drwxr-xr-x  10 root root            4096 Apr 25 11:39 printers/
> > drwxr-x---   5 root bind            4096 May  2 12:50 private/
> > -rw-------   1 root root          528384 Apr 25 11:42 registry.tdb
> > -rw-------   1 root root          421888 Apr 25 11:42 share_info.tdb
> > drwxrwx---+  3 root adm             4096 Apr 30 08:19 sysvol/
> > drwxrwx--T   2 root sambashare      4096 Apr 25 11:42 usershares/
> > -rw-------   1 root root           32768 May  2 09:03
> > winbindd_cache.tdb
> > drwxr-x---   2 root winbindd_priv   4096 Apr 30 00:14
> > winbindd_privileged/
> >
> > root@dc2:/etc# ll /var/lib/samba/private/
> > total 10896
> > drwxr-x--- 5 root bind    4096 May  2 12:50 ./
> > drwxr-xr-x 8 root root    4096 May  2 09:03 ../
> > -rw-r--r-- 1 root root    3663 May  2 12:50 dns_update_list
> > -rw------- 1 root root 1286144 May  2 12:50 hklm.ldb
> > -rw------- 1 root root 1286144 May  2 12:50 idmap.ldb
> > -rw-r--r-- 1 root root      94 May  2 12:50 krb5.conf
> > drwx------ 2 root root    4096 May  2 11:36 msg.sock/
> > -rw------- 1 root root    8888 May  2 09:03 netlogon_creds_cli.tdb
> > -rw------- 1 root root 1286144 May  2 12:50 privilege.ldb
> > -rw------- 1 root root 4247552 May  2 12:50 sam.ldb
> > drwx------ 2 root root    4096 May  2 12:50 sam.ldb.d/
> > -rw------- 1 root root 1286144 May  2 12:50 secrets.ldb
> > -rw-rwx--- 1 root bind  430080 May  2 09:03 secrets.tdb*
> > -rw------- 1 root root 1286144 Apr 30 08:19 share.ldb
> > -rw-r--r-- 1 root root     955 May  2 12:50 spn_update_list
> > drwx------ 2 root root    4096 Apr 30 08:19 tls/
> >
> >
> > > >
> > > > root@DC2:/etc/bind# cat named.conf.options
> > > >
> > > > options {
> > > >      sortlist {
> > > >             { 192.168.1.0/24 ;{ 192.168.1.0/24 ; };};
> > > >     };
> > > >     directory "/var/cache/bind";
> > > >     auth-nxdomain no;    # conform to RFC1035
> > > >
> > > >     allow-query { any; };
> > > >     allow-recursion { trusted; };
> > > >     allow-query-cache { trusted; };
> > > >     allow-transfer { internal-local-nets; };
> > > > };
> > > >
> > > > logging { category lame-servers { null; }; };
> > >
> > > If that again is managed by Zentyal, well they got some
> > things right,
> > > but missed a major thing, this is mine:
> > >
> > > options {
> > >     directory "/var/cache/bind";
> > >     version "0.0.7";
> > >     notify no;
> > >     empty-zones-enable no;
> > >     allow-query { 127.0.0.1; 192.168.0.0/24; };
> > >     allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
> > >     forwarders { 8.8.8.8; 8.8.4.4; };
> > >     allow-transfer { none; };
> > >     dnssec-validation no;
> > >     dnssec-enable no;
> > >     dnssec-lookaside no;
> > >     listen-on-v6 { none; };
> > >     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> > >
> > >     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > > };
> > >
> > > From all this, it is clear your DNS is not working as a Samba  AD DC
> > > would expect.
> > >
> > > Rowland
> > >
> > Thank you Rowland!
> >
> > I replaced my named.conf.options with yours (and made the
> > changes above),
> > restarted bind9 and then tried to join again, but still get
> > the same error:
> >
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to
> > fetch machine
> > account password for DOMAIN1 from both secrets.ldb (Could not
> > find entry to
> > match filter: '(&(flatname=DOMAIN1)(objectclass=primaryDomain))' base:
> > 'cn=Primary Domains': No such object: dsdb_search at
> > ../source4/dsdb/common/util.c:4636) and from
> > /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > Deleted CN=DC2,OU=Domain Controllers,DC=DOMAIN1,DC=DOMAIN
> > Deleted CN=dns-DC2,CN=Users,DC=DOMAIN1,DC=DOMAIN
> > Deleted CN=NTDS
> > Settings,CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=C
> > onfiguration,DC=DOMAIN1,DC=DOMAIN
> > Deleted
> > CN=DC2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configurat
> > ion,DC=DOMAIN1,DC=DOMAIN
> > ERROR(runtime): uncaught exception - (8453,
> > 'WERR_DS_DRA_ACCESS_DENIED')
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> > 176, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> > in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in
> > do_join
> >     ctx.join_replicate()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 961, in
> > join_replicate
> >     exop=drsuapi.DRSUAPI_EXOP_FSMO_RID_ALLOC)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py",
> > line 291, in
> > replicate
> >     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle,
> > req_level, req)
> >
> >  Thanks,
> >
> > James
> >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> > --
> > James Fowler
> > Association for Diplomatic Studies and Training http://adst.org
> > Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
James Fowler
Chief Information Officer
Association for Diplomatic Studies and Training http://adst.org
Capturing, Preserving, Sharing - Oral Histories of US Diplomacy
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba