[Samba] Unable to manage dns (ERR_DNS_ERROR_DS_UNAVAILABLE)


Peter Beck

Jun 14, 2015, 7:30:03 AM

Hi guys,

When trying to do anything DNS related on a Samba4 DC (an additional DC
which should replace a 2003 server) I always got a
"WERR_DNS_ERROR_DS_UNAVAILABLE" error. The zones seem to be replicated
to the Samba server, as I can dig whatever record I want and it gets
resolved; I am just unable to manage anything on the Samba server. It's
also not possible to add the Samba server to the Windows DNS MMC.

I've already tried to switch (and reprovision) from internal DNS to
bind-dlz (Bind 9.9.5), but it's the same error.

The system is Debian Jessie 8.0.1 with Samba 4.1.17; no firewall is active
on either system (Windows and Debian).

[root@unxads001 ~]# samba-tool dns serverinfo unxads001 -Uadministrator%password
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001[,sign]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 711, in run
None, 'ServerInfo')

Replication seems to work just fine (on both sides, the Windows DC and
the Samba DC). I have added the DNS partition replicas manually with
ntdsutil according to the wiki page [1]:

[root@unxads001 ~]# samba-tool drs showrepl

Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:unxads001.domain.local,seal]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0
added interface eth1 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=10.1.1.22 bcast=10.1.1.255 netmask=255.255.255.0

Default-First-Site\UNXADS001
DSA Options: 0x00000001
DSA object GUID: 9f8694eb-ad7a-4304-9d25-96a3ad88cd8a
DSA invocationId: 756659bd-aca4-4cbb-97b0-d8b0e929632b

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:19:56 2015 CEST

CN=Configuration,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:19:56 2015 CEST

DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:19:56 2015 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:14:46 2015 CEST

CN=Configuration,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=DomainDnsZones,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=ForestDnsZones,DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:14:46 2015 CEST

DC=domain,DC=local
Default-First-Site\WINADS001 via RPC
DSA object GUID: 40d36407-6187-49c4-89a9-827492be6963
Last attempt @ Sun Jun 14 12:14:46 2015 CEST was successful
0 consecutive failure(s).
Last success @ Sun Jun 14 12:14:46 2015 CEST

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 7069717d-4dea-46e9-8be8-243c8e5b9474
Enabled : TRUE
Server DNS name : winads001.domain.local
Server DN name : CN=NTDS Settings,CN=WINADS001,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!


And the function level is set to 2003:

Domain and forest function level for domain 'DC=domain,DC=local'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003


In my resolv.conf the correct domain is set and both servers are listed;
it does not matter which one I choose as the first, the result is the same.

domain domain.local
search domain.local
nameserver 192.168.0.5 (the windows dc)
nameserver 192.168.0.22 (the samba dc)


samba_dnsupdate --verbose is telling me that there are no DNS updates
needed.

My smb.conf includes the line "nsupdate command = nsupdate".

Any clues how to get DNS management working on the Samba side? I couldn't
find anything on my own researching this issue, only others having
similar issues.

I once had similar issues two years ago [2].

Thanks
Peter

[1] https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting#DNS_Replication_from_Windows_AD_DC_fails

[2] https://lists.samba.org/archive/samba/2013-February/171749.html



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
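
The showrepl output above is the thing to check when chasing WERR_DNS_ERROR_DS_UNAVAILABLE: both DNS application partitions (DomainDnsZones and ForestDnsZones) should be listed as inbound neighbours with a successful last attempt, and the KCC section should carry no warning. As an added example, not from the thread and not Samba's own code, here is a parser for that output that flags a missing or failing DNS partition. The sample text is constructed from Peter's output; the failing ForestDnsZones entry and its error code are invented for illustration, since his real output showed every partition replicating successfully.

```python
import re

# Constructed sample modelled on the `samba-tool drs showrepl` output above,
# trimmed to the inbound neighbours and the KCC section. The failing
# ForestDnsZones entry is invented; Peter's real output had no failures.
SAMPLE_SHOWREPL = r"""
==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).

DC=ForestDnsZones,DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).

DC=domain,DC=local
    Default-First-Site\WINADS001 via RPC
        Last attempt @ Sun Jun 14 12:19:56 2015 CEST was successful
        0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 7069717d-4dea-46e9-8be8-243c8e5b9474
Warning: No NC replicated for Connection!
"""

SECTION_RE = re.compile(r"^==== (\w+) ")
RESULT_RE = re.compile(r"result (\d+) \((\w+)\)")


def parse_showrepl(text):
    """Parse showrepl output into a list of neighbour dicts (direction, naming
    context, partner, whether the last attempt succeeded, consecutive failure
    count, WERR name of the last error) and a list of KCC warning lines."""
    neighbours, warnings = [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1).lower(), None
        elif section == "kcc":
            if line.startswith("Warning:"):
                warnings.append(line)
        elif section in ("inbound", "outbound"):
            if line.startswith(("DC=", "CN=")):
                current = {"direction": section, "nc": line, "partner": None,
                           "ok": None, "failures": 0, "error": None}
                neighbours.append(current)
            elif current is None:
                continue
            elif " via " in line:
                current["partner"] = line.split(" via ")[0]
            elif line.startswith("Last attempt @"):
                current["ok"] = line.endswith("was successful")
                r = RESULT_RE.search(line)
                current["error"] = r.group(2) if r else None
            elif line.endswith("consecutive failure(s)."):
                current["failures"] = int(line.split()[0])
    return neighbours, warnings


DNS_PARTITIONS = ("DomainDnsZones", "ForestDnsZones")


def dns_partition_status(neighbours):
    """Inbound replication state of each DNS application partition: 'ok',
    'failing: <WERR> (<n> consecutive)', or 'missing' when the partition
    has no inbound neighbour at all."""
    status = {}
    for name in DNS_PARTITIONS:
        prefix = ("DC=%s," % name).lower()
        entries = [n for n in neighbours if n["direction"] == "inbound"
                   and n["nc"].lower().startswith(prefix)]
        if not entries:
            status[name] = "missing"
        elif all(n["ok"] for n in entries):
            status[name] = "ok"
        else:
            bad = next(n for n in entries if not n["ok"])
            status[name] = "failing: %s (%d consecutive)" % (bad["error"], bad["failures"])
    return status


if __name__ == "__main__":
    found, kcc_warnings = parse_showrepl(SAMPLE_SHOWREPL)
    for name, state in dns_partition_status(found).items():
        print("%-15s %s" % (name, state))
    for w in kcc_warnings:
        print(w)
```

To run it against a live DC, pipe the real output in (`samba-tool drs showrepl | python3 check_showrepl.py`) and replace `SAMPLE_SHOWREPL` with `sys.stdin.read()`; a partition reported as "missing" or "failing" is the place to start before touching the DNS RPC side.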

Peter Beck

Jun 14, 2015, 6:40:03 PM

What I've also noticed:

On a pure Samba4 domain (2 domain controllers) there is the directory
/var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory
"sam.ldb.d" containing all zones as ldb files:

[root@unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
-rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
-rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
-rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb


The sam.ldb file contains one single record:

# editing 1 records
# record 1
dn: DC=domain,DC=local
instanceType: 5
objectClass: top
objectClass: domaindns
objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
objectSid: S-1-5-21-2026243258-1306757702-3697109298
distinguishedName: DC=domain,DC=local


This directory is completely missing on the Samba DC which was added to
the Server 2003 domain.

How can I get these files? Can I manually force their creation? It sounds
to me like this could be the problem.

Regards
Peter

buhorojo

Jun 15, 2015, 1:20:03 PM

On 15/06/15 00:28, Peter Beck wrote:
> what I've also recognized:
>
> on a pure Samba4 domain (2 domain controllers) there is the directory
> /var/lib/private/samba/dns with a "sam.ldb" file and a subdirectory
> "sam.ldb.d" containing all zones as ldb files:
>
> [root@unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
> -rw-r----- 1 root root 7.4M Aug 4 2014 CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 7.8M Aug 4 2014 CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
bind needs w here too:
> -rw-r----- 1 root root 676K Aug 4 2014 DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
> -rw-r----- 1 root root 3.0M Aug 4 2014 DC=FORESTDNSZONES,DC=DOMAIN,DC=LOCAL.ldb

> -rw-r----- 1 root root 52K Aug 4 2014 DC=DOMAIN,DC=LOCAL.ldb
> -rw-rw---- 2 root bind 412K Jun 14 20:06 metadata.tdb
>
>
> The sam.ldb file contains one single record:
>
> # editing 1 records
> # record 1
> dn: DC=domain,DC=local
> instanceType: 5
> objectClass: top
> objectClass: domaindns
> objectGUID: ffc42d7d-2d34-486d-ab9b-0741871ca1d9
> objectSid: S-1-5-21-2026243258-1306757702-3697109298
> distinguishedName: DC=domain,DC=local
>
>
> This directory is completely missing on the Samba dc which was added to
> the Server 2003 domain.
>
> How can I get this files ? Can I manually force the creation ? Sounds to
> me like this could be the problem ?
>
> Regards
> Peter
Is bind installed?

Rowland Penny

Jun 15, 2015, 2:50:03 PM

Are you sure anything is missing?

Try: ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs

The sam.ldb file does contain everything, but you cannot normally see
everything. Whatever you do, *do not* edit the files in the sam.ldb.d
directory.

Rowland

Peter Beck

Jun 15, 2015, 8:50:02 PM

On 06/15/2015 08:48 PM, Rowland Penny wrote:
> Are you sure anything is missing ?
Hi Rowland,

no, absolutely not sure ;-)
>
> the sam.ldb file does contain everything, but you cannot see
> everything normally, what ever you do, *do not* edit the files in the
> sam.ldb.d directory.
>

I did not intend to change anything inside these files, I was just
wondering whether they shouldn't be created.

Now I moved a little bit further and set up a Server 2008R2 domain
controller for testing and then added a Samba 4 machine as DC to that
domain. This server is running on 2008R2 level and everything,
including DNS replication, seems to work just fine from scratch.
The files under .../sam.ldb.d are not created here btw, but DNS seems to
work fine.

As far as I could read from another thread [1], the DNS partitions are
stored differently under 2008 than in earlier versions. Maybe that is the
reason I always had so much trouble to completely ....

quote from that thread:

>The older versions of window server (2003 and older) created the DNS
>containers under CN=System in the domain partition, whereas the newer
>windows server (2008+) creates separate application partitions for
>DNS. DNS RPC server uses DNS partitions to store the DNS zone
>information

It's a bit too early for me to tell if it's finally working with
2008R2... but if that works, there would finally be a workaround to
completely remove Windows domain controllers (by upgrading first to a
2008 DC, removing the 2003 DC and then finally replacing the 2008 DC with
Samba). Replacing a Windows environment completely with Samba is
something that never really worked for me. Usually I've set up the
complete directory from scratch with Samba 4, which works perfectly
for multiple customers.

But now, if I try to demote the Windows server there is a message
complaining about the DomainDnsZones partition: "The specified domain
either does not exist or could not be contacted". But maybe it just
needs some time for replication; I'll try to demote the 2008 server
again tomorrow..

@buhorojo:
I already switched back to internal dns on that environment for further
testing, but thanks for the hint!

Thanks and Regards
Peter


[1]
http://samba.2283325.n4.nabble.com/Querying-DNS-info-samba4-tp4562214p4586794.html

L.P.H. van Belle

Jun 16, 2015, 3:30:03 AM

just saw this ....

>> [root@unxads002 ~]# ls -lh /var/lib/samba/private/dns/sam.ldb.d/
>> -rw-r----- 1 root root 7.4M Aug 4 2014
>CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 7.8M Aug 4 2014
>CN=SCHEMA,CN=CONFIGURATION,DC=DOMAIN,DC=LOCAL.ldb
>bind needs w here too:
>> -rw-r----- 1 root root 676K Aug 4 2014
>DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb
>> -rw-r----- 1 root root 3.0M Aug 4 2014

All incorrect rights, and that's your problem.
Bind can't write.


Your folder
/var/lib/samba/private/dns/sam.ldb.d/
has 750 set, should be 770
and root:root, should be root:bind.

Please check; from this point, below is what you want.
/var/lib/samba/private/dns
drwxrwx--- 3 root bind 4096 Jun 1 09:41 dns

So do a chgrp bind on all files and folders,
and make sure you have 660 set on the files,
and that should fix it.

Greetz,

Louis






>-----Original message-----
>From: buhoro...@gmail.com
>[mailto:samba-...@lists.samba.org] On behalf of buhorojo
>Sent: Monday, 15 June 2015 19:12
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Unable to manage dns
>(ERR_DNS_ERROR_DS_UNAVAILABLE)
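
Louis's advice amounts to a fixed expectation for the whole tree: group bind, 770 on directories, 660 on files. The checker below is added here and is not part of the thread or of Samba; it walks a directory and reports every entry whose group or mode deviates from that expectation, and separately flags anything world-accessible, which the ldb files holding the domain's DNS data should never be. The group name `bind` and the path /var/lib/samba/private/dns come from the thread; the demo fixture it builds when no such tree exists is constructed.

```python
import grp
import os
import stat
import sys
import tempfile

SAMBA_DNS_DIR = "/var/lib/samba/private/dns"   # path from the thread


def audit_dns_dir(root, expected_gid, dir_mode=0o770, file_mode=0o660):
    """Walk `root` and return (path, problem) tuples for every directory or
    file whose group or permission bits deviate from what bind-dlz needs:
    the bind group, 770 on directories, 660 on files. Any 'other' bits are
    reported on their own: nothing outside root and bind should reach these
    files."""
    problems = []

    def check(path, want_mode, kind):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return                      # judge the target, not the link
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != expected_gid:
            problems.append((path, "group is gid %d, expected gid %d"
                             % (st.st_gid, expected_gid)))
        if mode & 0o007:
            problems.append((path, "%s is world-accessible (%o)" % (kind, mode)))
        elif mode != want_mode:
            problems.append((path, "%s mode is %o, expected %o"
                             % (kind, mode, want_mode)))

    check(root, dir_mode, "directory")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name), dir_mode, "directory")
        for name in filenames:
            check(os.path.join(dirpath, name), file_mode, "file")
    return problems


def audit_dns_dir_by_group(root, group="bind"):
    """Same audit with the expected group given by name. A missing group
    raises KeyError, which on a bind-dlz host is itself a finding."""
    return audit_dns_dir(root, grp.getgrnam(group).gr_gid)


def build_demo_tree():
    """Constructed fixture: a throwaway copy of the layout in Peter's listing
    with the permissions Louis objected to (750 directory, 640 ldb file)."""
    root = tempfile.mkdtemp(prefix="samba-dns-demo-")
    sub = os.path.join(root, "sam.ldb.d")
    os.mkdir(sub)
    ldb = os.path.join(sub, "DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb")
    open(ldb, "w").close()
    os.chmod(root, 0o770)
    os.chmod(sub, 0o750)
    os.chmod(ldb, 0o640)
    return root, sub, ldb


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMBA_DNS_DIR
    if os.path.isdir(target):
        findings = audit_dns_dir_by_group(target)
    else:
        # no Samba tree on this host, so audit the constructed fixture instead
        root, _, _ = build_demo_tree()
        findings = audit_dns_dir(root, os.stat(root).st_gid)
    for path, problem in findings:
        print("%s: %s" % (path, problem))
    if not findings:
        print("no permission problems found")
```

Run it as root on the DC (`python3 audit_dns_perms.py /var/lib/samba/private/dns`) before and after the chgrp/chmod Louis describes; an empty result means the tree matches his expectation, and a "world-accessible" line means a chmod went too far in the other direction.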

sandy....@eccmg.cupet.cu

Jul 28, 2015, 10:10:04 AM

Samba4 was recently updated to version 4.2.2, but I have noticed that since then a policy which puts a wallpaper on each machine is not being applied on Windows 7 after the upgrade... can somebody help me?

Denis Cardon

Jul 28, 2015, 10:40:05 AM

Hello Sandy,

(mail rethreaded, please don't hijack threads)

> Samba4 recently updated to version 4.2.2, but I have noticed that
> since a policy which is to put a wallpaper on each machine is not
> being implemented in windows 7 after upgrade ... somebody can helpme.

Could you check the ACLs on the Sysvol share?

samba-tool ntacl sysvolcheck
samba-tool ntacl sysvolreset

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

sandy....@eccmg.cupet.cu

Jul 28, 2015, 11:10:04 AM

./samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL
on GPO directory
/usr/local/samba/var/locks/sysvol/eccmg.cupet.cu/Policies/{54201EFC-CE19-4ED7-AEFF-57123BABE0CF}
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001
01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match
expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f0
ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
lp)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1730, in
checksysvolacl
direct_db_access)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1681, in
check_gpos_acl
domainsid, direct_db_access)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1628, in
check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO
object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


./samba-tool ntacl sysvolreset

ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 218, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1616, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1521, in set_gpos_acl
passdb=passdb)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1484, in set_dir_acl
setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 154, in setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
root@samba:/usr/local/samba/bin#
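
The two SDDL strings in the sysvolcheck error above differ in exactly one place: the DACL read from the file system carries the control flags PAI (protected plus auto-inherited) where the one derived from the GPO object carries only P, and sysvolcheck reports the whole ACL as mismatched. As an added example, not part of the thread and not Samba's own code, here is a small parser that splits SDDL into owner, group, ACL control flags and ACEs and reports which field differs, so a finding like this can be narrowed down before resetting ACLs. The two strings are constructed from the output above, with the access masks written out in full where the mail wrapped them mid-token.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_object_guid", "sid")
COMPONENTS = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}

# Constructed from the two strings in the sysvolcheck error above, with the
# 0x001f01ff masks restored where the mail broke the line inside them.
ON_DISK = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
FROM_GPO = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL. Owner and group
    are returned as strings; each ACL as (control_flags, [ACE dicts]) where an
    ACE is the fields type;flags;rights;object_guid;inherit_object_guid;sid."""
    parsed = {"owner": None, "group": None, "dacl": None, "sacl": None}
    # Components start at O:, G:, D: or S:; no field value contains a colon.
    starts = [m.start() for m in re.finditer(r"[OGDS]:", sddl)] + [len(sddl)]
    for begin, end in zip(starts, starts[1:]):
        key, value = sddl[begin], sddl[begin + 2:end]
        if key in ("O", "G"):
            parsed[COMPONENTS[key]] = value
        else:
            flags = value.split("(", 1)[0]
            aces = [dict(zip(ACE_FIELDS, ace.split(";")))
                    for ace in ACE_RE.findall(value)]
            parsed[COMPONENTS[key]] = (flags, aces)
    return parsed


def diff_sddl(actual, expected):
    """Return human-readable differences between two SDDL strings, comparing
    owner, group, ACL control flags, ACE count and then ACEs field by field."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for part in ("owner", "group"):
        if a[part] != e[part]:
            diffs.append("%s: %s != %s" % (part, a[part], e[part]))
    for part in ("dacl", "sacl"):
        if a[part] is None and e[part] is None:
            continue
        if a[part] is None or e[part] is None:
            diffs.append("%s present on only one side" % part)
            continue
        (a_flags, a_aces), (e_flags, e_aces) = a[part], e[part]
        if a_flags != e_flags:
            diffs.append("%s control flags: %s != %s"
                         % (part, a_flags or "(none)", e_flags or "(none)"))
        if len(a_aces) != len(e_aces):
            diffs.append("%s has %d ACEs, expected %d" % (part, len(a_aces), len(e_aces)))
        for i, (x, y) in enumerate(zip(a_aces, e_aces)):
            for field in ACE_FIELDS:
                if x.get(field) != y.get(field):
                    diffs.append("%s ACE %d %s: %s != %s"
                                 % (part, i, field, x.get(field), y.get(field)))
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(ON_DISK, FROM_GPO) or ["ACLs match"]:
        print(line)
```

For the pair above the only line printed is `dacl control flags: PAI != P`: every ACE, the owner and the group agree, which is what a reviewer wants to know before deciding whether a sysvolreset is warranted or whether the inheritance flag alone is the issue.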

sandy....@eccmg.cupet.cu

Jul 28, 2015, 1:30:05 PM

The strange thing is that it only happens with the policy related to the wallpaper; it's not like any other. For example, when I set "deny access to Control Panel" it works perfectly.