Topics - dashwell

Directory and Authentication / Zentyal won't add as an additional DC
« on: January 03, 2023, 02:37:38 pm »
Good Day,
I've been trying with Zentyal 7.0 for a number of days now. I've made every modification I can find. However, when I try to add this Zentyal box to an existing domain environment, it seems to fail.
I'm sure the username and password are correct, as I get other errors if they are incorrect. The current environment is Windows 2008 SBE and Windows 2012 R2, both acting as DCs to the current server.

We want to remove the Win 2008 SBE completely, but this is only an option once I can get the Zentyal to act as an additional DC.

I managed for a time with Zentyal 6.0 a while back and then it suddenly stopped authenticating, so once I've got 7.0 to complete authentication, I might upgrade 6.0 to version 7.0 or just debug its faults.

Anyway, if someone can assist me. The routine recommended by Samba, setting the DNS_BACKEND to NONE, I don't see any way to implement in Zentyal with the current scripts.

Here is the error I'm getting:
2023/01/03 12:23:13 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: samba
2023/01/03 12:23:14 INFO> Provision.pm:810 EBox::Samba::Provision::checkAddress - Resolving server1.js.local to an IP address
2023/01/03 12:23:14 INFO> Provision.pm:830 EBox::Samba::Provision::checkAddress - The DC server1.js.local has been resolved to 192.168.0.247
2023/01/03 12:23:14 INFO> Provision.pm:833 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '192.168.0.247'...
2023/01/03 12:23:14 INFO> Provision.pm:857 EBox::Samba::Provision::checkAddress - The IP address 192.168.0.247 does not have associated PTR record
2023/01/03 12:23:14 INFO> Provision.pm:756 EBox::Samba::Provision::checkServerReachable - Checking if AD server '192.168.0.247' is online...
2023/01/03 12:23:14 INFO> Provision.pm:866 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2023/01/03 12:23:14 INFO> Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema...
2023/01/03 12:23:14 INFO> Provision.pm:775 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2023/01/03 12:23:14 INFO> Provision.pm:972 EBox::Samba::Provision::checkClockSkew - Checking clock skew with AD server...
2023/01/03 12:23:14 INFO> Provision.pm:993 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enough.
2023/01/03 12:23:14 INFO> Provision.pm:675 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition...
2023/01/03 12:23:14 INFO> Provision.pm:722 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2023/01/03 12:23:14 INFO> Provision.pm:932 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2023/01/03 12:23:14 INFO> Provision.pm:1034 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2023/01/03 12:23:14 INFO> Provision.pm:1042 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2023/01/03 12:23:14 INFO> Provision.pm:1059 EBox::Samba::Provision::checkADNebiosName - Checking domain netbios name...
2023/01/03 12:23:14 INFO> Provision.pm:1286 EBox::Samba::Provision::provisionADC - Joining to domain 'js.local' as DC
2023/01/03 12:23:15 INFO> Provision.pm:1299 EBox::Samba::Provision::provisionADC - Trying to get a kerberos ticket for principal 'bluetek@JS.LOCAL'
2023/01/03 12:23:17 INFO> Provision.pm:1308 EBox::Samba::Provision::provisionADC - Executing domain join
2023/01/03 12:23:18 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command samba-tool domain join js.local DC  --username='bluetek'  --workgroup='js'  --password=`cat /var/lib/zentyal/tmp/mFSvyc`  --server='192.168.0.247'  --dns-backend=BIND9_DLZ  --realm='JS.LOCAL'  --site='Default-First-Site-Name'  failed.
Error output: GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'naclrpc_as_system' registered
 GENSEC backend 'sasl-EXTERNAL' registered
 GENSEC backend 'ntlmssp' registered
 GENSEC backend 'ntlmssp_resume_ccache' registered
 GENSEC backend 'http_basic' registered
 GENSEC backend 'http_ntlm' registered
 GENSEC backend 'http_negotiate' registered
 GENSEC backend 'krb5' registered
 GENSEC backend 'fake_gssapi_krb5' registered
 Cannot do GSSAPI to an IP address
 Got challenge flags:
 Got NTLMSSP neg_flags=0x62898235
 NTLMSSP: Set final flags:
 Got NTLMSSP neg_flags=0x62088235
 NTLMSSP Sign/Seal - Initialising with flags:
 Got NTLMSSP neg_flags=0x62088235
 NTLMSSP Sign/Seal - Initialising with flags:
 Got NTLMSSP neg_flags=0x62088235
 INFO 2023-01-03 12:23:17,992 pid:40208 /usr/lib/python3/dist-packages/samba/join.py #1543: workgroup is JS
 INFO 2023-01-03 12:23:17,992 pid:40208 /usr/lib/python3/dist-packages/samba/join.py #1546: realm is js.local
 Using binding ncacn_ip_tcp:192.168.0.247[,seal]
 Cannot do GSSAPI to an IP address
 Got challenge flags:
 Got NTLMSSP neg_flags=0x62898235
 NTLMSSP: Set final flags:
 Got NTLMSSP neg_flags=0x62088235
 NTLMSSP Sign/Seal - Initialising with flags:
 Got NTLMSSP neg_flags=0x62088235
 NTLMSSP Sign/Seal - Initialising with flags:
 Got NTLMSSP neg_flags=0x62088235
 tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
 Could not open tdb: No such file or directory
 ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.ldb: No such file or directory

 ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
 ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
 ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr: DSID-030A0B8E, data 0, 1 access points
        ref 1: '06b2d19c-ffe4-45e3-be6f-183540b1c68b._msdcs.js.local'
 > <ldap://06b2d19c-ffe4-45e3-be6f-183540b1c68b._msdcs.js.local>
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 661, in run
     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
   File "/usr/lib/python3/dist-packages/samba/join.py", line 1559, in join_DC
     ctx.do_join()
   File "/usr/lib/python3/dist-packages/samba/join.py", line 1447, in do_join
     ctx.join_add_objects()
   File "/usr/lib/python3/dist-packages/samba/join.py", line 712, in join_add_objects
     ctx.samdb.modify(m)

Command output: Adding CN=JSPZENAD1,OU=Domain Controllers,DC=js,DC=local
 Adding CN=JSPZENAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
 Adding CN=NTDS Settings,CN=JSPZENAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
 Join failed - cleaning up
 Deleted CN=JSPZENAD1,OU=Domain Controllers,DC=js,DC=local
 Deleted CN=NTDS Settings,CN=JSPZENAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
 Deleted CN=JSPZENAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
.
Exit value: 255 at root command samba-tool domain join js.local DC  --username='bluetek'  --workgroup='js'  --password=`cat /var/lib/zentyal/tmp/mFSvyc`  --server='192.168.0.247'  --dns-backend=BIND9_DLZ  --realm='JS.LOCAL'  --site='Default-First-Site-Name'  failed.


Many thanks

Directory and Authentication / zentyal no longer seeing KDC servers
« on: October 03, 2022, 09:47:43 pm »
My Zentyal box is no longer seeing the other servers for replication. If I go through samba-tools drs show-repl it reports it can't see the KDC servers on the domain controller.
Please can someone help me.


ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:hangarserver.dummy.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/HANGARSERVER.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/hangarserver.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\HANGARSERVER
DSA Options: 0x00000001
DSA object GUID: a14123e4-7784-4b37-bcc3-21a705a98a31
DSA invocationId: 86acb60f-bc0d-48ff-8686-a4929a99662c

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:00:53 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13313 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                15187 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:04:24 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                101163 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:06:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13452 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:31 2021 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 17:59:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13314 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:24:29 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                448611 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                828531 consecutive failure(s).
                Last success @ Wed Jan 12 12:21:00 2022 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:49 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                43778 consecutive failure(s).
                Last success @ Mon Feb 28 05:53:29 2022 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                829934 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:35 2022 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:48 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                816051 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 8d40d461-5748-416f-ba56-453127e5f850
        Enabled        : TRUE
        Server DNS name : SERVER.dummy.local
        Server DN name  : CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dummy,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
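
A defender-side check built on the output format shown in this post (an added example, not code from the post, Zentyal or Samba): it parses the neighbor tables that samba-tool drs showrepl prints and lists the partners whose last replication attempt failed, so a monitor can alert long before the failure count reaches the tens of thousands seen above. The sample input is constructed in that layout with made-up names.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the layout of `samba-tool drs showrepl`; the per-neighbor "DSA object GUID" line is left out.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=example,DC=local
        Default-First-Site-Name\\DC1 via RPC
                Last attempt @ Mon Oct  3 18:00:53 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13313 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=example,DC=local
        Default-First-Site-Name\\DC1 via RPC
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST was successful
                0 consecutive failure(s).
                Last success @ Mon Oct  3 18:02:39 2022 SAST
"""
SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
NEIGHBOR_RE = re.compile(r"^\s{8}(\S+) via \w+$")  # "site\server via RPC"
ATTEMPT_RE = re.compile(r"Last attempt @ .+? (?:failed, result \d+ \((\w+)\)|was successful)$")
FAILS_RE = re.compile(r"(\d+) consecutive failure\(s\)")

@dataclass
class Neighbor:
    direction: str               # INBOUND or OUTBOUND
    partition: str               # naming context DN, e.g. DC=example,DC=local
    source: str                  # site\server of the replication partner
    error: Optional[str] = None  # WERR_* name of the last attempt, None if it succeeded
    failures: int = 0            # consecutive failure count reported by samba-tool

def parse_showrepl(text):
    neighbors, direction, partition = [], None, None  # one Neighbor per (partition, partner) block
    for line in text.splitlines():
        if line.startswith("===="):            # section header; KCC section resets direction to None
            m = SECTION_RE.match(line)
            direction = m.group(1) if m else None
        elif direction and line and not line[0].isspace():
            partition = line.strip()           # column-0 line inside a neighbor section is the NC DN
        elif direction and (m := NEIGHBOR_RE.match(line)):
            neighbors.append(Neighbor(direction, partition, m.group(1)))
        elif neighbors and (m := ATTEMPT_RE.search(line)):
            neighbors[-1].error = m.group(1)   # group is None when the line says "was successful"
        elif neighbors and (m := FAILS_RE.search(line)):
            neighbors[-1].failures = int(m.group(1))
    return neighbors

def broken_links(neighbors):
    # Partners whose last attempt failed, worst first; anything here is worth an alert.
    return sorted((n for n in neighbors if n.error), key=lambda n: -n.failures)
```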
