Cannot join as secondary DC - samba 4.2.2 - <bug?>


Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
I am trying to join an existing Samba 4 DC and it's giving me an error:

[root@backupdc bin]# host -t A FILESERVER.specified.ca
FILESERVER.specified.ca has address 192.168.100.253

[root@backupdc bin]# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = FILESERVER.SPECIFIED.CA

[root@backupdc bin]# kinit
Password for administrator@FILESERVER.SPECIFIED.CA:
Warning: Your password will expire in 41 days on Sat 18 Jul 2015 01:58:01 PM MDT

[root@backupdc bin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@FILESERVER.SPECIFIED.CA

Valid starting     Expires            Service principal
06/06/15 15:42:02  07/06/15 01:42:02  krbtgt/FILESERVER.SPECIFIED.CA@FILESERVER.SPECIFIED.CA
        renew until 07/06/15 15:41:59

[root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC -Uadministrator --realm=fileserver.specified.ca
Finding a writeable DC for domain 'fileserver.specified.ca'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'fileserver.specified.ca'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 613, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1161, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 79, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 267, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

[root@backupdc bin]# ./samba-tool dns query fileserver fileserver.specified.ca fileserver.specified.ca ALL
  Name=, Records=3, Children=0
    SOA: serial=22, refresh=900, retry=600, expire=86400, minttl=0, ns=fileserver.fileserver.specified.ca., email=hostmaster.fileserver.specified.ca. (flags=600000f0, serial=22, ttl=3600)
    NS: fileserver.fileserver.specified.ca. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.100.253 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2

This happens on Samba 4.2.2. What do you suggest? I have extended ACLs on the XFS filesystem.

[root@backupdc ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun May 31 09:34:12 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/fedora-root /                       xfs    user_xattr,acl,barrier=1          1 1
UUID=75d1dec5-5499-4985-835b-3cd66e22f944 /boot                   ext4    defaults        1 2
/dev/mapper/fedora-swap swap                    swap    defaults        0 0


Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Rowland Penny-4
On 07/06/15 02:53, bogdan_bartos wrote:
> I am trying to join an existing Samba 4 DC and it's giving me an error:
>
> [root@backupdc bin]# host -t A FILESERVER.specified.ca
> FILESERVER.specified.ca has address 192.168.100.253
>
> [root@backupdc bin]# cat /etc/krb5.conf
> [libdefaults]
>      dns_lookup_realm = true

This should be:         dns_lookup_realm = false

>      dns_lookup_kdc = true
>      default_realm = FILESERVER.SPECIFIED.CA
>
> [root@backupdc bin]# kinit
> Password for [hidden email]:
> Warning: Your password will expire in 41 days on Sat 18 Jul 2015 01:58:01 PM
> MDT
>
> [root@backupdc bin]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [hidden email]
>
> Valid starting     Expires            Service principal
> 06/06/15 15:42:02  07/06/15 01:42:02
> krbtgt/[hidden email]
>          renew until 07/06/15 15:41:59
>
> [root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC
> -Uadministrator --realm=fileserver.specified.ca

You should be giving the realm name in UPPERCASE

If you run : 'samba-tool domain join --help'
You will find :  --realm=REALM       set the realm name

Try the two small changes and see how you go on.

Rowland

> Finding a writeable DC for domain 'fileserver.specified.ca'
> ERROR(exception): uncaught exception - Failed to find a writeable DC for
> domain 'fileserver.specified.ca'
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 613, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1161, in join_DC
>      machinepass, use_ntvfs, dns_backend, promote_existing)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 79, in __init__
>      ctx.server = ctx.find_dc(domain)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 267, in find_dc
>      raise Exception("Failed to find a writeable DC for domain '%s'" %
> domain)
>
> [root@backupdc bin]# ./samba-tool dns query fileserver fileserver.specified.ca fileserver.specified.ca ALL
>    Name=, Records=3, Children=0
>      SOA: serial=22, refresh=900, retry=600, expire=86400, minttl=0, ns=fileserver.fileserver.specified.ca., email=hostmaster.fileserver.specified.ca. (flags=600000f0, serial=22, ttl=3600)
>      NS: fileserver.fileserver.specified.ca. (flags=600000f0, serial=110, ttl=900)
>      A: 192.168.100.253 (flags=600000f0, serial=110, ttl=900)
>    Name=_msdcs, Records=0, Children=0
>    Name=_sites, Records=0, Children=1
>    Name=_tcp, Records=0, Children=4
>    Name=_udp, Records=0, Children=2
>
> This happens on Samba 4.2.2. What do you suggest? I have extended ACLs on the
> XFS filesystem.
>
> [root@backupdc ~]# cat /etc/fstab
>
> #
> # /etc/fstab
> # Created by anaconda on Sun May 31 09:34:12 2015
> #
> # Accessible filesystems, by reference, are maintained under '/dev/disk'
> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
> #
> /dev/mapper/fedora-root /                       xfs
> user_xattr,acl,barrier=1          1 1
> UUID=75d1dec5-5499-4985-835b-3cd66e22f944 /boot                   ext4
> defaults        1 2
> /dev/mapper/fedora-swap swap                    swap    defaults        0 0
>
>
>
>
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-as-secondary-DC-samba-4-2-2-bug-tp4686826.html
> Sent from the Samba - samba-technical mailing list archive at Nabble.com.


Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
I am getting the same and I did modify as per your advice:

[root@backupdc bin]# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = FILESERVER.SPECIFIED.CA

[root@backupdc bin]# kinit administrator
Password for administrator@FILESERVER.SPECIFIED.CA:
Warning: Your password will expire in 41 days on Sat 18 Jul 2015 01:58:01 PM MDT

[root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC -Uadministrator --realm=FILESERVER.SPECIFIED.CA
Finding a writeable DC for domain 'fileserver.specified.ca'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'fileserver.specified.ca'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 613, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1161, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 79, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 267, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Rowland Penny-4
On 07/06/15 13:31, bogdan_bartos wrote:

> I am getting the same and I did modify as per your advice:
>
> [root@backupdc bin]# cat /etc/krb5.conf
> [libdefaults]
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>      default_realm = FILESERVER.SPECIFIED.CA
>
> [root@backupdc bin]# kinit administrator
> Password for [hidden email]:
> Warning: Your password will expire in 41 days on Sat 18 Jul 2015 01:58:01 PM
> MDT
>
> [root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC
> -Uadministrator --realm=FILESERVER.SPECIFIED.CA
> Finding a writeable DC for domain 'fileserver.specified.ca'
> ERROR(exception): uncaught exception - Failed to find a writeable DC for
> domain 'fileserver.specified.ca'
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 613, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1161, in join_DC
>      machinepass, use_ntvfs, dns_backend, promote_existing)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 79, in __init__
>      ctx.server = ctx.find_dc(domain)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 267, in find_dc
>      raise Exception("Failed to find a writeable DC for domain '%s'" %
> domain)


OK, this sounds like a dns problem.

Does the machine you are trying to join as a DC have a fixed IP ?
What is in /etc/resolv.conf ?
What is in /etc/hosts ?

What OS are you using ?

Rowland

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
This is from the secondary DC I am trying to join:

[root@backupdc ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search fileserver.specified.ca
nameserver 192.168.100.253

[root@backupdc ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.100.253 FILESERVER.fileserver.specified.ca      FILESERVER
192.168.100.242 BACKUPDC.fileserver.specified.ca        BACKUPDC
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

This is from the primary DC:

[root@fileserver etc]# cat /etc/resolv.conf
# Generated by NetworkManager
search fileserver.specified.ca
nameserver 192.168.100.253
nameserver 192.168.100.242
nameserver 192.168.100.1

[root@fileserver etc]# cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
192.168.100.242 BACKUPDC.fileserver.specified.ca   BACKUPDC
::1             localhost6.localdomain6 localhost6

The primary DC is 192.168.100.253 and the secondary DC is 192.168.100.242 - they both have static IPs. I do have a 3rd DNS that is 192.168.100.1 that is not samba based. It is the gateway DNS. Both systems are running Fedora 22 x64.

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Rowland Penny-4
On 07/06/15 14:03, bogdan_bartos wrote:

> This is from the secondary DC I am trying to join:
>
> [root@backupdc ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search fileserver.specified.ca
> nameserver 192.168.100.253
>
> [root@backupdc ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> 192.168.100.253 FILESERVER.fileserver.specified.ca      FILESERVER
> 192.168.100.242 BACKUPDC.fileserver.specified.ca        BACKUPDC
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
>
> This is from the primary DC:
>
> [root@fileserver etc]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search fileserver.specified.ca
> nameserver 192.168.100.253
> nameserver 192.168.100.242
> nameserver 192.168.100.1
>
> [root@fileserver etc]# cat /etc/hosts
> 127.0.0.1               localhost.localdomain localhost
> 192.168.100.242 BACKUPDC.fileserver.specified.ca   BACKUPDC
> ::1             localhost6.localdomain6 localhost6
>
> The primary DC is 192.168.100.253 and the secondary DC is 192.168.100.242 -
> they both have static IPs. I do have a 3rd DNS that is 192.168.100.1 that is
> not samba based. It is the gateway DNS. Both systems are running Fedora 22
> x64.

OK, let's see if I have got this correct:

Your first DC has the IP address 192.168.0.253 and the FQDN
fileserver.fileserver.specified.ca
The computer you want to be the second DC has the IP address
192.168.100.242 and the FQDN backupdc.fileserver.specified.ca

This is what I would set before the join:

On the first DC, set /etc/resolv.conf to:

search fileserver.specified.ca
nameserver 192.168.100.253

Set /etc/hosts to:

127.0.0.1       localhost.localdomain localhost
192.168.100.253 fileserver.fileserver.specified.ca      fileserver
::1             localhost6.localdomain6 localhost6

On the second DC, set /etc/resolv.conf to:

search fileserver.specified.ca
nameserver 192.168.100.253

Note this is what you already have.

Set /etc/hosts to:

127.0.0.1       localhost.localdomain localhost
192.168.100.242 backupdc.fileserver.specified.ca      backupdc
::1             localhost6.localdomain6 localhost6

You should also have a line in smb.conf on the first DC: dns forwarder = 192.168.100.1
This is provided that 192.168.100.1 is a router or similar that knows
nothing about your samba AD domain and you are using the internal AD dns
server. If you are using bind9 on the DCs then the forwarder needs to be
set in the named conf files; if you are using anything else, well, don't.

Once you do manage to join the second DC, you will need to change the
/etc/resolv.conf files on both DCs, they need to point at each other and
then themselves:

first DC:

search fileserver.specified.ca
nameserver 192.168.100.242
nameserver 192.168.100.253

second DC:

search fileserver.specified.ca
nameserver 192.168.100.253
nameserver 192.168.100.242

Rowland
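
A pre-join check for the recipe in the post above, as an added example that is not part of this thread or of Samba. It parses /etc/resolv.conf and /etc/hosts text and applies the rules Rowland gives: until the join completes, exactly one nameserver (the existing DC), the AD DNS domain in search, and the machine's own FQDN and short name on its static address rather than loopback. The sample files are the ones quoted in this thread, embedded as constructed strings; the function names are mine.

```python
"""
Pre-join resolver check (added example, not from the thread or from Samba).
Rules, taken from the post above: until the join completes, resolv.conf lists
exactly one nameserver (the existing DC) and searches the AD DNS domain;
/etc/hosts maps the machine's own FQDN and short name to its static address,
never to loopback.  The sample files are the ones posted in this thread,
embedded here as constructed strings.
"""
import ipaddress
from typing import Dict, List


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Split resolv.conf into nameservers, search domains and lines glibc would ignore."""
    out: Dict[str, List[str]] = {"nameservers": [], "search": [], "unknown": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, rest = parts[0], parts[1:]
        if key == "nameserver" and rest:
            out["nameservers"].append(rest[0])
        elif key in ("search", "domain") and rest:   # 'domain' is a one-entry search list
            out["search"].extend(rest)
        elif key in ("options", "sortlist"):
            continue
        else:
            out["unknown"].append(raw.strip())          # e.g. a hosts line pasted by mistake
    return out


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each name in /etc/hosts to its address; first match wins, as the resolver does."""
    names: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def prejoin_findings(resolv_text: str, hosts_text: str, *, ad_domain: str,
                     my_fqdn: str, my_ip: str, dc_ip: str) -> List[str]:
    """Return every deviation from the recipe; an empty list means the files are ready."""
    findings: List[str] = []
    resolv = parse_resolv_conf(resolv_text)
    for line in resolv["unknown"]:
        findings.append(f"resolv.conf: unrecognised line {line!r} (silently ignored by the resolver)")
    if resolv["nameservers"] != [dc_ip]:
        findings.append(f"resolv.conf: nameservers {resolv['nameservers']} should be exactly "
                        f"[{dc_ip!r}] until the join has finished")
    if ad_domain.lower() not in (d.lower() for d in resolv["search"]):
        findings.append(f"resolv.conf: search/domain does not include {ad_domain}")

    hosts = parse_hosts(hosts_text)
    fqdn, short = my_fqdn.lower(), my_fqdn.lower().split(".", 1)[0]
    addr = hosts.get(fqdn)
    if addr is None:
        findings.append(f"hosts: no entry for {my_fqdn}")
    elif ipaddress.ip_address(addr).is_loopback:
        findings.append(f"hosts: {my_fqdn} resolves to loopback {addr} instead of {my_ip}")
    elif addr != my_ip:
        findings.append(f"hosts: {my_fqdn} maps to {addr}, expected {my_ip}")
    if hosts.get(short) != my_ip:
        findings.append(f"hosts: short name {short} should also map to {my_ip}")
    return findings


# Files quoted in the thread, constructed here as literals.
RESOLV_BACKUPDC = "# Generated by NetworkManager\nsearch fileserver.specified.ca\nnameserver 192.168.100.253\n"
RESOLV_FILESERVER_BEFORE = ("# Generated by NetworkManager\nsearch fileserver.specified.ca\n"
                            "nameserver 192.168.100.253\nnameserver 192.168.100.242\nnameserver 192.168.100.1\n")
RESOLV_BACKUPDC_TYPO = ("# Generated by NetworkManager\n"
                        "192.168.100.242 backupdc.fileserver.specified.ca      backupdc\n"
                        "nameserver 192.168.100.253\n")
HOSTS_BACKUPDC = ("127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4\n"
                  "192.168.100.242 backupdc.fileserver.specified.ca        backupdc\n"
                  "::1         localhost localhost.localdomain localhost6 localhost6.localdomain6\n")
HOSTS_FILESERVER_BEFORE = ("127.0.0.1               localhost.localdomain localhost\n"
                           "192.168.100.242 BACKUPDC.fileserver.specified.ca   BACKUPDC\n"
                           "::1             localhost6.localdomain6 localhost6\n")

if __name__ == "__main__":
    for problem in prejoin_findings(RESOLV_FILESERVER_BEFORE, HOSTS_FILESERVER_BEFORE,
                                    ad_domain="fileserver.specified.ca",
                                    my_fqdn="fileserver.fileserver.specified.ca",
                                    my_ip="192.168.100.253", dc_ip="192.168.100.253"):
        print(problem)
```

The "unrecognised line" rule exists because glibc skips lines it does not understand without complaint, so a hosts entry pasted into resolv.conf (a slip that appears later in this thread) leaves no trace other than a missing search domain. Both files here carry a "Generated by NetworkManager" header, so edits made by hand are overwritten on the next network restart; the checked values need to be set in the NetworkManager connection (or the file taken out of its control) to survive.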

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
On the primary DC:

[root@fileserver sbin]# cat /etc/resolv.conf
# Generated by NetworkManager
domain fileserver.specified.ca
nameserver 192.168.100.253

[root@fileserver sbin]# cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
192.168.100.253 fileserver.fileserver.specified.ca   fileserver
::1             localhost6.localdomain6 localhost6

On the secondary DC:

[root@backupdc bin]# cat /etc/resolv.conf
# Generated by NetworkManager
192.168.100.242 backupdc.fileserver.specified.ca      backupdc
nameserver 192.168.100.253

[root@backupdc bin]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.100.242 backupdc.fileserver.specified.ca        backupdc
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

And...I get the same error (I did restart samba on the pDC after the changes):

[root@backupdc bin]# kinit administrator
Password for administrator@FILESERVER.SPECIFIED.CA:
Warning: Your password will expire in 41 days on Sat 18 Jul 2015 01:58:01 PM MDT

[root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC -Uadministrator --realm=FILESERVER.SPECIFIED.CA
Finding a writeable DC for domain 'fileserver.specified.ca'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'fileserver.specified.ca'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 613, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1161, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 79, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 267, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
I made a mistake - on the secondary DC:

[root@backupdc bin]# cat /etc/resolv.conf
# Generated by NetworkManager
search fileserver.specified.ca
nameserver 192.168.100.253

But the results are still the same:

[root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC -Uadministrator --realm=FILESERVER.SPECIFIED.CA
Finding a writeable DC for domain 'fileserver.specified.ca'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'fileserver.specified.ca'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 613, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1161, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 79, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 267, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Rowland Penny-4
On 07/06/15 14:49, bogdan_bartos wrote:

> I did a mistake - on the secondary DC:
>
> [root@backupdc bin]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search fileserver.specified.ca
> nameserver 192.168.100.253
>
> But the results are still the same:
>
> [root@backupdc bin]# ./samba-tool domain join fileserver.specified.ca DC
> -Uadministrator --realm=FILESERVER.SPECIFIED.CA
> Finding a writeable DC for domain 'fileserver.specified.ca'
> ERROR(exception): uncaught exception - Failed to find a writeable DC for
> domain 'fileserver.specified.ca'
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 613, in run
>      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1161, in join_DC
>      machinepass, use_ntvfs, dns_backend, promote_existing)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 79, in __init__
>      ctx.server = ctx.find_dc(domain)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 267, in find_dc
>      raise Exception("Failed to find a writeable DC for domain '%s'" %
> domain)

This is very strange, do you have a firewall running on either of the
two machines ?
Is selinux running ?

Have a look here:
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Kerberos

It may provide a pointer.

Finally, if all else fails:

Can you try adding '--server=fileserver.fileserver.specified.ca' to the
join line, by my reading of join.py this should stop the search for the DC.

Rowland

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

bogdan_bartos
The --server=fileserver.fileserver.specified.ca did the trick. I have the firewall open on both boxes for the samba services. It's firewalld:

[root@fileserver sbin]# cat /etc/firewalld/services/samba.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="135"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="tcp" port="636"/>
  <port protocol="tcp" port="1024"/>
  <port protocol="tcp" port="5353"/>
  <port protocol="udp" port="5353"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>

[root@fileserver sbin]# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client cockpit dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Samba is in the list... I have no idea why this happened - I have a similar environment where provisioning and adding a secondary DC just worked like a charm.

Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Rowland Penny-4
On 07/06/15 15:32, bogdan_bartos wrote:

> The --server=fileserver.fileserver.specified.ca did the trick. I have the
> firewall open on both boxes for the samba services. It's firewalld:
>
> [root@fileserver sbin]# cat /etc/firewalld/services/samba.xml
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>    <short>Samba</short>
>    <description>This option allows you to access and participate in Windows
> file and printer sharing networks. You need the samba package installed for
> this option to be useful.</description>
>    <port protocol="tcp" port="53"/>
>    <port protocol="udp" port="53"/>
>    <port protocol="tcp" port="88"/>
>    <port protocol="udp" port="88"/>
>    <port protocol="tcp" port="135"/>
>    <port protocol="udp" port="137"/>
>    <port protocol="udp" port="138"/>
>    <port protocol="tcp" port="139"/>
>    <port protocol="tcp" port="389"/>
>    <port protocol="tcp" port="445"/>
>    <port protocol="tcp" port="464"/>
>    <port protocol="udp" port="464"/>
>    <port protocol="tcp" port="636"/>
>    <port protocol="tcp" port="1024"/>
>    <port protocol="tcp" port="5353"/>
>    <port protocol="udp" port="5353"/>
>    <module name="nf_conntrack_netbios_ns"/>
> </service>
>
> [root@fileserver sbin]# firewall-cmd --get-services
> amanda-client amanda-k5-client bacula bacula-client cockpit dhcp dhcpv6
> dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp
> high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin
> kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt
> mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql
> privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client
> sane smtp squid ssh synergy telnet tftp tftp-client tinc tor-socks
> transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client
> xmpp-local xmpp-server
>
> Samba is in the list... I have no idea why this happened - I have a similar
> environment where provisioning and adding a secondary DC just worked like a
> charm.

Should have known: the first thing I do when setting up a DC is turn off any
firewall; you can restart it later, and if there are problems, you know
it is the firewall. The problem may be because you cannot run a Samba 4
AD DC on Fedora with the standard packages yet; the firewalld samba xml
file may not have all the ports required, port 3268 is missing for instance.

Rowland
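
An audit of that firewalld service file, as an added example that is not from this thread, from Samba or from firewalld. It parses the samba.xml posted above (embedded here as a constructed string) and diffs the opened ports against the set a Samba AD DC needs; the REQUIRED table is the Samba wiki's "Samba AD DC Port Usage" list as recalled here, so treat it as an assumption and check it against the current page. On this file it reports the 3268/tcp gap the post above mentions, and also 389/udp, 3269/tcp and the dynamic RPC range.

```python
"""
Audit a firewalld service file against the ports a Samba AD DC must expose.
Added example; it is not from this thread, from Samba or from firewalld.
REQUIRED is the port table from the Samba wiki's "Samba AD DC Port Usage"
page as recalled here (an assumption: verify against the current page).
SAMBA_XML is the /etc/firewalld/services/samba.xml posted in the thread.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Span = Tuple[int, int]

# (protocol, port or range, purpose)
REQUIRED: List[Tuple[str, str, str]] = [
    ("tcp", "53", "DNS"),                ("udp", "53", "DNS"),
    ("tcp", "88", "Kerberos"),           ("udp", "88", "Kerberos"),
    ("tcp", "135", "RPC endpoint mapper"),
    ("udp", "137", "NetBIOS name service"),
    ("udp", "138", "NetBIOS datagram"),
    ("tcp", "139", "NetBIOS session"),
    ("tcp", "389", "LDAP"),              ("udp", "389", "CLDAP, the DC locator ping"),
    ("tcp", "445", "SMB"),
    ("tcp", "464", "kpasswd"),           ("udp", "464", "kpasswd"),
    ("tcp", "636", "LDAPS"),
    ("tcp", "3268", "Global Catalog"),   ("tcp", "3269", "Global Catalog over TLS"),
    ("tcp", "49152-65535", "dynamic RPC ports handed out by the endpoint mapper (DRS replication)"),
]

SAMBA_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <description>Windows file and printer sharing.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="135"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="tcp" port="636"/>
  <port protocol="tcp" port="1024"/>
  <port protocol="tcp" port="5353"/>
  <port protocol="udp" port="5353"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>
"""


def _span(port: str) -> Span:
    """'389' -> (389, 389); '49152-65535' -> (49152, 65535)."""
    lo, _, hi = port.partition("-")
    return int(lo), int(hi or lo)


def parse_firewalld_service(xml_text: str) -> Dict[str, List[Span]]:
    """Collect the <port protocol=... port=.../> entries as ranges per protocol."""
    opened: Dict[str, List[Span]] = {"tcp": [], "udp": []}
    for el in ET.fromstring(xml_text.encode("utf-8")).iter("port"):
        proto = el.get("protocol")
        if proto in opened:
            opened[proto].append(_span(el.get("port")))
    return opened


def missing_ports(opened: Dict[str, List[Span]]) -> List[Tuple[str, str, str]]:
    """REQUIRED entries not fully covered by an opened range of the same protocol."""
    gaps = []
    for proto, port, purpose in REQUIRED:
        lo, hi = _span(port)
        if not any(a <= lo and hi <= b for a, b in opened.get(proto, [])):
            gaps.append((proto, port, purpose))
    return gaps


def add_missing_ports(xml_text: str) -> str:
    """Return the service file with a <port/> element appended for every gap."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for proto, port, _ in missing_ports(parse_firewalld_service(xml_text)):
        ET.SubElement(root, "port", protocol=proto, port=port).tail = "\n  "
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for proto, port, purpose in missing_ports(parse_firewalld_service(SAMBA_XML)):
        print(f"missing {port}/{proto}: {purpose}")
```

A file under /etc/firewalld/services/ overrides the packaged definition of the same name in /usr/lib/firewalld/services/, and firewalld only reads it again after `firewall-cmd --reload`; `firewall-cmd --info-service=samba` then shows what is actually loaded. Port 1024/tcp and 5353 in the shipped file are for a member-server role and do nothing for DC replication, which is why the dynamic RPC range shows up as a gap.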


Re: Cannot join as secondary DC - samba 4.2.2 - <bug?>

Alexander Bokovoy
On Sun, Jun 07, 2015 at 07:32:11AM -0700, bogdan_bartos wrote:

> The --server=fileserver.fileserver.specified.ca did the trick. I have the
> firewall open on both boxes for the samba services. It's firewalld:
>
> [root@fileserver sbin]# cat /etc/firewalld/services/samba.xml
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>Samba</short>
>   <description>This option allows you to access and participate in Windows
> file and printer sharing networks. You need the samba package installed for
> this option to be useful.</description>
>   <port protocol="tcp" port="53"/>
>   <port protocol="udp" port="53"/>
>   <port protocol="tcp" port="88"/>
>   <port protocol="udp" port="88"/>
>   <port protocol="tcp" port="135"/>
>   <port protocol="udp" port="137"/>
>   <port protocol="udp" port="138"/>
>   <port protocol="tcp" port="139"/>
>   <port protocol="tcp" port="389"/>
You need to open 389/UDP too as this is the CLDAP ping which is used for
discovering domain controller capabilities in Active Directory.

--
/ Alexander Bokovoy
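
The CLDAP ping Alexander refers to, as an added example that is not Samba's code: an LDAP SearchRequest sent as a single UDP datagram to port 389, asking the rootDSE for the Netlogon attribute with a filter on DnsDomain and NtVer. Assumptions: the filter shape `(&(DnsDomain=<domain>)(NtVer=<4-byte little-endian flags>))` and the flag value 0x00000006 (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX); Samba's own locator may request further flags, and it first looks up the `_ldap._tcp.dc._msdcs.<domain>` SRV records in DNS before pinging whatever they return. The BER encoder and decoder below are mine.

```python
"""
Minimal CLDAP "netlogon ping": the LDAP search over UDP 389 that AD clients
(and samba-tool's DC locator) use to ask a DC "are you a writable DC for this
domain?".  Added example, not Samba's code.  Assumptions: the filter shape
(&(DnsDomain=<domain>)(NtVer=<4-byte LE flags>)) with attribute Netlogon, and
NtVer=0x00000006 (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX); Samba's
own locator may request additional flags.
"""
import socket
import struct
from typing import Dict, Iterator, Optional, Tuple

# --- BER primitives (only what an LDAP SearchRequest needs) -----------------

def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80|N followed by N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body

def ber_octets(value: bytes) -> bytes:              # OCTET STRING
    return ber_tlv(0x04, value)

def ber_int(value: int, tag: int = 0x02) -> bytes:  # INTEGER (0x02) or ENUMERATED (0x0A)
    raw = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return ber_tlv(tag, raw)

def ber_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def ber_children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLVs packed inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = ber_read(body, pos)
        yield tag, inner

# --- the ping itself ---------------------------------------------------------

NT_VERSION_5_5EX = 0x00000006  # assumed flag set; see module docstring

def build_cldap_ping(domain: str, message_id: int = 1, nt_version: int = NT_VERSION_5_5EX) -> bytes:
    """LDAPMessage{messageID, SearchRequest{base "", scope base, filter, attrs [Netlogon]}}."""
    eq_domain = ber_tlv(0xA3, ber_octets(b"DnsDomain") + ber_octets(domain.encode()))  # equalityMatch [3]
    eq_ver = ber_tlv(0xA3, ber_octets(b"NtVer") + ber_octets(struct.pack("<I", nt_version)))
    filt = ber_tlv(0xA0, eq_domain + eq_ver)                                             # and [0]
    search = ber_tlv(0x63,                        # [APPLICATION 3] SearchRequest
                     ber_octets(b"")              # baseObject: rootDSE
                     + ber_int(0, 0x0A)           # scope: baseObject
                     + ber_int(0, 0x0A)           # derefAliases: neverDerefAliases
                     + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit
                     + ber_tlv(0x01, b"\x00")     # typesOnly: FALSE
                     + filt
                     + ber_tlv(0x30, ber_octets(b"Netlogon")))
    return ber_tlv(0x30, ber_int(message_id) + search)

def decode_cldap_ping(msg: bytes) -> Dict[str, object]:
    """Inverse of build_cldap_ping, for checking what actually went on the wire."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    items = list(ber_children(body))
    message_id = int.from_bytes(items[0][1], "big", signed=True)
    op_tag, op = items[1]
    if op_tag != 0x63:
        raise ValueError("not a SearchRequest")
    fields = list(ber_children(op))  # base, scope, deref, size, time, typesOnly, filter, attrs
    assertions = {}
    for _, eq in ber_children(fields[6][1]):
        (_, name), (_, value) = list(ber_children(eq))
        assertions[name.decode()] = value
    return {
        "message_id": message_id,
        "base": fields[0][1].decode(),
        "scope": fields[1][1][0],
        "dns_domain": assertions["DnsDomain"].decode(),
        "nt_version": struct.unpack("<I", assertions["NtVer"])[0],
        "attributes": [v.decode() for _, v in ber_children(fields[7][1])],
    }

def cldap_ping(host: str, domain: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the ping to host:389/udp; None means silence, which from the client
    side is indistinguishable from a firewall dropping 389/udp."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_cldap_ping(domain), (host, 389))
        try:
            return sock.recvfrom(65535)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    import sys
    reply = cldap_ping(sys.argv[1], sys.argv[2])
    print("no CLDAP reply: 389/udp filtered or no DC there" if reply is None
          else f"DC answered with {len(reply)} bytes of Netlogon data")
```

Run it from the would-be second DC against the existing one (`python3 cldap_ping.py 192.168.100.253 fileserver.specified.ca`): a reply shows that 389/udp is open end to end and the DC answers the locator; a timeout is what the join in this thread saw, and it says nothing about TCP 389 or Kerberos, both of which were working here. A reply alone does not prove DNS is right either, since samba-tool's locator does the `_msdcs` SRV lookup first; the `--server=` option that worked above simply skips both steps.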