So it looks like I did something wrong at some point while setting up a domain and Samba4 is now broken for me.
Of course this had to happen after I spent time migrating my local account to the domain account. (No, it did not go as smoothly as the sources might lead you to believe.)
So I am understandably reluctant to reprovision the machine and go through that process again, breaking who-knows-what-else by breaking the NTFS ACLs formed since.
So yeah, I’ll use this post as an outlet for complaints about this breakage:
```text
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.752020, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753033, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 612, in <module>
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753757, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: get_credentials(lp)
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.754374, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 118, in get_credentials
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755084, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: creds.set_machine_account(lp)
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.755797, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: RuntimeError: (-1073741275, 'NT_STATUS_NOT_FOUND')
```
…uh, so the machine account is missing? What? How did that happen? Is it really missing?
```text
# samba-tool user create COMMANDER$
New Password: #DUMMYPASSWORDHERE#
Retype Password: #DUMMYPASSWORDHERE#
ERROR(ldb): Failed to add user 'COMMANDER$': - samldb: Account name (sAMAccountName) 'COMMANDER$' already in use!
```
Let’s try this, found on Samba’s wiki:
```text
samba-tool dbcheck --fix --reset-well-known-acls
```
Hurray, an error has been fixed! But everything is still horribly broken.
Oh look! There’s a DC diagnostics tool shipping in Windows:
```text
C:\Users\ivucica>dcdiag /s:ds.badc0de.net /v

Directory Server Diagnosis

Performing initial setup:
* Connecting to directory service on server ds.badc0de.net.
Ldap search capability attribute search failed on server ds.badc0de.net,
return value = 52
```
Thanks, Microsoft, that’s helpful.
So I fiddled a bit and ended up with this:
```text
C:\Users\ivucica>dcdiag /s:commander

Directory Server Diagnosis

Performing initial setup:
Ldap search capability attribute search failed on server commander, return
value = 81

C:\Users\ivucica>dcdiag /s:commander.ds.MYDOMAIN

Directory Server Diagnosis

Performing initial setup:
Ldap search capability attribute search failed on server
commander.ds.MYDOMAIN, return value = 81
```
No, passing /v did not help identify either error 52 or 81. But that 81 is mildly googlable. Wait, it’s mentioning LDAP… Is it even running?
Oh wait, Microsoft has another diagnostics tool (of course it does):

```text
C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN force /gc
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
```
Of course there is no such domain, why would there be, am I right? tcpdump revealed that UDP packets on 389 were being rejected (and nothing is listening there). And connections to localhost were failing. So let’s look at help for samba-tool dbcheck. Huh. Let’s try this:

```text
samba-tool dbcheck --fix --reindex --scope=base
```
And breakage begone!
```text
C:\Users\ivucica>nltest /dsgetdc:ds.MYDOMAIN /force /gc
           DC: \\commander.ds.MYDOMAIN
      Address: \\10.0.99.150
     Dom Guid: b066b58f-6fa9-42d6-a45a-ABCDEFABCDEF
     Dom Name: ds.MYDOMAIN
  Forest Name: ds.MYDOMAIN
 Dc Site Name: DO-AMS1
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
```
Or not?
```text
C:\Users\ivucica>dcdiag /s:ds.badc0de.net /v

Directory Server Diagnosis

Performing initial setup:
* Connecting to directory service on server ds.badc0de.net.
Ldap search capability attribute search failed on server ds.badc0de.net,
return value = 52
```
Back to 52. And samba_dnsupdate is still broken, and the workstation cannot administrate the DC. Because, “The server is not operational.” Thanks, Samba, and thanks, Windows, for your immensely useful error messages.
Very, very discouraging and even a bit disturbing.
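For anyone who lands on the same interleaved log, here is an added example (my own code, not from the post or from Samba): it strips the syslog and samba_runcmd_io_handler framing so the samba_dnsupdate traceback reads normally, pulls out the NT_STATUS the helper died with, and probes whether anything accepts TCP on port 389, which is the check tcpdump ended up answering above. The regexes and the sample log are constructed from the output quoted in the post.

```python
import re
import socket

# Constructed sample in the shape of the syslog output quoted in the post: every
# line of the helper's stderr is preceded by a samba_runcmd_io_handler line.
SAMPLE_SYSLOG = """\
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.752020, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
Mar 1 00:42:17 commander samba[12250]: [2015/03/01 00:42:17.753033, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 118, in get_credentials
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: creds.set_machine_account(lp)
Mar 1 00:42:17 commander samba[12250]: /usr/sbin/samba_dnsupdate: RuntimeError: (-1073741275, 'NT_STATUS_NOT_FOUND')
"""

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ samba\[\d+\]: ")   # "Mar 1 00:42:17 host samba[pid]: "
CHILD_LINE = re.compile(r"^(?P<cmd>/\S+): (?P<text>.*)$")              # "/usr/sbin/helper: <stderr line>"
NT_STATUS = re.compile(r"RuntimeError: \((?P<code>-?\d+), '(?P<name>NT_STATUS_\w+)'\)")

def child_stderr(syslog_lines):
    """Strip the syslog prefix, drop the samba_runcmd_io_handler framing and
    return (helper path, [its stderr lines]) so the traceback reads normally."""
    cmd, lines = None, []
    for raw in syslog_lines:
        body = SYSLOG_PREFIX.sub("", raw.rstrip("\n"))
        if "samba_runcmd_io_handler" in body:
            continue  # framing line from util_runcmd.c, carries no child output
        m = CHILD_LINE.match(body)
        if m:
            cmd = m.group("cmd")
            lines.append(m.group("text"))
    return cmd, lines

def nt_status_failure(stderr_lines):
    """Return (numeric code, NT_STATUS name) the helper died with, or None."""
    for line in stderr_lines:
        m = NT_STATUS.search(line)
        if m:
            return int(m.group("code")), m.group("name")
    return None

def ldap_listening(host="127.0.0.1", port=389, timeout=1.0):
    """True if something accepts TCP connections on the LDAP port; in the post
    nothing was listening there until the database was reindexed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Feed `child_stderr` the raw lines from `journalctl -u samba` or `/var/log/syslog`; a `None` from `nt_status_failure` with an empty stderr list usually means the prefix regex did not match your syslog format.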