[Samba] Member join to Active Directory -> DNS-Update fails

Rowland Penny rpenny at samba.org
Fri Oct 27 16:45:00 UTC 2023


On Fri, 27 Oct 2023 16:22:54 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
wrote:

> Hello Luis,
> 
> answering between the comments...
> 
> >> And this is the debug log on the machine where the DNS-Update is
> >> tried upon:
> >> Oct 27 14:58:21 vmads.vitt.site samba[16373]: [2023/10/27
> >> 14:58:21.679662, 0]
> >> ../source4/dns_server/dns_update.c:407(handle_one_update)
> >> Oct 27 14:58:21 vmads.vitt.site samba[16373]: Can't handle updates
> >> of type 255 yet
> >> 
> > I assume your record does not exist already.
> 
> Correct, it does not exist already. Neither the A nor the PTR record
> do exist at this moment.

But there is nothing stopping you creating them.

> 
> >> I guess this is because this specific machine has an old samba
> >> version (4.6.4) which lacks the necessary functions.
> >> 
> >> What are my options now?
> >> a) update Samba on the old machine to a current version? (not 
> >> preferred)
> > Excellent idea. Try:
> 
> Unfortunately this is complicated. Current samba configure scripts
> need python3 which is unavailable for this old server. I would have
> to compile python and all its dependencies as well. I'll try not to
> do this ;-)
> Well, I COULD do this, but this is my last choice...

I wouldn't bother, just transfer any FSMO roles to another DC, then
demote this old DC and then, if required, create a new one.

> 
> >> b) let the joining Fileserver choose a different AD-Server
> >> preferred for
> >> DNS-Updates? (how would I do that?? the other AD servers are
> >> running on
> >> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD 
> >> servers.

I suggest you upgrade Bullseye to Bookworm and then use Samba from
backports.

> > I don’t think you can do that unless you stop samba in the old
> > server. Worth trying .
> 
> I'll test when the old server is unused. During working hours this is
> not possible.
> 
> >> c) create the necessary DNS-Entry manually (tried that already
> >> with the
> >> Windows DNS Client, this works)
> 
> Do I have to expect any problems when I join the new Fileserver and 
> create the DNS entries manually? If I do so, the DNS-Records are 
> immediately being synced between the three samba-internal dns
> servers as expected. Is there anything more to take care of?

No.

> 
> >> The server with the old samba version is my old File server and AD
> >> server in one machine
> > You probably refer to a DC server, not an AD server.
> 
> The old server has always been used as Active Directory Domain 
> Controller (this is what I called an AD server), first installed
> samba version was 4.0.5, self-compiled, one of the first versions
> with support for it. It is NOT an old NT-style PDC, if you mean this.
> 
> > Review your member server config, just in case you're missing
> > something:
> 
> The config at time of the Join is very basic:
> [global]
> ### Basic configuration ###
>       security = ADS
>       workgroup = ADVITT
>       realm = ADVITT.SITE
> 
>       log file = /var/log/samba/%m.log
>       log level = 1
> 
>       idmap config * : backend = autorid
>       idmap config * : range = 10000-9999999
> 
>       vfs objects = acl_xattr
>       map acl inherit = yes

Using the 'autorid' idmap backend is quite okay, but it has a
limitation, you cannot set 'winbind use default domain = yes' in your
smb.conf and then just use '$USERNAME' to logon, instead of
'$DOMAIN\$USERNAME'.
There are quite a few extra lines I would add, 'winbind refresh tickets =
yes' for one.

> 
> -> true, no shares at this point.
> 
> Kerberos config:
> [libdefaults]
>       default_realm = ADVITT.SITE
>       dns_lookup_realm = false
>       dns_lookup_kdc = true
> 
> Time Synchronization is pulled via NTP from the AD-DC Servers.
> Name resolution is set to the three AD-DC servers and Name resolution 
> tests are OK.

When you move to Bookworm, use Chrony instead, ntpsec has replaced ntp
and ntpsec isn't working with Samba at present.

> 
> I don't think I'm missing something important so far.
> 
> Cheers
> Thomas
> 

How is /etc/hosts set up ?
If you run 'hostname -f' in a terminal, does it return the computer's
FQDN ?

Rowland
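Added example, not code from the thread or from Samba itself: a small POSIX shell script that does the check Rowland asks for at the end (does 'hostname -f' return a fully qualified name inside the realm) and then carries out option c) from the discussion, creating the A and PTR records for the new file server directly on one of the newer DCs with samba-tool instead of relying on the dynamic update the join sends to whichever DC it happens to pick. The names dc2.advitt.site, fs1.advitt.site and the address 192.168.10.25 are assumed placeholders; `samba-tool dns add`, `samba-tool dns query` and `samba-tool dns zonecreate` are the real commands, and both the forward and the reverse zone must already exist on the DC.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from Samba):
# sanity-check the member server's host name, then create its A and PTR
# records on a chosen DC with samba-tool, i.e. option c) done against one
# of the newer DCs instead of relying on the join's dynamic DNS update.
# dc2.advitt.site, fs1.advitt.site and 192.168.10.25 are assumed placeholders.
set -eu

# Reverse zone for a dotted IPv4 address: 192.168.10.25 -> 10.168.192.in-addr.arpa
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# PTR record name inside that zone (the last octet): 192.168.10.25 -> 25
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 }'
}

# Returns 0 if $1 is a fully qualified name with a host label inside realm $2
# (compared case-insensitively), i.e. what 'hostname -f' has to return before
# the join; returns 1 otherwise.
fqdn_ok() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        "$realm"|."$realm") return 1 ;;   # realm alone, no host label
        *."$realm")         return 0 ;;
        *)                  return 1 ;;
    esac
}

# Create the A and PTR records for host $2 with address $3 on DC $1, then read
# them back. Authenticates as $4 (default Administrator); samba-tool prompts
# for the password. Both zones must already exist on the DC; the reverse zone
# can be created with: samba-tool dns zonecreate "$dc" "$rzone" -U "$user"
register_host() {
    dc=$1; fqdn=$2; ip=$3; user=${4:-Administrator}
    domain=${fqdn#*.}          # forward zone, e.g. advitt.site
    short=${fqdn%%.*}          # record name in that zone, e.g. fs1
    rzone=$(reverse_zone "$ip")
    ptr=$(ptr_name "$ip")

    fqdn_ok "$fqdn" "$domain" || { echo "'$fqdn' is not a fully qualified name" >&2; return 1; }

    samba-tool dns add   "$dc" "$domain" "$short" A   "$ip"   -U "$user"
    samba-tool dns add   "$dc" "$rzone"  "$ptr"   PTR "$fqdn" -U "$user"
    samba-tool dns query "$dc" "$domain" "$short" A   -U "$user"
    samba-tool dns query "$dc" "$rzone"  "$ptr"   PTR -U "$user"
}

# Usage: ./register-dns.sh <dc> <fqdn> <ip> [user]
# e.g.   ./register-dns.sh dc2.advitt.site fs1.advitt.site 192.168.10.25
# Without arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 3 ]; then
    # Warn if the local name differs from what the join will register.
    fqdn_ok "$(hostname -f)" "${2#*.}" \
        || echo "warning: 'hostname -f' returns '$(hostname -f)', check /etc/hosts" >&2
    register_host "$@"
fi
```

Point the first argument at one of the Samba 4.17 DCs; the records are then replicated to the other DCs, including the old 4.6.4 one, by normal AD replication, which is what Thomas already observed when creating them from the Windows DNS client. The warning about 'hostname -f' is deliberately not fatal, because the join itself only needs the name passed on the command line to be right.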


