[Samba] Member join to Active Directory -> DNS-Update fails

Bestattungen Vitt - Thomas Reitelbach t.reitelbach at bestattungen-vitt.de
Sat Oct 28 09:05:11 UTC 2023 

Hello Rowland,

>> >> I guess this is because this specific machine has an old samba
>> >> version (4.6.4) which lacks the necessary functions.
>> >>
>> >> What are my options now?
>> >> a) update Samba on the old machine to a current version? (not
>> >> preferred)
>> > Excelent idea. Try:
>> 
>> Unfortunately this is complicated. Current samba configure scripts
>> need python3 which is unavailable for this old server. I would have
>> to compile python and all its dependencies as well. I'll try not to
>> do this ;-)
>> Well, I COULD do this, but this is my last choice...
> 
> I wouldn't bother, just transfer any FSMO roles to another DC, then
> demote this old DC and then, if required, create a new one.

This DC is also my main Fileserver as well (I know, bad decision 12 
years ago).
What will happen to the file service if I demote the DC. If I understand 
the docs I should turn off the server afer demoting it which means shut 
down file and print services as well. This is not possible at the time 
beeing because it holds the users home directories, folder redirection 
share and so on.

>> >> b) let the joining Fileserver choose a different AD-Server
>> >> preferred for
>> >> DNS-Updates? (how would I do that?? the other AD servers are
>> >> running on
>> >> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD
>> >> servers.
> 
> I suggest you upgrade Bullseye to Bookworm and then use Samba from
> backports.

Upgrade to Bookworm is planned. But what's the exact reason to use samba 
from backports with bookworm? Is here a known problem with the samba 
version packaged with bookworm? (besides that it is not always the 
newest version...)

>> > I don’t think you can do that unless you stop samba in the old
>> > server. Worth trying .
>> 
>> I'll test when the old server is unused. At the working hours this is
>> not possible.

Tried it today.
Stopped samba service on the old server. Now the new fileserver can be 
joined without the errors about failed DNS updates because it chooses 
one of the newer DCs for it's DNS update. Fine :)

>> > Review your member server config, just in case your missing
>> > something:
>> 
>> The config at time of the Join is very basic:
>> [global]
>> ### Grundkonfiguration ###
>>       security = ADS
>>       workgroup = ADVITT
>>       realm = ADVITT.SITE
>> 
>>       log file = /var/log/samba/%m.log
>>       log level = 1
>> 
>>       idmap config * : backend = autorid
>>       idmap config * : range = 10000-9999999
>> 
>>       vfs objects = acl_xattr
>>       map acl inherit = yes
> 
> Using the 'autorid' idmap backend is quite okay, but it has a
> limitation, you cannot set 'winbind use default domain = yes' in your
> smb.conf and then just use '$USERNAME' to logon, instead of
> '$DOMAIN\$USERNAME'.
> There are quite few extra lines I would add, 'winbind refresh tickets =
> yes' for one.

Thank you for your input, I'll read the docs regarding those options :)

>> Time Syncronization is pulled via NTP from the AD-DC Servers.
>> Name resolution is set to the three AD-DC servers and Name resolution
>> tests are OK.
> 
> When you move to Bookworm, use Chrony instead, ntpsec has replaced ntp
> and ntpsec isn't working with Samba at the present.

With "pulled via NTP" I referred to NTP as a network protocol, not the 
daemon with that name. Actually I'm using chrony on the DCs right now 
and systemd-timesyncd on the new File server (Member server) which 
should be fine I guess.

> How is /etc/hosts set up ?
> If you run 'hostname -f' in a terminal, does it return the computers
> FQDN ?

Yes, it does.
The hosts file is straight forward:
root at fs1:~# cat /etc/hosts
127.0.0.1       localhost
192.168.3.246   fs1.advitt.site fs1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Thank you all on this list for helping me.
Stopping the old samba server was the easiest solution to join the new 
member. After beeing successful I restarted the old samba server.
Now I can migrate file- and print-services from the old to the new 
server and finally shut down the ancient one :)

Cheers
Thomas

-- 
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstraße 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958

Facebook:     http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet:     http://www.bestattungen-vitt.de

Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36

More information about the samba mailing list