[Samba] Member join to Active Directory -> DNS-Update fails

Rowland Penny rpenny at samba.org
Sat Oct 28 10:13:01 UTC 2023


On Sat, 28 Oct 2023 11:05:11 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
wrote:

> Hello Rowland,
> 
> >> >> I guess this is because this specific machine has an old samba
> >> >> version (4.6.4) which lacks the necessary functions.
> >> >>
> >> >> What are my options now?
> >> >> a) update Samba on the old machine to a current version? (not
> >> >> preferred)
> >> > Excellent idea. Try:
> >> 
> >> Unfortunately this is complicated. Current samba configure scripts
> >> need python3 which is unavailable for this old server. I would have
> >> to compile python and all its dependencies as well. I'll try not to
> >> do this ;-)
> >> Well, I COULD do this, but this is my last choice...
> > 
> > I wouldn't bother, just transfer any FSMO roles to another DC, then
> > demote this old DC and then, if required, create a new one.
> 
> This DC is also my main Fileserver as well (I know, bad decision 12 
> years ago).
> What will happen to the file service if I demote the DC? If I
> understand the docs I should turn off the server after demoting it,
> which means shutting down file and print services as well. This is not
> possible at the time being because it holds the users' home
> directories, folder redirection share and so on.

That complicates it somewhat. If you were using the 'ad' idmap backend,
then that would simplify things: you could have demoted the DC and
turned it into a Unix domain member, but as you seem to have been using
the DC's standard idmap_ldb, all your users and groups will have IDs in
the '3000000' range.
I suppose you could use the IDs to set uidNumber & gidNumber attributes
in AD, demote the DC and then make it a Unix domain member using the
'ad' idmap backend, but that would be a lot of work for just one
machine.
 
> 
> >> >> b) let the joining Fileserver choose a different AD-Server
> >> >> preferred for
> >> >> DNS-Updates? (how would I do that?? the other AD servers are
> >> >> running on
> >> >> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD
> >> >> servers.
> > 
> > I suggest you upgrade Bullseye to Bookworm and then use Samba from
> > backports.
> 
> Upgrade to Bookworm is planned. But what's the exact reason to use
> samba from backports with bookworm? Is here a known problem with the
> samba version packaged with bookworm? (besides that it is not always
> the newest version...)

Mainly just to get the latest possible version of Samba (newer is
always better, things get fixed and added).

> 
> >> > I don’t think you can do that unless you stop samba in the old
> >> > server. Worth trying .
> >> 
> >> I'll test when the old server is unused. At the working hours this
> >> is not possible.
> 
> Tried it today.
> Stopped samba service on the old server. Now the new fileserver can
> be joined without the errors about failed DNS updates because it
> chooses one of the newer DCs for its DNS update. Fine :)
>

Glad to hear that :-)
 
> >> > Review your member server config, just in case you're missing
> >> > something:
> >> 
> >> The config at time of the Join is very basic:
> >> [global]
> >> ### Basic configuration ###
> >>       security = ADS
> >>       workgroup = ADVITT
> >>       realm = ADVITT.SITE
> >> 
> >>       log file = /var/log/samba/%m.log
> >>       log level = 1
> >> 
> >>       idmap config * : backend = autorid
> >>       idmap config * : range = 10000-9999999
> >> 
> >>       vfs objects = acl_xattr
> >>       map acl inherit = yes
> > 
> > Using the 'autorid' idmap backend is quite okay, but it has a
> > limitation, you cannot set 'winbind use default domain = yes' in
> > your smb.conf and then just use '$USERNAME' to logon, instead of
> > '$DOMAIN\$USERNAME'.
> > There are quite few extra lines I would add, 'winbind refresh
> > tickets = yes' for one.
> 
> Thank you for your input, I'll read the docs regarding those options
> :)
> 
> >> Time Synchronization is pulled via NTP from the AD-DC Servers.
> >> Name resolution is set to the three AD-DC servers and Name
> >> resolution tests are OK.
> > 
> > When you move to Bookworm, use Chrony instead, ntpsec has replaced
> > ntp and ntpsec isn't working with Samba at the present.
> 
> With "pulled via NTP" I referred to NTP as a network protocol, not
> the daemon with that name. Actually I'm using chrony on the DCs right
> now and systemd-timesyncd on the new File server (Member server)
> which should be fine I guess.

Best to say what you mean in plain English, I took it as you were
running NTP.

> 
> > How is /etc/hosts set up ?
> > If you run 'hostname -f' in a terminal, does it return the computers
> > FQDN ?
> 
> Yes, it does.
> The hosts file is straight forward:
> root at fs1:~# cat /etc/hosts
> 127.0.0.1       localhost
> 192.168.3.246   fs1.advitt.site fs1
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

I have seen them where the IP address only points to the short hostname;
that can be one cause of the problem you were having.

> 
> Thank you all on this list for helping me.
> Stopping the old samba server was the easiest solution to join the
> new member. After being successful I restarted the old samba server.
> Now I can migrate file- and print-services from the old to the new 
> server and finally shut down the ancient one :)
> 
> Cheers
> Thomas

Can I suggest that you try to keep more up to date? Samba is a rapidly
changing program; things get added with every major update.

Rowland
 
> 
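The hosts-file check Rowland points to, as an added shell example that is not part of the thread: it tests that a domain member's address line lists the FQDN before the short name, using the host names from Thomas's /etc/hosts and constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread: check that a domain member's
# /etc/hosts maps its address to the FQDN first and the short name
# second. 'hostname -f' and Samba's DNS update rely on that ordering.
# Host names are the ones used in the thread; the sample files below are
# constructed for the demonstration.

# check_hosts_fqdn FILE FQDN SHORT
# Returns 0 if a non-loopback line in FILE names FQDN before SHORT,
# otherwise prints the reason and returns 1.
check_hosts_fqdn() {
    hosts_file=$1; fqdn=$2; short=$3
    # Drop comments and loopback lines, keep the first line that
    # mentions either name.
    line=$(sed -e 's/#.*//' "$hosts_file" | awk -v f="$fqdn" -v s="$short" '
        $1 == "127.0.0.1" || $1 == "::1" { next }
        { for (i = 2; i <= NF; i++) if ($i == f || $i == s) { print; exit } }')
    if [ -z "$line" ]; then
        echo "no non-loopback entry for $fqdn or $short"
        return 1
    fi
    set -- $line          # split into ip and names (word splitting intended)
    ip=$1; first=$2
    if [ "$first" != "$fqdn" ]; then
        echo "$ip lists '$first' first; the FQDN $fqdn must come before $short"
        return 1
    fi
    echo "$ip -> $fqdn ($short): ok"
    return 0
}

# Constructed samples: the layout Thomas posted, and a broken variant
# that lists only the short name.
GOOD_HOSTS=$(mktemp); BAD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.3.246   fs1.advitt.site fs1
::1     localhost ip6-localhost ip6-loopback
EOF
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.3.246   fs1    # FQDN missing: hostname -f cannot return it
EOF

check_hosts_fqdn "$GOOD_HOSTS" fs1.advitt.site fs1
check_hosts_fqdn "$BAD_HOSTS"  fs1.advitt.site fs1 || echo "(bad file rejected as expected)"
```

Run it against the real file with `check_hosts_fqdn /etc/hosts "$(hostname -f)" "$(hostname -s)"` on the member before joining.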