[Samba] Joining Linux Domain Member to Samba DC, issues

Rowland Penny rpenny at samba.org
Sun Apr 28 17:41:07 UTC 2024


On Sun, 28 Apr 2024 12:53:32 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sun Apr 28 03:42:51 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Sat, 27 Apr 2024 20:38:34 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > I've successfully joined two Linux Domain Members to two different
> > > Domains. Now, I'm joining a second Linux host as a Domain Member
> > > to a Samba4 (4.18.9) Domain. I'm having some possible issues this
> > > time.
> > > 
> > > Issue #1 Reverse Zone
> > > 
> > > On the SambaWiki:
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> > > under 2.5 Forward Lookup, no problem:
> > > 
> > > # host mail
> > > mail.hprs.local has address 192.168.0.2
> > > 
> > > 2.6 Reverse Lookup is not working:
> > > 
> > > # host 192.168.0.2
> > > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> > > 
> > > This is true for the other Linux domain member as well. I did
> > > create the reverse zone when provisioning the DC, and when I get
> > > a zonelist on the DC it does show the reverse zone (I think):
> > > 
> > > # samba-tool dns zonelist mail
> > > 
> > >   pszZoneName                 : 0.168.192.in-addr.arpa   <----
> > >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> > > DNS_RPC_ZONE_UPDATE_SECURE 
> > >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> > >   Version                     : 50
> > >   dwDpFlags                   : DNS_DP_AUTOCREATED
> > > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
> > >   pszDpFqdn                   : DomainDnsZones.hprs.local
> > > 
> > > What's up here and is this a problem?
> >
> > Linux dhcp has no direct method to add/update a computer's reverse
> > record in AD, you either need to use a script called by your dhcp
> > server, or add them manually.
> 
> So creating the reverse zone: 
> 
> samba-tool dns zonecreate mail  0.168.192.in-addr.arpa
> 
> Per the WiKi
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
> has no effect on subdomain members? I would have to create individual
> rDNS records for each host:
> 
> samba-tool dns zonecreate mail  3.168.192.in-addr.arpa

NO and if I remember correctly we have been here before.

If your dns CIDR is 192.168.0.0/24 then your reversezone would be
0.168.192.in-addr.arpa and you would need to add dns records to this
reversezone, eg if the computer's ip was 192.168.0.3:

samba-tool dns add 127.0.0.1 0.168.192.in-addr.arpa 3 PTR
mail.hprs.local

> 
> right? What then is the point of creating the reverse zone for
> 192.168.0.0/24?

Every point, but there is no point in creating a reversezone for every
PTR record.

> 
> 
> > > Issue #2: "DNS Update failed"
> > > 
> > > When joining the domain member, it joins (I think), but I get "DNS
> > > update failed" messages:
> > > 
> > > # net ads join -U Administrator   
> > > Using short domain name -- HPRS
> > > Joined 'WEBSERVER' to dns domain 'hprs.local'
> > > DNS Update for webserver.hprs.local failed:
> > > ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
> > > 
> > > I'm hoping this is just because I had added an A record for this
> > > host back when I provisioned the domain (and this host was not a
> > > domain member).  In fact, at the time I added A records for all
> > > the non-Domain-Member Linux hosts and other devices (like network
> > > printers).  I'm hoping this is not a real error, but is basically
> > > saying the A record already exists and it can't "update" the DNS.
> > > If so, a less scary message would be nice.  Please advise.
> > > 
> >
> > This is probably down to a dns problem, I usually give my servers a
> > fixed IP and then add the machine's dns info to /etc/hosts:
> >
> > IPADDRESS FQDN SHORT_HOSTNAME
> >
> > I never have the problem you are having.
> >
> > If you do not want to set a fixed ip, then ensure that your dhcp
> > server is supplying all the required dns data and that your server
> > knows it.
> 
> I've never had this problem either. I've joined Linux members in the
> past to both Samba DCs and Windows DCs. I've tried unjoining and
> re-joining with:
> 
> # samba-tool domain join hprs.local MEMBER -U administrator
> 
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> Joined domain hprs.local (S-1-5-21-1179323223-1906255692-291620936)
> 
> but still get that update failed message, even though it says,
> "Joined domain."

It isn't the join that is failing, it is the dns update.
If the computer is getting its dns via dhcp, then the computer's info
shouldn't be in /etc/hosts, even if it doesn't point to the computer's
IP.

> 
> This host is set up for a fixed IP address.
> 
> > I also hope that '.local' is a placeholder for the real TLD.
> 
> Nope. No choice in that. This domain started originally as a Windows
> SBS domain and that hprs.local was the way it was configured, long
> before I arrived on the scene. I have posts on this list describing
> my efforts to change the domain when I re-provisioned from scratch,
> but the hprs.local is scatter-shotted throughout all the Windows
> domain members' registries and attempts to change that failed.

I remember now, though why you have that problem, I do not know.

> 
> > > 
> > > Issue #3: getent not working
> > > 
> > > After joining this Domain Member I ran the getent test:
> > > 
> > > # getent passwd HPRS\\mark
> > > 
> > > Nothing came back. I do get results if I run it on the other
> > > Domain Member:
> > > 
> > > # getent passwd HPRS\\mark
> > > HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
> > > 
> > > winbindd is running and the /etc/nsswitch.conf file has been
> > > appropriately modified. The only config difference I know of
> > > between this member and the one where getent works is that in
> > > /etc/samba/smb.conf I added:
> > > 
> > > username map = /var/lib/samba/etc/user.map
> > > 
> > > and in /var/lib/samba/etc/user.map I have:
> > > 
> > > !root = hprs\Administrator
> > > uid = 0
> > > 
> > > wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't
> > > work?
> >
> > If smb.conf is set up correctly and winbind is running (which it
> > seems it is), then, have you set up the libnss winbind links ?
> >  
> > Rowland
> 
> I've previously joined several Linux domain members and I've never
> had to manually set libnss links. The wiki
> https://wiki.samba.org/index.php/Libnss_winbind_Links says, "You only
> need to do this if you compiled Samba yourself, otherwise your distro
> will provide packages to do this for you." 
> 
> I did not compile samba myself. I am using the Slackware 15.0 distro
> of Samba 4.18.9. The lib /usr/lib64/libnss_winbind.so.2 is the only
> winbind.so* that exists on any of these computers and getent works on
> the DC and the other domain member. I don't think there is anything
> else I can link.
> 
> # smbd -b | grep LIBDIR
>    LIBDIR: /usr/lib64
> 
> getent still doesn't work.
> 
> In addition, the share I've created in smb.conf isn't working and I
> think it is related to this problem.  Basically I moved another share
> definition from another domain member to this new member (which was
> the point of creating this new member).  With the share hosted on the
> original member, there was no problem.  The map-drive function used
> the users domain credentials without asking and the drive mapped.  On
> this new domain member, Windows users mapping this drive are asked to
> enter credentials.  And, once having done so the credentials are
> invalid -- even though they are valid domain user credentials. The
> windows computer says,
> 
> "The mapped network drive could not be created because the following
> error has occurred: The network login failed."
> 
> I don't know what's going wrong. I joined this domain member exactly
> like the others as far as I can tell.
> 

If 'wbinfo -u' and 'wbinfo -g' work and getent doesn't (provided you
are using 'getent passwd $USERNAME'), then it must be something that
connects nsswitch to the AD database (the libnss links) or a faulty
smb.conf

I suggest you post the smb.conf you are using on the Unix domain member
that doesn't work.

I have said this before, I do not use slackware, so I can only point
you in the direction of what works on Debian.

Rowland
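The two technical points in this exchange (the reverse zone covers the whole /24 and each host needs its own PTR record inside it; getent depends on nsswitch being wired to winbind) can be checked from the shell before touching the DC. The script below is an added example written for this page, not code from the thread or from the Samba project. It derives the in-addr.arpa zone name and PTR label from an IP and an octet-aligned CIDR, refuses an IP outside that network, prints (rather than runs) the `samba-tool dns add` command in the form Rowland gives, and checks whether an nsswitch.conf lists winbind for both passwd and group. The DC address 127.0.0.1 and the names 192.168.0.3 / mail.hprs.local are taken from the thread; the nsswitch sample at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Only /8, /16 and /24
# prefixes are handled, because AD reverse zones are octet-aligned.

# reverse_zone CIDR -> in-addr.arpa zone name, e.g. 192.168.0.0/24 -> 0.168.192.in-addr.arpa
reverse_zone() {
    net=${1%/*}; plen=${1#*/}
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    case "$plen" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "unsupported prefix length /$plen (octet-aligned only)" >&2; return 1 ;;
    esac
}

# in_cidr IP CIDR -> success if the IP's network octets match the CIDR's
in_cidr() {
    ip=$1; net=${2%/*}; plen=${2#*/}
    oldifs=$IFS; IFS=.
    set -- $ip; ip1=$1 ip2=$2 ip3=$3
    set -- $net; IFS=$oldifs
    case "$plen" in
        8)  [ "$ip1" = "$1" ] ;;
        16) [ "$ip1" = "$1" ] && [ "$ip2" = "$2" ] ;;
        24) [ "$ip1" = "$1" ] && [ "$ip2" = "$2" ] && [ "$ip3" = "$3" ] ;;
        *)  return 1 ;;
    esac
}

# ptr_label IP CIDR -> the record name inside the reverse zone (host octets, reversed)
ptr_label() {
    ip=$1; plen=${2#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    case "$plen" in
        8)  printf '%s.%s.%s\n' "$4" "$3" "$2" ;;
        16) printf '%s.%s\n' "$4" "$3" ;;
        24) printf '%s\n' "$4" ;;
        *)  return 1 ;;
    esac
}

# ptr_add_cmd DC IP FQDN CIDR -> prints the samba-tool command (dry run);
# fails if the IP is outside the CIDR, so a PTR never lands in the wrong zone
ptr_add_cmd() {
    in_cidr "$2" "$4" || { echo "$2 is not inside $4" >&2; return 1; }
    zone=$(reverse_zone "$4") || return 1
    label=$(ptr_label "$2" "$4") || return 1
    printf 'samba-tool dns add %s %s %s PTR %s\n' "$1" "$zone" "$label" "$3"
}

# nsswitch_has_winbind FILE -> success if both passwd and group lines name winbind
nsswitch_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Demonstration with the values from the thread
ptr_add_cmd 127.0.0.1 192.168.0.3 mail.hprs.local 192.168.0.0/24

# Constructed nsswitch.conf fragment (not a real file from the thread)
sample=$(mktemp)
printf 'passwd: files winbind\ngroup: files winbind\n' > "$sample"
if nsswitch_has_winbind "$sample"; then
    echo "nsswitch: winbind present for passwd and group"
else
    echo "nsswitch: winbind missing; getent will not see AD users"
fi
rm -f "$sample"
```

To check the real member, call `nsswitch_has_winbind /etc/nsswitch.conf`; if it fails, the libnss links or the `winbind` entries are the place to look before suspecting smb.conf. The printed `samba-tool` line is meant to be run on the DC (or with the DC's address in place of 127.0.0.1), once per host, inside the single /24 zone.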
