Joining second Samba4 DC

Ryan Whelan rcwhelan at gmail.com
Wed May 30 11:43:51 MDT 2012


I can't figure out how to completely add a second samba4 DC to a first
samba4 domain.  When I follow the how-to to create a samba4 domain, it goes
as I would expect.  I can add windows clients and dynamic DNS updates
work.  However, when I follow the how-to to add a second DC, DNS never gets
updated and replication only looks like it is getting set up in a single
direction.

On first host I provision with:
provision --realm=CNGTEST.LOCAL --domain=cngtest
--adminpass=somethingsimple --server-role="domain controller"

Once that's done and I start samba, I can verify the DNS zone with:
dig cngtest.local axfr @127.0.0.1
(I'm not an AD expert, but it looks OK; I can see all the SRV and A records)

On the second machine (the machine to add as a second DC) I try to join
with:
samba-tool domain join cngtest.local DC --realm=CNGTEST.LOCAL
-Uadministrator

The join seems to work fine.  As soon as I start samba on the second
machine, and run a `samba-tool drs showrepl`, all I see are connections
under the 'Inbound' header:


Default-First-Site-Name\SMB2
DSA Options: 0x00000001
DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc
DSA invocationId: e2e50339-a7af-47f4-810b-e85627efc750

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=cngtest,DC=local
    Default-First-Site-Name\SMB1 via RPC
        DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
        Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 30 13:14:23 2012 EDT

CN=Schema,CN=Configuration,DC=cngtest,DC=local
    Default-First-Site-Name\SMB1 via RPC
        DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
        Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 30 13:14:23 2012 EDT

DC=cngtest,DC=local
    Default-First-Site-Name\SMB1 via RPC
        DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
        Last attempt @ Wed May 30 13:14:24 2012 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 30 13:14:24 2012 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 611dcc37-8acc-4a16-8fa1-94eb673aa45a
    Enabled        : TRUE
    Server DNS name : SMB2.cngtest.local
    Server DN name  : CN=NTDS
Settings,CN=SMB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cngtest,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!


Looking back at the first machine (SMB1), it is filling its logs with an
error that it can't resolve the GUID of the second machine:
dns child failed to find name
'38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
dns child failed to find name
'38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
dns child failed to find name
'38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
dns child failed to find name
'38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A

Not a surprise I suppose, since it never updated the DNS zone.  I tried
running samba_dnsupdate and restarting bind; the second host never shows
up.  I tried adding the record with `samba-tool dns`:
samba-tool dns add -Uadministrator smb1 cngtest.local
38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs A 192.168.0.202

This reports no issue and I can see the record if I do a zone transfer:
dig cngtest.local axfr @127.0.0.1
....
38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local. 900 IN A
192.168.0.202
....

However, if I try to resolve that address, it fails!
dig 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local
(status: NXDOMAIN)

Also, when I run 'showrepl' on the secondary, the primary generates the
following errors:

Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:45982 for
krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
SMB2$@CNGTEST.LOCAL
Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:33123 for
krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- SMB2$@CNGTEST.LOCAL
Kerberos: Looking for ENC-TS pa-data -- SMB2$@CNGTEST.LOCAL
Kerberos: ENC-TS Pre-authentication succeeded -- SMB2$@CNGTEST.LOCAL using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-05-30T13:20:12 starttime: unset endtime:
2012-05-30T23:20:12 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:59067 for
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:59067
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49944 for
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49944
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49478 for
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49478
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:60929 for
ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
Kerberos: Searching referral for smb2.cngtest.local
Kerberos: Server not found in database:
ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:60929
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:47690 for
ldap/smb2.cngtest.local at CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:47690
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:41658 for
ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
Kerberos: Searching referral for smb2.cngtest.local
Kerberos: Server not found in database:
ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:41658
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:42830 for
ldap/smb2.cngtest.local at CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:42830

I followed the how-tos to the letter. I've tried a few times now and I'm
starting to really lose hope.  What is wrong?  What am I missing?  We
really would like to start testing Samba as a replacement for MS AD!

ryan
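The two symptoms in the post (replication that only appears under the inbound header, and a KDC that cannot find the new DC's `ldap/` principal) are the checks an operator wants to automate when bringing a second DC online. The script below is an added example written for this thread; it is not from the poster, the Samba project, or `samba-tool`. It parses `samba-tool drs showrepl` output and KDC log lines of the shape shown above, reports one-directional replication and KCC warnings, lists the `<DSA GUID>._msdcs.<realm>` names each partner must be able to resolve, and collects the service principals the KDC reported as absent. The embedded samples are constructed from the post's own output (GUIDs and names are the post's); the function names are the example's own.

```python
"""Triage helpers for a freshly joined Samba4 DC (added example, not Samba code)."""
import re

# Constructed sample, trimmed from the `samba-tool drs showrepl` output in the post.
SHOWREPL_SAMPLE = r"""
Default-First-Site-Name\SMB2
DSA Options: 0x00000001
DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc
DSA invocationId: e2e50339-a7af-47f4-810b-e85627efc750

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=cngtest,DC=local
    Default-First-Site-Name\SMB1 via RPC
        DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
        Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 30 13:14:23 2012 EDT

DC=cngtest,DC=local
    Default-First-Site-Name\SMB1 via RPC
        DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
        Last attempt @ Wed May 30 13:14:24 2012 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed May 30 13:14:24 2012 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 611dcc37-8acc-4a16-8fa1-94eb673aa45a
    Enabled        : TRUE
    Server DNS name : SMB2.cngtest.local
Warning: No NC replicated for Connection!
"""

# Constructed sample of the KDC log lines from the post (wrapped exactly as posted).
KDC_SAMPLE = r"""
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
Kerberos: Server not found in database:
ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:60929 for
ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
Kerberos: Server not found in database:
ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
"""

SECTION_RE = re.compile(r"^==== (.+?) ====$")
GUID_RE = re.compile(r"DSA object GUID:\s*([0-9a-f-]{36})", re.I)
SPN_RE = re.compile(r"Server not found in database:\s*(\S+) at (\S+):")


def parse_showrepl(text):
    """Parse showrepl output into {local_guid, inbound, outbound, warnings}."""
    report = {"local_guid": None, "inbound": [], "outbound": [], "warnings": []}
    section = None          # None until the first "==== ... ====" header
    current_nc = None       # naming context currently being listed
    current_partner = None  # partner line, e.g. "Site\Server via RPC"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_nc, current_partner = m.group(1), None, None
            continue
        if line.startswith("Warning:"):
            report["warnings"].append(line)
            continue
        if section is None:  # header block describes this DC's own DSA
            g = GUID_RE.search(line)
            if g:
                report["local_guid"] = g.group(1).lower()
            continue
        key = {"INBOUND NEIGHBORS": "inbound", "OUTBOUND NEIGHBORS": "outbound"}.get(section)
        if key is None:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            current_nc = line
        elif indent == 4 and " via " in line:
            current_partner = line
        else:
            g = GUID_RE.search(line)
            if g and current_nc and current_partner:
                report[key].append({"nc": current_nc, "partner": current_partner,
                                    "guid": g.group(1).lower()})
    return report


def replication_findings(report):
    """Human-readable findings: one-way replication plus any KCC warnings."""
    findings = []
    if report["inbound"] and not report["outbound"]:
        findings.append("replication is inbound only: no partner pulls from this DC")
    elif not report["inbound"] and not report["outbound"]:
        findings.append("no replication partners at all")
    findings.extend(report["warnings"])
    return findings


def expected_msdcs_names(report, realm):
    """The <DSA GUID>._msdcs.<realm> records every DC must resolve (self and partners)."""
    guids = {report["local_guid"]} | {n["guid"] for n in report["inbound"] + report["outbound"]}
    return sorted(f"{g}._msdcs.{realm.lower()}" for g in guids if g)


def missing_spns(log_lines):
    """Map lowercased SPN -> realm for every 'Server not found in database' KDC record.
    Lines not starting with 'Kerberos:' are treated as wrapped continuations."""
    records = []
    for line in log_lines:
        if not line.strip():
            continue
        if line.startswith("Kerberos:") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    found = {}
    for rec in records:
        m = SPN_RE.search(rec)
        if m:
            found.setdefault(m.group(1).lower(), m.group(2))
    return found


if __name__ == "__main__":
    rep = parse_showrepl(SHOWREPL_SAMPLE)
    for f in replication_findings(rep):
        print("finding:", f)
    for name in expected_msdcs_names(rep, "CNGTEST.LOCAL"):
        print("must resolve:", name)
    for spn, realm in missing_spns(KDC_SAMPLE.splitlines()).items():
        print("KDC has no entry for", spn, "in", realm)
```

Feed it real output (`samba-tool drs showrepl | python3 triage.py`-style, after swapping the samples for `sys.stdin`) on each DC and compare: the `_msdcs` names it lists are exactly the ones to query with `dig` against every DC's DNS, and an SPN that shows up under `missing_spns` on the first DC means that DC has not yet replicated the second DC's computer object, which matches the inbound-only picture rather than being a separate Kerberos fault.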

