Joining second Samba4 DC

Aaron E. ssureshot at gmail.com
Wed May 30 12:22:45 MDT 2012


I'm using the flatfile right now, but in my testing of this in the past I 
did have to create the entry in dns manually. Once I created it, it would 
start working right away.

It isn't a standard A record though; if you look through the dns 
management console you'll find where the primary is defined and add the 
secondary just the same.

Sorry I don't have exact directions, and there may be an easier way. 
This is just how I corrected the scenario.

On 05/30/2012 01:43 PM, Ryan Whelan wrote:
> I can't figure out how to completely add a second samba4 DC to a first
> samba4 domain.  When I follow the how-to to create a samba4 domain, it goes
> as i would expect.  I can add windows clients and dynamic DNS updates
> work.  However, when I follow the howto add a second DC, DNS never gets
> updated and replication only looks like it is getting setup in a single
> direction.
>
> On first host I provision with:
> provision --realm=CNGTEST.LOCAL --domain=cngtest
> --adminpass=somethingsimple --server-role="domain controller"
>
> Once that's done and I start samba, I can verify the DNS zone with:
> dig cngtest.local axfr @127.0.0.1
> (I'm not an AD expert, but it looks ok. I can see all the SRV and A records)
>
> On the second machine (the machine to add as a second DC) I try to join
> with:
> samba-tool domain join cngtest.local DC --realm=CNGTEST.LOCAL
> -Uadministrator
>
> The join seems to work fine.  As soon as I start samba on the second
> machine and run a `samba-tool drs showrepl`, all I see are connections
> under the 'Inbound' header.
>
>
> Default-First-Site-Name\SMB2
> DSA Options: 0x00000001
> DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc
> DSA invocationId: e2e50339-a7af-47f4-810b-e85627efc750
>
> ==== INBOUND NEIGHBORS ====
>
> CN=Configuration,DC=cngtest,DC=local
>      Default-First-Site-Name\SMB1 via RPC
>          DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>          Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>          0 consecutive failure(s).
>          Last success @ Wed May 30 13:14:23 2012 EDT
>
> CN=Schema,CN=Configuration,DC=cngtest,DC=local
>      Default-First-Site-Name\SMB1 via RPC
>          DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>          Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>          0 consecutive failure(s).
>          Last success @ Wed May 30 13:14:23 2012 EDT
>
> DC=cngtest,DC=local
>      Default-First-Site-Name\SMB1 via RPC
>          DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>          Last attempt @ Wed May 30 13:14:24 2012 EDT was successful
>          0 consecutive failure(s).
>          Last success @ Wed May 30 13:14:24 2012 EDT
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>      Connection name: 611dcc37-8acc-4a16-8fa1-94eb673aa45a
>      Enabled        : TRUE
>      Server DNS name : SMB2.cngtest.local
>      Server DN name  : CN=NTDS
> Settings,CN=SMB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cngtest,DC=local
>          TransportType: RPC
>          options: 0x00000001
> Warning: No NC replicated for Connection!
>
>
> Looking back at the first machine (SMB1), it is filling its logs with an
> error that it can't resolve the GUID of the second machine:
> dns child failed to find name
> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
> dns child failed to find name
> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
> dns child failed to find name
> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
> dns child failed to find name
> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>
> Not a surprise I suppose since it never updated the DNS zone.  I tried
> running samba_dnsupdate and restarting bind- the second host never shows
> up.  I tried adding the record with `samba-tool dns`:
> samba-tool dns add -Uadministrator smb1 cngtest.local
> 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs A 192.168.0.202
>
> This reports no issue and I can see the record if I do a zone transfer:
> dig cngtest.local axfr @127.0.0.1
> ....
> 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local. 900 IN A
> 192.168.0.202
> ....
>
> However, if I try to do a resolution on that address, it fails!
> dig 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local
> (status: NXDOMAIN)
>
> Also when I do run 'showrepl' on the secondary, the primary generates the
> following errors:
>
> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:45982 for
> krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> SMB2$@CNGTEST.LOCAL
> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:33123 for
> krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
> Kerberos: Client sent patypes: encrypted-timestamp
> Kerberos: Looking for PKINIT pa-data -- SMB2$@CNGTEST.LOCAL
> Kerberos: Looking for ENC-TS pa-data -- SMB2$@CNGTEST.LOCAL
> Kerberos: ENC-TS Pre-authentication succeeded -- SMB2$@CNGTEST.LOCAL using
> arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2012-05-30T13:20:12 starttime: unset endtime:
> 2012-05-30T23:20:12 renew till: unset
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
> using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: forwardable
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:59067 for
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:59067
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49944 for
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49944
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49478 for
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49478
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:60929 for
> ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
> Kerberos: Searching referral for smb2.cngtest.local
> Kerberos: Server not found in database:
> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:60929
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:47690 for
> ldap/smb2.cngtest.local at CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:47690
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:41658 for
> ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
> Kerberos: Searching referral for smb2.cngtest.local
> Kerberos: Server not found in database:
> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:41658
> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:42830 for
> ldap/smb2.cngtest.local at CNGTEST.LOCAL
> Kerberos: Server not found in database:
> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:42830
>
> I followed the how-tos to the letter. I've tried a few times now and I'm
> starting to really lose hope.  What is wrong?  What am I missing?  We
> really would like to start testing Samba as a replacement for MS AD!
>
> ryan
>
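Added example, written for this thread and not code from either poster or from the Samba project: a small POSIX shell script that turns the symptoms Ryan reports into repeatable checks over captured command output, so a second DC can be verified after joining instead of eyeballed. It flags an empty OUTBOUND NEIGHBORS section and "No NC replicated" warnings in `samba-tool drs showrepl` output, a DSA GUID name under `_msdcs` that is registered as an A record (my note: Active Directory expects that name to be a CNAME to the DC's host name, which matches Aaron's "not a standard A record"), and KDC "Server not found in database" lines for the new DC's service principals, which on the first DC mean the new computer object's SPNs have not replicated to it yet. All host names, GUIDs, addresses and the zone `example.test` are constructed placeholders, not values from a real domain.

```shell
#!/bin/sh
# Added example, not from the thread: checks over saved output after joining
# a second Samba4 DC. Every sample below is CONSTRUCTED to mirror the shapes
# shown in the thread (placeholder hosts, GUIDs, zone and addresses).

# Constructed `samba-tool drs showrepl` output as seen on the new DC (DC2).
SHOWREPL_SAMPLE='Default-First-Site-Name\DC2
DSA object GUID: 11111111-2222-3333-4444-555555555555

==== INBOUND NEIGHBORS ====

DC=example,DC=test
     Default-First-Site-Name\DC1 via RPC
         DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
         Last attempt @ Wed May 30 13:14:24 2012 EDT was successful

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
     Connection name: 01234567-89ab-cdef-0123-456789abcdef
     Server DNS name : DC2.example.test
Warning: No NC replicated for Connection!'

# Constructed `dig example.test axfr` output: DC1 has the expected CNAME for
# its DSA GUID, DC2 was given an A record instead.
ZONE_SAMPLE='example.test. 3600 IN SOA dc1.example.test. hostmaster.example.test. 1 900 600 86400 3600
dc1.example.test. 900 IN A 192.0.2.10
dc2.example.test. 900 IN A 192.0.2.20
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.test. 900 IN CNAME dc1.example.test.
11111111-2222-3333-4444-555555555555._msdcs.example.test. 900 IN A 192.0.2.20
_ldap._tcp.example.test. 900 IN SRV 0 100 389 dc1.example.test.'

# Constructed KDC log lines from DC1, one per line (the list archive wraps
# them and spells @ as "at").
KDC_LOG_SAMPLE='Kerberos: TGS-REQ DC2$@EXAMPLE.TEST from ipv4:192.0.2.20:52989 for ldap/DC2.EXAMPLE.TEST@EXAMPLE.TEST [canonicalize]
Kerberos: Server not found in database: ldap/DC2.EXAMPLE.TEST@EXAMPLE.TEST: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.0.2.20:52989
Kerberos: Server not found in database: ldap/dc2.example.test@EXAMPLE.TEST: no such entry found in hdb'

# Count partners listed under one showrepl section (INBOUND or OUTBOUND).
# Arg 1: section name; showrepl text on stdin.
count_neighbors() {
    awk -v want="==== $1 NEIGHBORS ====" '
        $0 == want        { inside = 1; next }
        /^==== /          { inside = 0 }
        inside && / via / { n++ }
        END               { print n + 0 }'
}

# Count KCC connection objects that replicate no naming context at all.
count_nc_warnings() {
    awk '/No NC replicated/ { n++ } END { print n + 0 }'
}

# Print the record type registered for a DSA GUID under _msdcs, or MISSING.
# Args: DSA GUID, zone; zone transfer text on stdin.
msdcs_record_type() {
    awk -v name="$1._msdcs.$2." '
        $1 == name { found = $4 }
        END        { print (found == "" ? "MISSING" : found) }'
}

# Count KDC lines where a service principal for the given host was not found.
# Arg 1: host FQDN (matched case-insensitively); log text on stdin.
count_missing_spn() {
    awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /Server not found in database/ && index(tolower($0), "/" host "@") { n++ }
        END { print n + 0 }'
}

# Overall verdict: returns 0 when the join looks healthy, 1 otherwise.
# Args: new DC's DSA GUID, zone, new DC short host name, then the captured
# showrepl, zone transfer and KDC log texts.
dc_join_health() {
    guid=$1; zone=$2; host=$3; rc=0
    out=$(printf '%s\n' "$4" | count_neighbors OUTBOUND)
    [ "$out" -eq 0 ] && { echo "FAIL: no outbound partners (one-way replication)"; rc=1; }
    warn=$(printf '%s\n' "$4" | count_nc_warnings)
    [ "$warn" -gt 0 ] && { echo "FAIL: $warn connection(s) replicate no naming context"; rc=1; }
    rtype=$(printf '%s\n' "$5" | msdcs_record_type "$guid" "$zone")
    [ "$rtype" != CNAME ] && { echo "FAIL: $guid._msdcs.$zone is $rtype, expected CNAME to $host.$zone"; rc=1; }
    spn=$(printf '%s\n' "$6" | count_missing_spn "$host.$zone")
    [ "$spn" -gt 0 ] && { echo "FAIL: KDC rejected $spn request(s): SPNs of $host not replicated yet"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: join looks healthy"
    return "$rc"
}

# Run against the constructed samples; all four checks fail for this data.
dc_join_health 11111111-2222-3333-4444-555555555555 example.test dc2 \
    "$SHOWREPL_SAMPLE" "$ZONE_SAMPLE" "$KDC_LOG_SAMPLE" || echo "exit status: $?"
```

To use it on a live system, capture `samba-tool drs showrepl` on the new DC, `dig <zone> axfr @<dc>` against the first DC, and the first DC's log with Kerberos messages, then pass those texts in place of the samples. The `msdcs_record_type` check deliberately reports the type it found rather than a bare pass/fail, since the thread's case (an A record present, a CNAME expected) is exactly the situation where "the record exists" and "the record is right" differ.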