Joining second Samba4 DC

Ryan Whelan rcwhelan at gmail.com
Wed May 30 13:17:56 MDT 2012


That was it - the system seems to be much happier now.

Now I need to figure out how to add a second DNS server :)

On Wed, May 30, 2012 at 2:35 PM, Aaron E. <ssureshot at gmail.com> wrote:

> Come to think of it, I had to add the entry in the flatfile configuration
> also.
>
>
> On 05/30/2012 02:22 PM, Aaron E. wrote:
>
>> I'm using the flatfile right now, but in my testing of this in the past I
>> did have to create the entry in DNS manually. Once I created it, it would
>> start working right away.
>>
>> It isn't a standard A record though; if you look through the DNS
>> management console you'll find where the primary is defined, and add the
>> secondary just the same.
>>
>> Sorry I don't have exact directions, and there may be an easier way.
>> This is just how I corrected the scenario.
>>
>> On 05/30/2012 01:43 PM, Ryan Whelan wrote:
>>
>>> I can't figure out how to completely add a second Samba4 DC to a first
>>> Samba4 domain. When I follow the how-to to create a Samba4 domain, it
>>> goes as I would expect. I can add Windows clients and dynamic DNS updates
>>> work. However, when I follow the how-to to add a second DC, DNS never
>>> gets updated and replication only looks like it is getting set up in a
>>> single direction.
>>>
>>> On the first host I provision with:
>>> provision --realm=CNGTEST.LOCAL --domain=cngtest --adminpass=somethingsimple --server-role="domain controller"
>>>
>>> Once that's done and I start samba, I can verify the DNS zone with:
>>> dig cngtest.local axfr @127.0.0.1
>>> (I'm not an AD expert, but it looks ok. I can see all the SRV and A
>>> records)
>>>
>>> On the second machine (the machine to add as a second DC) I try to join
>>> with:
>>> samba-tool domain join cngtest.local DC --realm=CNGTEST.LOCAL -Uadministrator
>>>
>>> The join seems to work fine. As soon as I start samba on the second
>>> machine and run `samba-tool drs showrepl`, all I see are connections
>>> under the 'Inbound' header:
>>>
>>>
>>> Default-First-Site-Name\SMB2
>>> DSA Options: 0x00000001
>>> DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc
>>> DSA invocationId: e2e50339-a7af-47f4-810b-e85627efc750
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> CN=Configuration,DC=cngtest,DC=local
>>> Default-First-Site-Name\SMB1 via RPC
>>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>>> Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>>> 0 consecutive failure(s).
>>> Last success @ Wed May 30 13:14:23 2012 EDT
>>>
>>> CN=Schema,CN=Configuration,DC=cngtest,DC=local
>>> Default-First-Site-Name\SMB1 via RPC
>>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>>> Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>>> 0 consecutive failure(s).
>>> Last success @ Wed May 30 13:14:23 2012 EDT
>>>
>>> DC=cngtest,DC=local
>>> Default-First-Site-Name\SMB1 via RPC
>>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>>> Last attempt @ Wed May 30 13:14:24 2012 EDT was successful
>>> 0 consecutive failure(s).
>>> Last success @ Wed May 30 13:14:24 2012 EDT
>>>
>>> ==== OUTBOUND NEIGHBORS ====
>>>
>>> ==== KCC CONNECTION OBJECTS ====
>>>
>>> Connection --
>>> Connection name: 611dcc37-8acc-4a16-8fa1-94eb673aa45a
>>> Enabled : TRUE
>>> Server DNS name : SMB2.cngtest.local
>>> Server DN name : CN=NTDS Settings,CN=SMB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cngtest,DC=local
>>>
>>> TransportType: RPC
>>> options: 0x00000001
>>> Warning: No NC replicated for Connection!
>>>
>>>
>>> Looking back at the first machine (SMB1), it is filling its logs with an
>>> error that it can't resolve the GUID of the second machine:
>>> dns child failed to find name '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>>> dns child failed to find name '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>>> dns child failed to find name '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>>> dns child failed to find name '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>>>
>>> Not a surprise I suppose, since it never updated the DNS zone. I tried
>>> running samba_dnsupdate and restarting BIND - the second host never shows
>>> up. I tried adding the record with `samba-tool dns`:
>>> samba-tool dns add -Uadministrator smb1 cngtest.local 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs A 192.168.0.202
>>>
>>> This reports no issue, and I can see the record if I do a zone transfer:
>>> dig cngtest.local axfr @127.0.0.1
>>> ....
>>> 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local. 900 IN A 192.168.0.202
>>> ....
>>>
>>> However, if I try to resolve that name, it fails!
>>> dig 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local
>>> (status: NXDOMAIN)
>>>
>>> Also, when I run 'showrepl' on the secondary, the primary generates the
>>> following errors:
>>>
>>> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:45982 for krbtgt/CNGTEST.LOCAL@CNGTEST.LOCAL
>>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- SMB2$@CNGTEST.LOCAL
>>> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:33123 for krbtgt/CNGTEST.LOCAL@CNGTEST.LOCAL
>>> Kerberos: Client sent patypes: encrypted-timestamp
>>> Kerberos: Looking for PKINIT pa-data -- SMB2$@CNGTEST.LOCAL
>>> Kerberos: Looking for ENC-TS pa-data -- SMB2$@CNGTEST.LOCAL
>>> Kerberos: ENC-TS Pre-authentication succeeded -- SMB2$@CNGTEST.LOCAL using arcfour-hmac-md5
>>> Kerberos: AS-REQ authtime: 2012-05-30T13:20:12 starttime: unset endtime: 2012-05-30T23:20:12 renew till: unset
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
>>> Kerberos: Requested flags: forwardable
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL [canonicalize]
>>> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:59067 for ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:59067
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49944 for ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL [canonicalize]
>>> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49944
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49478 for ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49478
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:60929 for ldap/smb2.cngtest.local@CNGTEST.LOCAL [canonicalize]
>>> Kerberos: Searching referral for smb2.cngtest.local
>>> Kerberos: Server not found in database: ldap/smb2.cngtest.local@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:60929
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:47690 for ldap/smb2.cngtest.local@CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/smb2.cngtest.local@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:47690
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:41658 for ldap/smb2.cngtest.local@CNGTEST.LOCAL [canonicalize]
>>> Kerberos: Searching referral for smb2.cngtest.local
>>> Kerberos: Server not found in database: ldap/smb2.cngtest.local@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:41658
>>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:42830 for ldap/smb2.cngtest.local@CNGTEST.LOCAL
>>> Kerberos: Server not found in database: ldap/smb2.cngtest.local@CNGTEST.LOCAL: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:42830
>>>
>>> I followed the how-tos to the letter. I've tried a few times now and I'm
>>> starting to really lose hope. What is wrong? What am I missing? We
>>> really would like to start testing Samba as a replacement for MS AD!
>>>
>>> ryan
>>>
>>>
>>
>>
>>
>
>
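
Added example, not code from the thread or from the Samba project: a small
Python triage script over the two artefacts quoted above, the new DC's
`samba-tool drs showrepl` output and the first DC's KDC log lines. It pulls the
new DC's DSA object GUID out of showrepl, flags the empty outbound-neighbour
list and the "No NC replicated" warning, lists the DNS records a DC is expected
to register (the `<DSA GUID>._msdcs.<realm>` entry is a CNAME to the DC's host
name rather than an A record, which is the point Aaron makes about it not being
a standard A record; the SRV list here is the core subset and Samba's
dns_update_list, as used by samba_dnsupdate, is the full set), and extracts the
SPNs the KDC reports as "Server not found in database" so they can be checked
against the joined DC's computer object. The sample inputs are constructed from
values in the post; the host name, realm and site name are assumptions passed
in as parameters.

```python
"""Triage helper for a newly joined Samba AD DC. Added example for this
thread, not Samba project code. Parses `samba-tool drs showrepl` output and
KDC log lines, then lists what to verify next."""
import re

# Constructed sample of `samba-tool drs showrepl` on the new DC, abbreviated
# to one inbound naming context; GUIDs and names are the ones in the post.
SHOWREPL_SAMPLE = """\
Default-First-Site-Name\\SMB2
DSA Options: 0x00000001
DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc

==== INBOUND NEIGHBORS ====

DC=cngtest,DC=local
\tDefault-First-Site-Name\\SMB1 via RPC
\t\tDSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
\t\t0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
\tServer DNS name : SMB2.cngtest.local
Warning: No NC replicated for Connection!
"""

# Constructed sample of the KDC lines logged by the first DC (from the post).
KDC_LOG_SAMPLE = """\
Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL [canonicalize]
Kerberos: Server not found in database: ldap/SMB2.CNGTEST.LOCAL@CNGTEST.LOCAL: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
Kerberos: Server not found in database: ldap/smb2.cngtest.local@CNGTEST.LOCAL: no such entry found in hdb
"""

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def parse_showrepl(text):
    """Return the local DSA GUID, inbound/outbound neighbours per naming
    context (as [source DSA, consecutive failures]) and any Warning lines."""
    rep = {"dsa_guid": None, "inbound": {}, "outbound": {}, "warnings": []}
    section = nc = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        head = re.match(r"==== (\w+) ", line)       # "==== INBOUND NEIGHBORS ===="
        if line.startswith("Warning:"):
            rep["warnings"].append(line)
        elif head:
            section, nc = head.group(1).lower(), None
        elif section is None and line.startswith("DSA object GUID:"):
            rep["dsa_guid"] = GUID_RE.search(line).group(0)  # header = local DSA
        elif section in ("inbound", "outbound"):
            if line.startswith(("CN=", "DC=")):      # a naming context heading
                nc = line
                rep[section].setdefault(nc, [])
            elif nc and " via " in line:             # "<site>\<dc> via RPC"
                rep[section][nc].append([line.split(" via ")[0], 0])
            elif nc and "consecutive failure" in line:
                rep[section][nc][-1][1] = int(line.split()[0])
    return rep


def expected_dns_records(dsa_guid, host_fqdn, realm, site="Default-First-Site-Name"):
    """Records a DC registers so peers can locate it and replicate from it.
    The DSA GUID entry is a CNAME to the DC's host name, not an A record (the
    A record belongs to the host name itself). The SRV list is the core
    subset; Samba's dns_update_list is the authoritative full set."""
    realm = realm.lower()

    def srv(port):
        return f"0 100 {port} {host_fqdn}."

    return [
        (f"{dsa_guid}._msdcs.{realm}", "CNAME", f"{host_fqdn}."),
        (f"_ldap._tcp.{realm}", "SRV", srv(389)),
        (f"_ldap._tcp.dc._msdcs.{realm}", "SRV", srv(389)),
        (f"_ldap._tcp.{site}._sites.dc._msdcs.{realm}", "SRV", srv(389)),
        (f"_kerberos._tcp.{realm}", "SRV", srv(88)),
        (f"_kerberos._tcp.dc._msdcs.{realm}", "SRV", srv(88)),
        (f"_kerberos._udp.{realm}", "SRV", srv(88)),
        (f"_kpasswd._tcp.{realm}", "SRV", srv(464)),
    ]


def missing_spns(kdc_log):
    """SPNs the KDC reports as absent from its database (hdb), i.e. not held
    as a servicePrincipalName on any account the first DC knows about."""
    return sorted(set(re.findall(r"Server not found in database: (\S+?)@", kdc_log)))


def diagnose(showrepl_text, kdc_log, host_fqdn, realm):
    """Turn both artefacts into a checklist of things to verify on the DCs."""
    rep = parse_showrepl(showrepl_text)
    findings = []
    if not rep["outbound"]:
        findings.append("no outbound neighbours: no peer is pulling from this DC")
    findings.extend(rep["warnings"])
    if rep["dsa_guid"]:
        name, _, target = expected_dns_records(rep["dsa_guid"], host_fqdn, realm)[0]
        findings.append(f"verify: dig +short CNAME {name}  (expect {target})")
    for spn in missing_spns(kdc_log):
        findings.append(f"verify servicePrincipalName {spn} on the joined DC's computer object")
    return findings


if __name__ == "__main__":
    # host name and realm are assumptions taken from the thread
    for item in diagnose(SHOWREPL_SAMPLE, KDC_LOG_SAMPLE, "smb2.cngtest.local", "CNGTEST.LOCAL"):
        print("-", item)
```

To use it on a real system, paste the output of `samba-tool drs showrepl` from
the joined DC and the `Kerberos:` lines from the first DC's log into the two
strings (or read them from files), then check each `dig` line against the DNS
server the DCs actually use and each SPN against `samba-tool spn list` for the
joined DC's account.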


More information about the samba-technical mailing list