samba-tool gpo not finding DC's
Alecsandru Chirosca
alecsandru.chirosca at gmail.com
Thu Jan 27 14:04:22 UTC 2022
I have a strange issue with samba 4.13.14 on Ubuntu 20.04 LTS where almost
all samba-tool functionalities are OK but the GPO options are not working
with the following exception:
# samba-tool gpo listall -U Administrator -d3
...
dns child failed to find name '_ldap._tcp.INOE.LAN' of type SRV
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.INOE.LAN<0x0>
finddcs: Failed to find SRV record for _ldap._tcp.INOE.LAN
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', NTSTATUSError(3221225524, 'The object name is not found.'))
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 464, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 127, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)
DNS is resolved against the integrated samba DNS server (127.0.0.1 and LAN
address).
Dig, on the other hand, works as expected:
# dig SRV _ldap._tcp.inoe.lan
; <<>> DiG 9.16.1-Ubuntu <<>> SRV _ldap._tcp.inoe.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22559
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.inoe.lan. IN SRV
;; ANSWER SECTION:
_ldap._tcp.inoe.lan. 900 IN SRV 0 100 389 adc.inoe.lan.
_ldap._tcp.inoe.lan. 900 IN SRV 0 100 389 adc1.inoe.lan.
;; AUTHORITY SECTION:
inoe.lan. 3600 IN SOA adc.inoe.lan. hostmaster.inoe.lan. 134 900 600 86400 3600
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 27 15:50:07 EET 2022
;; MSG SIZE rcvd: 133
Same for samba-tool dns:
# samba-tool dns query 127.0.0.1 inoe.lan adc.inoe.lan ALL -U Administrator
Password for [INOE\Administrator]:
Name=, Records=1, Children=0
A: xx.xxx.xx.xxx (flags=f0, serial=110, ttl=900)
I was pursuing an issue related to GPOs not being applied to domain
computers (regarding department shares) when I encountered this issue.
Can you please point me in the right direction regarding this issue?
smb.conf (relevant part):
[global]
dns forwarder = 8.8.8.8
netbios name = ADC
realm = INOE.LAN
server role = active directory domain controller
workgroup = INOE
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
full_audit: failure = none
full_audit: success = pwrite write
full_audit: prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
full_audit: facility = local7
full_audit: priority = NOTICE
interfaces = xx.xxx.xx.xxx/25 eno1 lo
ldap server require strong auth = no
log level = 1 auth_audit:3 dsdb_audit:3 dsdb_password_audit:3 dsdb_transaction_audit:3
min protocol = SMB2
name resolve order = host wins lmhosts bcast
samba-tool ntacl sysvolcheck and
samba-tool ntacl sysvolreset
work without any issues.
RSAT does not report any issues.
The main issue with GPOs is only related to new computers joining the
domain (Windows 10); old computers work as expected.
Best Regards,
Alecsandru Chirosca