samba-tool gpo not finding DC's

Alecsandru Chirosca alecsandru.chirosca at gmail.com
Thu Jan 27 14:04:22 UTC 2022


I have a strange issue with samba 4.13.14 on Ubuntu 20.04 LTS where almost
all samba-tool functionalities are OK but the GPO options are not working,
with the following exception:

# samba-tool gpo listall -U Administrator -d3
...
dns child failed to find name '_ldap._tcp.INOE.LAN' of type SRV
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.INOE.LAN<0x0>
finddcs: Failed to find SRV record for _ldap._tcp.INOE.LAN
ERROR(runtime): uncaught exception - ('Could not find a DC for domain', NTSTATUSError(3221225524, 'The object name is not found.'))
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 464, in run
    self.url = dc_url(self.lp, self.creds, H)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 127, in dc_url
    raise RuntimeError("Could not find a DC for domain", e)

DNS is resolved against the integrated samba DNS server (127.0.0.1 and LAN
address).

Dig, on the other hand, works as expected:

# dig SRV _ldap._tcp.inoe.lan

; <<>> DiG 9.16.1-Ubuntu <<>> SRV _ldap._tcp.inoe.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22559
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.inoe.lan.           IN      SRV

;; ANSWER SECTION:
_ldap._tcp.inoe.lan.    900     IN      SRV     0 100 389 adc.inoe.lan.
_ldap._tcp.inoe.lan.    900     IN      SRV     0 100 389 adc1.inoe.lan.

;; AUTHORITY SECTION:
inoe.lan.               3600    IN      SOA     adc.inoe.lan. hostmaster.inoe.lan. 134 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jan 27 15:50:07 EET 2022
;; MSG SIZE  rcvd: 133

Same for samba-tool dns:

# samba-tool dns query 127.0.0.1 inoe.lan adc.inoe.lan ALL -U Administrator
Password for [INOE\Administrator]:
  Name=, Records=1, Children=0
    A: xx.xxx.xx.xxx (flags=f0, serial=110, ttl=900)


I was pursuing an issue related to GPOs not being applied to domain
computers (regarding department shares) when I encountered this issue.
Can you please point me in the right direction regarding this issue?

smb.conf (relevant part)

[global]
        dns forwarder = 8.8.8.8
        netbios name = ADC
        realm = INOE.LAN
        server role = active directory domain controller
        workgroup = INOE
        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        full_audit: failure = none
        full_audit: success = pwrite write
        full_audit: prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
        full_audit: facility = local7
        full_audit: priority = NOTICE
        interfaces = xx.xxx.xx.xxx/25 eno1 lo
        ldap server require strong auth = no
        log level = 1 auth_audit:3 dsdb_audit:3 dsdb_password_audit:3 dsdb_transaction_audit:3
        min protocol = SMB2
        name resolve order = host wins lmhosts bcast

samba-tool ntacl sysvolcheck and
samba-tool ntacl sysvolreset
work without any issues.

RSAT does not report any issues.
The main issue with GPOs is only related to new computers joining the
domain (Windows 10); old computers work as expected.

Best Regards,
Alecsandru Chirosca

