samba-tool gpo not finding DC's

L.P.H. van Belle belle at bazuin.nl
Thu Jan 27 14:57:04 UTC 2022


 
If you have this in nsswitch.conf 

hosts:     files mdns4_minimal [NOTFOUND=return] dns

Change it to 

hosts:     files dns mdns4_minimal [NOTFOUND=return]

Since .lan is "also" a registered TLD for mDNS.

For these GPO problems, what is the Windows Event Viewer telling you?


Greetz, 

Louis


> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On behalf of Alecsandru Chirosca via samba-technical
> Sent: Thursday, 27 January 2022 15:04
> To: samba-technical at lists.samba.org
> Subject: samba-tool gpo not finding DC's
> 
> I have a strange issue with samba 4.13.14 on Ubuntu 20.04 LTS where almost
> all samba-tool functionalities are OK but the GPO options are not working
> with the following exception
> 
> # samba-tool gpo listall -U Administrator -d3
> ...
> dns child failed to find name '_ldap._tcp.INOE.LAN' of type SRV
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.INOE.LAN<0x0>
> finddcs: Failed to find SRV record for _ldap._tcp.INOE.LAN
> ERROR(runtime): uncaught exception - ('Could not find a DC for domain', NTSTATUSError(3221225524, 'The object name is not found.'))
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 464, in run
>     self.url = dc_url(self.lp, self.creds, H)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 127, in dc_url
>     raise RuntimeError("Could not find a DC for domain", e)
> 
> DNS is resolved against the integrated samba DNS server (127.0.0.1 and LAN
> address).
> 
> Dig, on the other hand, works as expected:
> 
> # dig SRV _ldap._tcp.inoe.lan
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> SRV _ldap._tcp.inoe.lan
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22559
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_ldap._tcp.inoe.lan.           IN      SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.inoe.lan.    900     IN      SRV     0 100 389 adc.inoe.lan.
> _ldap._tcp.inoe.lan.    900     IN      SRV     0 100 389 adc1.inoe.lan.
> 
> ;; AUTHORITY SECTION:
> inoe.lan.               3600    IN      SOA     adc.inoe.lan. hostmaster.inoe.lan. 134 900 600 86400 3600
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Thu Jan 27 15:50:07 EET 2022
> ;; MSG SIZE  rcvd: 133
> 
> same for samba-tool dns
> 
> # samba-tool dns query 127.0.0.1 inoe.lan adc.inoe.lan ALL -U Administrator
> Password for [INOE\Administrator]:
>   Name=, Records=1, Children=0
>     A: xx.xxx.xx.xxx (flags=f0, serial=110, ttl=900)
> 
> 
> I am pursuing an issue related to the GPO's not being applied to domain
> computers (regarding department shares) when I encountered this issue.
> Can you please point me in the right direction regarding this issue?
> 
> smb.conf (relevant part)
> 
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = ADC
>         realm = INOE.LAN
>         server role = active directory domain controller
>         workgroup = INOE
>         idmap_ldb:use rfc2307 = yes
>         allow dns updates = nonsecure
>         full_audit: failure = none
>         full_audit: success = pwrite write
>         full_audit: prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>         full_audit: facility = local7
>         full_audit: priority = NOTICE
>         interfaces = xx.xxx.xx.xxx/25 eno1 lo
>         ldap server require strong auth = no
>         log level = 1 auth_audit:3 dsdb_audit:3 dsdb_password_audit:3 dsdb_transaction_audit:3
>         min protocol = SMB2
>         name resolve order = host wins lmhosts bcast
> 
> samba-tool ntacl sysvolcheck and
> samba-tool ntacl sysvolreset
> work without any issues.
> 
> RSAT does not report any issues.
> The main issue with GPO's is only related to new computers joining the
> domain (Windows 10), old computers work as expected.
> 
> Best Regards,
> Alecsandru Chirosca
> 
> 
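The nsswitch.conf ordering discussed in the reply at the top of this message, as an added example that is not part of the original mail or of Samba: a small parser that reports whether an mdns service carrying `[NOTFOUND=return]` is consulted before `dns` on the `hosts:` line. The function names are hypothetical and the two sample lines are the ones quoted in the message; the script only reports the ordering and does not decide whether it causes the samba-tool failure.

```python
import re

# Constructed samples: the two hosts: lines quoted in the message above.
BEFORE = "hosts:     files mdns4_minimal [NOTFOUND=return] dns"
AFTER = "hosts:     files dns mdns4_minimal [NOTFOUND=return]"


def parse_hosts_line(text):
    """Return [(service, {STATUS: action})] for the first hosts: entry in text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.lower().startswith("hosts:"):
            continue
        entries = []
        # A token is either a service name or a bracketed [STATUS=action ...] list
        # that applies to the service just before it.
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if not tok.startswith("["):
                entries.append((tok, {}))
            elif entries:
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    # Negated forms such as !UNAVAIL are stored verbatim, not expanded.
                    entries[-1][1][status.upper()] = action.lower()
        return entries
    return []


def mdns_blockers_before_dns(text):
    """List mdns* services with NOTFOUND=return that are consulted before dns."""
    entries = parse_hosts_line(text)
    names = [service for service, _ in entries]
    if "dns" not in names:
        return []
    return [service for service, actions in entries[:names.index("dns")]
            if service.startswith("mdns") and actions.get("NOTFOUND") == "return"]


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        found = mdns_blockers_before_dns(fh.read())
    print("consulted before dns with NOTFOUND=return:", found or "none")
```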



