[Samba] changing server role = standalone server to 'member server'

Carl Wilhelm Soderstrom chrome at real-time.com
Thu Apr 3 15:52:16 MDT 2014


Sorry about the length of this mail. I did try to test many iterations and
variations, and this is what I think is the relevant data.

To summarize the end, am I having a problem registering
samba-4.ad.example.com with the AD server's DNS instance?

On 04/03 10:31 , steve wrote:
> The fqdn of the machine you are joining is not sent over the net
> command. It's a good idea to get it registered in DNS as there are
> untold errors awaiting you if you do not. . .

Hmm, not sure what you mean here. All the hosts have DNS entries and static
IP addresses. Forward and reverse DNS match (I just double-checked). 

> -unjoin the domain:
> net ads leave -UAdministrator
> -remove the keytab:
> rm /etc/krb5.keytab

Thanks for letting me know about that. I was not aware of that file.

> -add fqdn and hostname to /etc/hosts:
> 127.0.0.1 hostname.domain.name hostname localhost

Before I had in /etc/hosts:
127.0.0.1   localhost
192.XXX.XXX.77   ad.example.com  ad
192.XXX.XXX.30   samba-4.example.com samba-4


Are you sure you mean that I should have it like this?
127.0.0.1   samba-4.example.com samba-4 localhost
192.XXX.XXX.77   ad.example.com  ad
192.XXX.XXX.30   samba-4.example.com samba-4

since that doesn't square with DNS. (Also, if I do 'net ads join -U
Administrator -S ad.example.com -d 10', I find that I get an LDAP connection
error.)

The AD server is my only DNS source apart from /etc/hosts. I've tested both
with and without avahi running.

root@samba-4:~# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
# resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.XXX.XXX.77
search example.com
root@samba-4:~# grep hosts /etc/nsswitch.conf 
#hosts:          files mdns4_minimal [NOTFOUND=return] dns
hosts:          files dns

Leaving the domain:

root@samba-4:~# net ads leave -UAdministrator
Enter Administrator's password:
Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
root@samba-4:~# rm /etc/krb5.keytab 
rm: remove regular file ‘/etc/krb5.keytab’? y


Now rejoining the domain, with debugging, it seems to all work except for
the DNS business:

root@samba-4:~# net ads join -U Administrator -d 5
<snip>
rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain established.
Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
	seed        153e7d56:1ba8aab6
	seed+time   687c514c:1ba8aab6
	CLIENT      c4d2cfb4:7c9d763b
	seed+time+1 687c514d:1ba8aab6
	SERVER      903a2b01:26ceaf0f
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 104
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'EXAMPLEAD'
            dns_domain_name          : 'ad.example.com'
            forest_name              : 'ad.example.com'
            dn                       : 'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
            domain_sid               : *
                domain_sid               : S-1-5-21-3579304287-3829738268-3886208222
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
Using short domain name -- EXAMPLEAD
Joined 'SAMBA-4' to dns domain 'ad.example.com'
added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255 netmask=255.255.255.0
ads_dns_lookup_ns: 2 records returned in the answer section.
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
return code = 0
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls succeeded


Am I having a problem registering the host's name with the AD server's DNS
instance? 

root@samba-4:~# host samba-4.ad.example.com
Host samba-4.ad.example.com not found: 3(NXDOMAIN)

Some workstations are registered with the AD server's DNS (but not all).
root@samba-4:~# host workstation.ad.example.com
workstation.ad.example.com has address 192.77.113.119

But I'm not a Windows guy, so I have little idea what correct behavior
should be.

-- 
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
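Added example (not part of Carl's mail and not Samba's own tooling): a small POSIX shell helper for the two things the transcript above turns on. First, 'net ads join' registers <short hostname>.<realm, lower-cased>, i.e. samba-4.ad.example.com, while the host's own name in /etc/hosts and in example.com DNS is samba-4.example.com, so the name the join tries to create is not the name the host already resolves under; the helper derives the expected AD name and warns when the host's FQDN lies outside the AD DNS domain. Second, the join printed 'DNS update failed: NT_STATUS_UNSUCCESSFUL' and still reported 'return code = 0', so a script cannot use the exit status to detect the failure and has to scan the log. The --live mode, the REALM variable, and the use of Linux 'hostname -I' are my assumptions; the offline functions take their inputs as arguments.

```shell
#!/bin/sh
# Added example, not from the original mail or from Samba: DNS sanity
# checks around 'net ads join' for a member server. Hostnames, realm and
# the --live / REALM conventions are assumptions for illustration.

# Lower-case a string portably (POSIX sh has no ${var,,}).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# The A record 'net ads join' tries to create: <short host>.<realm>, lower-cased.
# expected_ad_fqdn samba-4 AD.EXAMPLE.COM -> samba-4.ad.example.com
expected_ad_fqdn() {
    printf '%s.%s\n' "$(lc "$1")" "$(lc "$2")"
}

# 0 if the host's configured FQDN lies inside the AD DNS domain, 1 otherwise.
# In the transcript the host is samba-4.example.com but the AD domain is
# ad.example.com, so the name the join registers is not the host's own name.
fqdn_in_ad_domain() {
    fqdn=$(lc "$1"); dom=$(lc "$2")
    case "$fqdn" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify 'net ads join -d N' output read from stdin. The join exits 0 even
# when the dynamic DNS update fails, so the log text is the only signal.
# Prints: join-failed | dns-update-failed | ok
classify_join_log() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q "^Joined '"; then
        echo join-failed
    elif printf '%s\n' "$log" | grep -q '^DNS update failed'; then
        echo dns-update-failed
    else
        echo ok
    fi
}

# Live checks against the real resolver and DC; only run with --live.
# Assumes Linux 'hostname -I' and a REALM variable such as AD.EXAMPLE.COM.
live_checks() {
    realm=${REALM:?set REALM, e.g. REALM=AD.EXAMPLE.COM}
    short=$(hostname -s)
    ip=$(hostname -I | awk '{print $1}')
    want=$(expected_ad_fqdn "$short" "$realm")
    have=$(hostname -f)

    echo "join will register: $want -> $ip (host calls itself $have)"
    fqdn_in_ad_domain "$have" "$realm" ||
        echo "WARNING: $have is outside $(lc "$realm"); DNS and Kerberos names will differ"

    # Forward and reverse lookups for the name AD is expected to hold.
    host "$want" || echo "no A record for $want (NXDOMAIN, as in the transcript)"
    host "$ip"   || echo "no PTR record for $ip"

    # The name servers the join walks (ads_dns_lookup_ns) and the DC locator SRV record.
    host -t NS  "$(lc "$realm")"
    host -t SRV "_ldap._tcp.dc._msdcs.$(lc "$realm")"

    # Retry only the DNS step, authenticating with the machine account.
    net ads dns register -P ||
        echo "dynamic update still failing: check TCP/UDP 53 to every NS listed above"
}

case "${1:-}" in
    --live) live_checks ;;
esac
```

On the member, after a join, run it as REALM=AD.EXAMPLE.COM sh check-ad-dns.sh --live; 'net ads dns register -P' repeats only the registration step with the machine account, so it can be retried without another leave/join cycle.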