[Samba] changing server role = standalone server to 'member server'
Carl Wilhelm Soderstrom
chrome at real-time.com
Thu Apr 3 15:52:16 MDT 2014
Sorry about the length of this mail. I did try to test many iterations and
variations, and this is what I think is the relevant data.
To summarize the end, am I having a problem registering
samba-4.ad.example.com with the AD server's DNS instance?
On 04/03 10:31 , steve wrote:
> The fqdn of the machine you are joining is not sent over the net
> command. It's a good idea to get it registered in DNS as there are
> untold errors awaiting you if you do not. . .
Hmm, not sure what you mean here. All the hosts have DNS entries and static
IP addresses. Forward and reverse DNS match (I just double-checked).
> -unjoin the domain:
> net ads leave -UAdministrator
> -remove the keytab:
> rm /etc/krb5.keytab
Thanks for letting me know about that. I was not aware of that file.
> -add fqdn and hostname to /etc/hosts:
> 127.0.0.1 hostname.domain.name hostname localhost
Before I had in /etc/hosts:
127.0.0.1 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4
Are you sure you mean that I should have it like this?
127.0.0.1 samba-4.example.com samba-4 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4
since that doesn't square with DNS. (Also, if I do 'net ads join -U
Administrator -S ad.example.com -d 10', I find that I get an LDAP connection
error).
The AD server is my only DNS source apart from /etc/hosts. I've tested both
with and without avahi running.
root@samba-4:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
# resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.XXX.XXX.77
search example.com
root@samba-4:~# grep hosts /etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns
hosts: files dns
Leaving the domain:
root@samba-4:~# net ads leave -UAdministrator
Enter Administrator's password:
Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
root@samba-4:~# rm /etc/krb5.keytab
rm: remove regular file ‘/etc/krb5.keytab’? y
Now rejoining the domain, with debugging, it seems to all work except for
the DNS business:
root@samba-4:~# net ads join -U Administrator -d 5
<snip>
rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain
established.
Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
seed 153e7d56:1ba8aab6
seed+time 687c514c:1ba8aab6
CLIENT c4d2cfb4:7c9d763b
seed+time+1 687c514d:1ba8aab6
SERVER 903a2b01:26ceaf0f
rpc_api_pipe: host AD.ad.example.com
rpc_read_send: data_to_read: 104
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'EXAMPLEAD'
dns_domain_name : 'ad.example.com'
forest_name : 'ad.example.com'
dn :
'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-3579304287-3829738268-3886208222
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- EXAMPLEAD
Joined 'SAMBA-4' to dns domain 'ad.example.com'
added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255
netmask=255.255.255.0
ads_dns_lookup_ns: 2 records returned in the answer section.
retrying DNS update with next nameserver after receiving
ERROR_DNS_CONNECTION_FAILED
retrying DNS update with next nameserver after receiving
ERROR_DNS_CONNECTION_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
return code = 0
root@samba-4:~# wbinfo -t
checking the trust secret for domain EXAMPLEAD via RPC calls succeeded
Am I having a problem registering the host's name with the AD server's DNS
instance?
root@samba-4:~# host samba-4.ad.example.com
Host samba-4.ad.example.com not found: 3(NXDOMAIN)
Some workstations are registered with the AD server's DNS (but not all).
root@samba-4:~# host workstation.ad.example.com
workstation.ad.example.com has address 192.77.113.119
But I'm not a Windows guy, so I have little idea what correct behavior
should be.
--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
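
A check that can be run over the data shown in this message, as an added example that is not part of the original post: it compares the name /etc/hosts gives the machine with the DNS domain printed by `net ads join`. The function names are hypothetical, and the sample input is constructed from the redacted values quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed from the
# redacted values quoted in the message; function names are hypothetical.
SAMPLE_HOSTS='127.0.0.1 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4'
SAMPLE_JOIN_LOG="Using short domain name -- EXAMPLEAD
Joined 'SAMBA-4' to dns domain 'ad.example.com'
DNS update failed: NT_STATUS_UNSUCCESSFUL"

# First dotted name that a non-loopback hosts line gives to short name $2.
hosts_fqdn() {  # $1 = hosts file text, $2 = short hostname
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[ \t]*#/ || $1 ~ /^127\./ || $1 == "::1" { next }
        { for (i = 2; i <= NF; i++) if ($i == h)
              for (j = 2; j <= NF; j++) if (index($j, ".")) { print $j; exit } }'
}

# DNS domain from the "Joined '<host>' to dns domain '<domain>'" line.
joined_domain() {  # $1 = net ads join output
    printf '%s\n' "$1" |
        sed -n "s/^Joined '[^']*' to dns domain '\([^']*\)'.*/\1/p" | head -n 1
}

# Succeeds only if name $1 lies under DNS domain $2 (case-insensitive).
fqdn_in_domain() {
    f=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$f" in *".$d") return 0 ;; esac
    return 1
}

# Prints OK, MISMATCH (with the name expected in the joined domain) or UNKNOWN.
check_join_name() {  # $1 = hosts text, $2 = short hostname, $3 = join output
    fqdn=$(hosts_fqdn "$1" "$2")
    domain=$(joined_domain "$3")
    if [ -z "$fqdn" ] || [ -z "$domain" ]; then
        echo "UNKNOWN"; return 2
    fi
    if fqdn_in_domain "$fqdn" "$domain"; then
        echo "OK $fqdn"
    else
        echo "MISMATCH hosts=$fqdn expected=$2.$domain"; return 1
    fi
}

check_join_name "$SAMPLE_HOSTS" samba-4 "$SAMPLE_JOIN_LOG" || true
```

On a live system the first argument would be the contents of /etc/hosts and the third the saved output of the join command.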