[Samba] changing server role = standalone server to 'member server'

steve steve at steve-ss.com
Thu Apr 3 17:36:27 MDT 2014


On Thu, 2014-04-03 at 17:52 -0400, Carl Wilhelm Soderstrom wrote:
> Sorry about the length of this mail. I did try to test many iterations and
> variations, and this is what I think is the relevant data.
> 
> To summarize the end, am I having a problem registering
> samba-4.ad.example.com with the AD server's DNS instance?
> 
> On 04/03 10:31 , steve wrote:
> > The fqdn of the machine you are joining is not sent over the net
> > command. It's a good idea to get it registered in DNS as there are
> > untold errors awaiting you if you do not. . .
> 
> Hmm, not sure what you mean here. All the hosts have DNS entries and static
> IP addresses. Forward and reverse DNS match (I just double-checked). 
> 
> > -unjoin the domain:
> > net ads leave -UAdministrator
> > -remove the keytab:
> > rm /etc/krb5.keytab
> 
> Thanks for letting me know about that. I was not aware of that file.
> 
> > -add fqdn and hostname to /etc/hosts:
> > 127.0.0.1 hostname.domain.name hostname localhost
> 
> Before I had in /etc/hosts:
> 127.0.0.1   localhost
> 192.XXX.XXX.77   ad.example.com  ad
> 192.XXX.XXX.30   samba-4.example.com samba-4
> 
> 
> Are you sure you mean that I should have it like this?
> 127.0.0.1   samba-4.example.com samba-4 localhost
> 192.XXX.XXX.77   ad.example.com  ad
> 192.XXX.XXX.30   samba-4.example.com samba-4
> 
> since that doesn't square with DNS. (Also, if I do 'net ads join -U
> Administrator -S ad.example.com -d 10', I find that I get an LDAP connection
> error).
> 
> The AD server is my only DNS source apart from /etc/hosts. I've tested both
> with and without avahi running.
> 
> root at samba-4:~# cat /etc/resolv.conf 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> # resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.XXX.XXX.77
> search example.com
> root at samba-4:~# grep hosts /etc/nsswitch.conf 
> #hosts:          files mdns4_minimal [NOTFOUND=return] dns
> hosts:          files dns
> 
> Leaving the domain:
> 
> root at samba-4:~# net ads leave -UAdministrator
> Enter Administrator's password:
> Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
> root at samba-4:~# wbinfo -t
> checking the trust secret for domain EXAMPLEAD via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
> root at samba-4:~# rm /etc/krb5.keytab 
> rm: remove regular file ‘/etc/krb5.keytab’? y
> 
> 
> Now rejoining the domain, with debugging, it seems to all work except for
> the DNS business:
> 
> root at samba-4:~# net ads join -U Administrator -d 5
> <snip>
> rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain established.
> Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
> rpc_api_pipe: host AD.ad.example.com
> rpc_read_send: data_to_read: 72
> check_bind_response: accepted!
> 	seed        153e7d56:1ba8aab6
> 	seed+time   687c514c:1ba8aab6
> 	CLIENT      c4d2cfb4:7c9d763b
> 	seed+time+1 687c514d:1ba8aab6
> 	SERVER      903a2b01:26ceaf0f
> rpc_api_pipe: host AD.ad.example.com
> rpc_read_send: data_to_read: 104
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'EXAMPLEAD'
>             dns_domain_name          : 'ad.example.com'
>             forest_name              : 'ad.example.com'
>             dn                       : 'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-3579304287-3829738268-3886208222
>             modified_config          : 0x00 (0)
>             error_string             : NULL
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_OK
> Using short domain name -- EXAMPLEAD
> Joined 'SAMBA-4' to dns domain 'ad.example.com'
> added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255 netmask=255.255.255.0
> ads_dns_lookup_ns: 2 records returned in the answer section.
> retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
> retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> return code = 0
> root at samba-4:~# wbinfo -t
> checking the trust secret for domain EXAMPLEAD via RPC calls succeeded
> 
> 
> Am I having a problem registering the host's name with the AD server's DNS
> instance? 
> 
> root at samba-4:~# host samba-4.ad.example.com
> Host samba-4.ad.example.com not found: 3(NXDOMAIN)
> 
> Some workstations are registered with the AD server's DNS (but not all).
> root at samba-4:~# host workstation.ad.example.com
> workstation.ad.example.com has address 192.77.113.119
> 
> But I'm not a Windows guy, so I have little idea what correct behavior
> should be.

BIND or internal DNS? The join only works with BIND for Linux boxes.
Steve
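The two things worth checking after a join like the one above are the DNS update step (which failed here although `net ads join` still returned 0) and the /etc/hosts layout Carl questioned, where the FQDN would be mapped to loopback as well as to its real address. The script below is an added example, not code from this thread or from the Samba project: it greps a saved `net ads join -d 5` log for the failure, checks a hosts file for the loopback mapping, and prints the remediation (`net ads dns register -P`, a real net(8) subcommand) without running it unless `LIVE=1` is set. The join log, hosts files and the 192.0.2.x addresses are constructed sample data.

```shell
#!/bin/sh
# Post-join checks for a Samba AD member server (added example; sample data
# below is constructed, addresses are from the 192.0.2.0/24 documentation range).

# join_dns_update_failed LOGFILE
# True if the saved output of `net ads join -d 5` reports a DNS update failure.
# The join's own exit status does not tell you this: it was 0 in the thread.
join_dns_update_failed() {
    grep -q 'DNS update failed' "$1"
}

# hosts_line_ok HOSTSFILE FQDN IP
# True if HOSTSFILE maps FQDN to IP and to no 127.x address. Mapping the FQDN
# to loopback makes the box resolve its own name to 127.0.0.1 locally, which
# no longer matches what the AD DNS (or anyone else) sees.
hosts_line_ok() {
    hostsfile=$1; fqdn=$2; ip=$3
    sed 's/#.*//' "$hostsfile" | awk -v n="$fqdn" -v a="$ip" '
        { for (i = 2; i <= NF; i++) if ($i == n) {
              if ($1 ~ /^127\./) bad = 1
              if ($1 == a)       good = 1 } }
        END { exit (good && !bad) ? 0 : 1 }'
}

# register_if_needed LOGFILE FQDN IP
# Returns 1 and prints the fix when the join log shows the DNS update failed.
# `net ads dns register -P` re-sends the dynamic update with the machine
# account; it is only executed when LIVE=1 is set and net is installed.
register_if_needed() {
    if join_dns_update_failed "$1"; then
        echo "DNS update failed during join; run: net ads dns register -P $2 $3"
        if [ "${LIVE:-0}" = 1 ] && command -v net >/dev/null 2>&1; then
            net ads dns register -P "$2" "$3"
        fi
        return 1
    fi
    echo "join log shows no DNS update failure"
    return 0
}

# --- constructed sample data, mirroring the thread ---
tmp=$(mktemp -d)
cat > "$tmp/join.log" <<'EOF'
Joined 'SAMBA-4' to dns domain 'ad.example.com'
ads_dns_lookup_ns: 2 records returned in the answer section.
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
return code = 0
EOF
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1   samba-4.ad.example.com samba-4 localhost
192.0.2.30  samba-4.ad.example.com samba-4
EOF
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1   localhost
192.0.2.77  ad.ad.example.com ad
192.0.2.30  samba-4.ad.example.com samba-4
EOF

register_if_needed "$tmp/join.log" samba-4.ad.example.com 192.0.2.30 || true
if hosts_line_ok "$tmp/hosts.bad" samba-4.ad.example.com 192.0.2.30; then
    echo "hosts.bad: ok"
else
    echo "hosts.bad: FQDN is also mapped to a loopback address"
fi
if hosts_line_ok "$tmp/hosts.good" samba-4.ad.example.com 192.0.2.30; then
    echo "hosts.good: ok"
else
    echo "hosts.good: FQDN not mapped to its real address"
fi
```

On a real member server, run it against the saved join log and the live /etc/hosts; if it reports the DNS failure, confirm with `host <fqdn>` against the DC and then re-register with `net ads dns register -P`, checking the DC's DNS server log for rejected (insecure or unauthenticated) dynamic updates if that also fails.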
