[Samba] changing server role = standalone server to 'member server'
steve
steve at steve-ss.com
Thu Apr 3 17:36:27 MDT 2014
On Thu, 2014-04-03 at 17:52 -0400, Carl Wilhelm Soderstrom wrote:
> Sorry about the length of this mail. I did try to test many iterations and
> variations, and this is what I think is the relevant data.
>
> To summarize the end, am I having a problem registering
> samba-4.ad.example.com with the AD server's DNS instance?
>
> On 04/03 10:31 , steve wrote:
> > The fqdn of the machine you are joining is not sent over the net
> > command. It's a good idea to get it registered in DNS as there are
> > untold errors awaiting you if you do not. . .
>
> Hmm, not sure what you mean here. All the hosts have DNS entries and static
> IP addresses. Forward and reverse DNS match (I just double-checked).
>
> > -unjoin the domain:
> > net ads leave -UAdministrator
> > -remove the keytab:
> > rm /etc/krb5.keytab
>
> Thanks for letting me know about that. I was not aware of that file.
>
> > -add fqdn and hostname to /etc/hosts:
> > 127.0.0.1 hostname.domain.name hostname localhost
>
> Before I had in /etc/hosts:
> 127.0.0.1 localhost
> 192.XXX.XXX.77 ad.example.com ad
> 192.XXX.XXX.30 samba-4.example.com samba-4
>
>
> Are you sure you mean that I should have it like this?
> 127.0.0.1 samba-4.example.com samba-4 localhost
> 192.XXX.XXX.77 ad.example.com ad
> 192.XXX.XXX.30 samba-4.example.com samba-4
>
> since that doesn't square with DNS. (Also, if I do 'net ads join -U
> Administrator -S ad.example.com -d 10, I find that I get an LDAP connection
> error).
>
> The AD server is my only DNS source apart from /etc/hosts. I've tested both
> with and without avahi running.
>
> root at samba-4:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> # resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.XXX.XXX.77
> search example.com
> root at samba-4:~# grep hosts /etc/nsswitch.conf
> #hosts: files mdns4_minimal [NOTFOUND=return] dns
> hosts: files dns
>
> Leaving the domain:
>
> root at samba-4:~# net ads leave -UAdministrator
> Enter Administrator's password:
> Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
> root at samba-4:~# wbinfo -t
> checking the trust secret for domain EXAMPLEAD via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
> root at samba-4:~# rm /etc/krb5.keytab
> rm: remove regular file ‘/etc/krb5.keytab’? y
>
>
> Now rejoining the domain, with debugging, it seems to all work except for
> the DNS business:
>
> root at samba-4:~# net ads join -U Administrator -d 5
> <snip>
> rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain
> established.
> Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
> rpc_api_pipe: host AD.ad.example.com
> rpc_read_send: data_to_read: 72
> check_bind_response: accepted!
> seed 153e7d56:1ba8aab6
> seed+time 687c514c:1ba8aab6
> CLIENT c4d2cfb4:7c9d763b
> seed+time+1 687c514d:1ba8aab6
> SERVER 903a2b01:26ceaf0f
> rpc_api_pipe: host AD.ad.example.com
> rpc_read_send: data_to_read: 104
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'EXAMPLEAD'
> dns_domain_name : 'ad.example.com'
> forest_name : 'ad.example.com'
> dn :
> 'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
> domain_sid : *
> domain_sid :
> S-1-5-21-3579304287-3829738268-3886208222
> modified_config : 0x00 (0)
> error_string : NULL
> domain_is_ad : 0x01 (1)
> result : WERR_OK
> Using short domain name -- EXAMPLEAD
> Joined 'SAMBA-4' to dns domain 'ad.example.com'
> added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255
> netmask=255.255.255.0
> ads_dns_lookup_ns: 2 records returned in the answer section.
> retrying DNS update with next nameserver after receiving
> ERROR_DNS_CONNECTION_FAILED
> retrying DNS update with next nameserver after receiving
> ERROR_DNS_CONNECTION_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> return code = 0
> root at samba-4:~# wbinfo -t
> checking the trust secret for domain EXAMPLEAD via RPC calls succeeded
>
>
> Am I having a problem registering the host's name with the AD server's DNS
> instance?
>
> root at samba-4:~# host samba-4.ad.example.com
> Host samba-4.ad.example.com not found: 3(NXDOMAIN)
>
> Some workstations are registered with the AD server's DNS (but not all).
> root at samba-4:~# host workstation.ad.example.com
> workstation.ad.example.com has address 192.77.113.119
>
> But I'm not a Windows guy, so I have little idea what correct behavior
> should be.
BIND or internal DNS? The join only works with BIND for Linux boxes.
Steve
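The step that fails in Carl's log is the dynamic DNS update that `net ads join` sends to the nameservers it found for the zone (two `ads_dns_lookup_ns` records, each answered with ERROR_DNS_CONNECTION_FAILED), and the join still ends with `return code = 0`. The shell script below is an added example, not code posted by either participant and not part of Samba: it repeats that update by hand with a Kerberos-signed `nsupdate -g`, flags the failure in the join output, and checks the records by querying the DC directly instead of the local resolver, which is what Carl's `host samba-4.ad.example.com` check approximates. The hostnames, realm and the 192.0.2.30 address are placeholders, and which DNS backend the DC runs (internal or BIND9 DLZ) is not visible in the thread, so it has to be checked on the DC itself.

```shell
#!/bin/sh
# Added example for this thread, not code posted by Carl or Steve and not part
# of Samba. It does by hand what "net ads join" tries to do at the end of the
# join: a Kerberos-signed (GSS-TSIG) dynamic update of the member server's A
# and PTR records in the AD DNS zone, followed by a check against the DC.
# Placeholders (assumptions, not values from the thread): DC ad.example.com,
# zone ad.example.com, host samba-4 with address 192.0.2.30.
set -u

DC="${DC:-ad.example.com}"
ZONE="${ZONE:-ad.example.com}"
HOST_SHORT="${HOST_SHORT:-samba-4}"
IP="${IP:-192.0.2.30}"
TTL="${TTL:-3600}"

# Reverse-zone owner name for an IPv4 address: 192.0.2.30 -> 30.2.0.192.in-addr.arpa
reverse_name() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa", $4, $3, $2, $1 }'
}

# Emit an nsupdate script for the forward and reverse records. Each record is
# deleted before it is added so a stale address from an earlier join does not
# linger. No "zone" line: nsupdate locates the zone from the SOA, which matters
# because the PTR lives in a different zone than the A record.
# Arguments: short hostname, zone, IPv4 address, TTL.
make_nsupdate_script() {
    fqdn="$1.$2"
    rev=$(reverse_name "$3")
    printf 'server %s\n' "$DC"
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$4" "$3"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$rev"
    printf 'update add %s %s PTR %s.\n' "$rev" "$4" "$fqdn"
    printf 'send\n'
}

# "net ads join" exits 0 even when its DNS update failed (the log in the thread
# ends with "DNS update failed: NT_STATUS_UNSUCCESSFUL" and "return code = 0"),
# so the exit status is not a usable signal. Scan the join output on stdin
# instead; returns 0 when a failure line is present.
join_dns_update_failed() {
    grep -q 'DNS update failed'
}

# Ask the DC directly (@"$DC") so /etc/hosts, nsswitch and any local cache are
# bypassed: the question is what the AD zone holds, not what this box resolves.
# Needs dig and network access; not exercised offline.
verify_registration() {
    fwd=$(dig +short @"$DC" "$1.$2" A)
    rev=$(dig +short @"$DC" -x "$3" PTR)
    [ "$fwd" = "$3" ] && [ "$rev" = "$1.$2." ]
}

# Run as "sh register-dns.sh register" on the member server after the join.
# Updates must be signed: "nsupdate -g" uses the current Kerberos ticket, here
# obtained for Administrator as in the thread (a machine-account keytab works
# too when smb.conf writes one). The equivalent static entry, run on the DC,
# would be:  samba-tool dns add "$DC" "$ZONE" "$HOST_SHORT" A "$IP" -U Administrator
if [ "${1:-}" = "register" ]; then
    REALM=$(printf '%s' "$ZONE" | tr '[:lower:]' '[:upper:]')
    kinit "Administrator@$REALM" || exit 1
    make_nsupdate_script "$HOST_SHORT" "$ZONE" "$IP" "$TTL" | nsupdate -g || exit 1
    if verify_registration "$HOST_SHORT" "$ZONE" "$IP"; then
        echo "$HOST_SHORT.$ZONE registered as $IP (A and PTR agree)"
    else
        echo "DNS records for $HOST_SHORT.$ZONE still wrong on $DC" >&2
        exit 1
    fi
fi
```

Invoked without the `register` argument the script only defines the functions, so `net ads join -d 5 2>&1 | tee join.log` followed by `join_dns_update_failed < join.log` can be used to decide whether the manual update is needed at all. If `nsupdate -g` is refused with a REFUSED or NOTAUTH answer, the update reached the DC and the zone's update policy or the DNS backend is the thing to look at, which is the distinction Steve's question about BIND versus the internal DNS is about.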