[Samba] changing server role = standalone server to 'member server'
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 4 00:41:29 MDT 2014
Well,
I've seen this behavior multiple times the last few days.
This is how I got to fix this.
Stop the smbd, nmbd and winbind processes.
Remove the "old" DNS record from your DNS; use samba-tool.
Make sure you restore this; this is correct:
>Before I had in /etc/hosts:
>127.0.0.1 localhost
>192.XXX.XXX.77 ad.example.com ad
>192.XXX.XXX.30 samba-4.example.com samba-4
Remove the files (I'm thinking you're a Debian/Ubuntu user)
(and if unsure, back this up):
/var/lib/samba/*.tdb and /var/lib/samba/private/*.tdb
/var/cache/samba/* ( incl dirs )
This is your error causing this:
>ads_dns_lookup_ns: 2 records returned in the answer section.
2 records returned; now Samba can't fix it, it doesn't know which one to fix.
That's why you need to remove manually, and maybe multiple times.
Greetz,
Louis
>-----Original message-----
>From: chrome at real-time.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Carl Wilhelm Soderstrom
>Sent: Thursday, 3 April 2014 23:52
>To: samba at lists.samba.org
>Subject: Re: [Samba] changing server role = standalone server to 'member server'
>
>Sorry about the length of this mail. I did try to test many iterations and
>variations, and this is what I think is the relevant data.
>
>To summarize the end, am I having a problem registering
>samba-4.ad.example.com with the AD server's DNS instance?
>
>On 04/03 10:31 , steve wrote:
>> The fqdn of the machine you are joining is not sent over the net
>> command. It's a good idea to get it registered in DNS as there are
>> untold errors awaiting you if you do not. . .
>
>Hmm, not sure what you mean here. All the hosts have DNS entries and static
>IP addresses. Forward and reverse DNS match (I just double-checked).
>
>> -unjoin the domain:
>> net ads leave -UAdministrator
>> -remove the keytab:
>> rm /etc/krb5.keytab
>
>Thanks for letting me know about that. I was not aware of that file.
>
>> -add fqdn and hostname to /etc/hosts:
>> 127.0.0.1 hostname.domain.name hostname localhost
>
>Before I had in /etc/hosts:
>127.0.0.1 localhost
>192.XXX.XXX.77 ad.example.com ad
>192.XXX.XXX.30 samba-4.example.com samba-4
>
>
>Are you sure you mean that I should have it like this?
>127.0.0.1 samba-4.example.com samba-4 localhost
>192.XXX.XXX.77 ad.example.com ad
>192.XXX.XXX.30 samba-4.example.com samba-4
>
>since that doesn't square with DNS. (Also, if I do 'net ads join -U
>Administrator -S ad.example.com -d 10', I find that I get an LDAP connection
>error).
>
>The AD server is my only DNS source apart from /etc/hosts. I've tested both
>with and without avahi running.
>
>root@samba-4:~# cat /etc/resolv.conf
># Dynamic resolv.conf(5) file for glibc resolver(3) generated by
># resolvconf(8)
># DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>nameserver 192.XXX.XXX.77
>search example.com
>root@samba-4:~# grep hosts /etc/nsswitch.conf
>#hosts: files mdns4_minimal [NOTFOUND=return] dns
>hosts: files dns
>
>Leaving the domain:
>
>root@samba-4:~# net ads leave -UAdministrator
>Enter Administrator's password:
>Deleted account for 'SAMBA-4' in realm 'AD.EXAMPLE.COM'
>root@samba-4:~# wbinfo -t
>checking the trust secret for domain EXAMPLEAD via RPC calls failed
>error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>Could not check secret
>root@samba-4:~# rm /etc/krb5.keytab
>rm: remove regular file ‘/etc/krb5.keytab’? y
>
>
>Now rejoining the domain, with debugging, it seems to all work except for
>the DNS business:
>
>root@samba-4:~# net ads join -U Administrator -d 5
><snip>
>rpccli_netlogon_setup_creds: server AD.ad.example.com credential chain
>established.
>Bind RPC Pipe: host AD.ad.example.com auth_type 68, auth_level 6
>rpc_api_pipe: host AD.ad.example.com
>rpc_read_send: data_to_read: 72
>check_bind_response: accepted!
> seed 153e7d56:1ba8aab6
> seed+time 687c514c:1ba8aab6
> CLIENT c4d2cfb4:7c9d763b
> seed+time+1 687c514d:1ba8aab6
> SERVER 903a2b01:26ceaf0f
>rpc_api_pipe: host AD.ad.example.com
>rpc_read_send: data_to_read: 104
>libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'EXAMPLEAD'
> dns_domain_name : 'ad.example.com'
> forest_name : 'ad.example.com'
> dn :
>'CN=samba-4,CN=Computers,DC=ad,DC=example,DC=com'
> domain_sid : *
> domain_sid :
>S-1-5-21-3579304287-3829738268-3886208222
> modified_config : 0x00 (0)
> error_string : NULL
> domain_is_ad : 0x01 (1)
> result : WERR_OK
>Using short domain name -- EXAMPLEAD
>Joined 'SAMBA-4' to dns domain 'ad.example.com'
>added interface eth0 ip=192.XXX.XXX.30 bcast=192.XXX.XXX.255
>netmask=255.255.255.0
>ads_dns_lookup_ns: 2 records returned in the answer section.
>retrying DNS update with next nameserver after receiving
>ERROR_DNS_CONNECTION_FAILED
>retrying DNS update with next nameserver after receiving
>ERROR_DNS_CONNECTION_FAILED
>DNS update failed: NT_STATUS_UNSUCCESSFUL
>return code = 0
>root@samba-4:~# wbinfo -t
>checking the trust secret for domain EXAMPLEAD via RPC calls succeeded
>
>
>Am I having a problem registering the host's name with the AD server's DNS
>instance?
>
>root@samba-4:~# host samba-4.ad.example.com
>Host samba-4.ad.example.com not found: 3(NXDOMAIN)
>
>Some workstations are registered with the AD server's DNS (but not all).
>root@samba-4:~# host workstation.ad.example.com
>workstation.ad.example.com has address 192.77.113.119
>
>But I'm not a Windows guy, so I have little idea what correct behavior
>should be.
>
>--
>Carl Soderstrom
>Systems Administrator
>Real-Time Enterprises
>www.real-time.com
>
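The names quoted in this thread can be compared mechanically. The following is an added example, not code from either poster or from Samba: it checks whether the machine's /etc/hosts entry falls inside the DNS domain that `net ads join` reported, and condenses the DNS-update lines of the join output into one status line. The function names are hypothetical and the sample data is constructed from the values posted above; the thread itself does not say the mismatch is the cause of the failure.

```shell
# Added example, not from the thread. Function names are hypothetical;
# sample data is constructed from values quoted in the mail (IPs stay masked).
sample_hosts() { cat <<'EOF'
127.0.0.1 localhost
192.XXX.XXX.77 ad.example.com ad
192.XXX.XXX.30 samba-4.example.com samba-4
EOF
}

sample_join_log() { cat <<'EOF'
Joined 'SAMBA-4' to dns domain 'ad.example.com'
ads_dns_lookup_ns: 2 records returned in the answer section.
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
EOF
}

# check_hosts SHORTNAME DNSDOMAIN < hosts-file
# One verdict per hosts entry that carries SHORTNAME; exit status 1 on any problem.
check_hosts() {
    awk -v h="$1" -v d="$2" '
        BEGIN { h = tolower(h); want = h "." tolower(d); seen = 0; bad = 0 }
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }
        {
            hit = 0
            for (i = 2; i <= NF; i++) if (tolower($i) == h) hit = 1
            if (!hit) next
            seen = 1
            if (tolower($2) == want) print "OK " $1 " " $2
            else { print "MISMATCH " $1 " " $2 " expected " want; bad = 1 }
        }
        END { if (!seen) { print "MISSING " want; bad = 1 }; exit bad }'
}

# join_dns_summary < output of "net ads join -d 5"
# Prints: domain=<joined domain> ns=<NS records> retries=<n> result=<status|ok>
join_dns_summary() {
    awk '
        /^Joined .* to dns domain/    { split($0, q, "\047"); dom = q[4] }
        /^ads_dns_lookup_ns:/         { ns = $2 }
        /ERROR_DNS_CONNECTION_FAILED/ { retries++ }
        /^DNS update failed:/         { res = $NF }
        END { printf "domain=%s ns=%d retries=%d result=%s\n", dom, ns, retries, (res ? res : "ok") }'
}

sample_hosts | check_hosts samba-4 ad.example.com || true
sample_join_log | join_dns_summary
```

On a live member server, feed the functions `/etc/hosts` and the saved join output instead of the sample data.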