[Samba] wbinfo -u/-g does not query AD DC [SOLVED]

steve steve at steve-ss.com
Wed Aug 6 09:00:36 MDT 2014


On Wed, 2014-08-06 at 16:44 +0200, Lars Hanke wrote:
> On 06.08.2014 14:09, steve wrote:
> 
> It seems I just did not restart the winbindd after some crucial change. 
> After restarting the service, wbinfo runs as expected.
> 
> The rest is supplied as an information for others troubleshooting 
> similar issues.
> 
>  >> I can do "kinit user" and I can query the samba LDAP to see domain
>  >> users. I did a "net ads join" and added the DNS for the machine
>  >> manually, since this fails with the 3.6.6 join script.
>  > It fails because you do not have DNS set correctly. The machine you are
>  > joining is not sending its correct hostname.
> 
> The join failed with the same error on the other system, which is 
> running correctly. I investigated that situation and found that the 
> error is probably unrelated to the AD DC. I dropped that matter since 
> 3.6.6 phases out and everything else was running nicely.
> 
> It queries the correct DNS and another machine works nicely with this 
> DNS. Any other DNS would not resolve the AD DC FQDN in the first place.
> 
>  > Try the dns checklist:
>  > 
> http://linuxcostablanca.blogspot.com.es/2014/05/dns-good-enough-for-kerberos.html
>  > That's on Debian. When that doesn't work, try putting only the hostname
>  > in /etc/hostname.
> 
> As said, Kerberos runs fine. The DNS items of the winbind checklist have 
> been verified. BTW: Using the FQDN for 127.0.0.1 didn't work for the 
> other system.
> 
>  > Go no further if the join throws errors.
> 
> root at nfs4:~# net ads join -UAdministrator
> Enter Administrator's password:
> Using short domain name -- AD
> Joined 'NFS4' to realm 'ad.microsult.de'
> DNS Update for nfs4.ad.microsult.de failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed!
> root at nfs4:~#
> 
> So the join is reported as successful, the DNS update failed. But I 
> added the machine record manually on the DC. And during the last 
> discussion it was claimed that this wasn't even necessary for a client 
> machine.
Hi
If it's OK with you then fine. We're not allowed to go to production
with that error. You may get away with it on a client but I wouldn't
risk it with a file server. Also, once you've added the A record by
hand, you're stuck with it since if the join errors out in DNS it means
that nsupdate won't work from that client either. If you're on DHCP that
can be (would be for us) disastrous. As an admin, sitting at a DC and
not knowing which client has which IP is just not it. Our advice is to
get it right now rather than have long debugging sessions later ;)
Just our 0.02
HTH,
Steve
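A small pre-join check script for the DNS points raised in this thread (only the short name in /etc/hostname, the FQDN not bound to a loopback address in /etc/hosts, the FQDN and the realm's Kerberos SRV record resolving). This is an added example, not code from the thread or from Samba; the realm and host names from the quoted join output are reused as constructed test values, and the live part assumes getent and host are installed.

```shell
#!/bin/sh
# Added example, not from the Samba thread: pre-join DNS sanity checks.
# Host names and realm below are constructed from the quoted join output.

# /etc/hostname should hold only the short name: no dots, not empty.
check_short_hostname() {
    case "$1" in
        ""|*.*) return 1 ;;
        *)      return 0 ;;
    esac
}

# The FQDN must be exactly "<short>.<realm>"; DNS names are case-insensitive,
# so compare both sides in lower case.
check_fqdn() {
    lhs=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rhs=$(printf '%s.%s' "$1" "$3" | tr 'A-Z' 'a-z')
    [ "$lhs" = "$rhs" ]
}

# An /etc/hosts line must not map a dotted name (the FQDN) to 127.x.x.x:
# a DC learning a loopback address from the client cannot use it.
check_hosts_line() {
    set -- $1                      # split the line into address + names
    case "$1" in
        127.*)
            shift
            for name in "$@"; do
                case "$name" in *.*) return 1 ;; esac
            done ;;
    esac
    return 0
}

# Live checks against the running system (run with --live); assumes getent and host.
live_checks() {
    short=$(cat /etc/hostname); fqdn=$(hostname -f); realm=${fqdn#*.}
    check_short_hostname "$short" || echo "FAIL: /etc/hostname must hold only the short name"
    check_fqdn "$short" "$fqdn" "$realm" || echo "FAIL: hostname -f gives '$fqdn', expected '$short.$realm'"
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        check_hosts_line "$line" || echo "FAIL: loopback line binds a FQDN: $line"
    done < /etc/hosts
    getent hosts "$fqdn" | grep -qv '^127\.' || echo "FAIL: $fqdn does not resolve to a routable address"
    host -t SRV "_kerberos._tcp.$realm" >/dev/null 2>&1 || echo "FAIL: no Kerberos SRV record for $realm"
}

case "${1:-}" in --live) live_checks ;; esac
```

Run it as `sh check-dns.sh --live` on the client before `net ads join`; any FAIL line is a reason not to join yet.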



