[Samba] Joining a domain - missing SRV records

Brian Candler b.candler at pobox.com
Tue Jun 17 05:32:48 MDT 2014


I joined a second Samba 4 controller to an existing test Samba 4 domain 
by following
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC

I found I had to create the A and GUID CNAME records for the second host 
by hand, as the instructions said I might.

However, there were also missing SRV records, in particular
_kerberos._udp.<domain>
_ldap._tcp.<domain>

(they list only the first server)

As I understand it, the client won't be able to find a domain controller 
if the primary fails and there's no SRV. Indeed, if I shut down the 
primary, kinit says it's unable to contact any KDC for the realm.

I was able to fix it like this, after I'd worked out the unusual 
ordering of the SRV record parameters that samba-tool expects:

# samba-tool dns add localhost example.com _kerberos._udp srv "pc2.example.com. 88 0 100" -U administrator
# samba-tool dns add localhost example.com _ldap._tcp srv "pc2.example.com. 389 0 100" -U administrator
# samba-tool dns add localhost example.com _kerberos._tcp srv "pc2.example.com. 88 0 100" -U administrator

(note: kinit didn't work until _kerberos._tcp was added; I used tcpdump 
to find out what queries it was doing)

Also I see there are others like
_kpasswd._udp
_kpasswd._tcp
which presumably should be included as well.

Perhaps these steps should be added to the documentation too?

Regards,

Brian.
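As an added illustration of the check described in this post (not code from the post's author or from the Samba project): the script below parses the answer section of a `dig SRV` query for each of the service names mentioned above, reports which domain controller is absent from which SRV record, and prints the `samba-tool dns add` commands that would fill the gaps, using the "target port priority weight" ordering the post found samba-tool expects rather than the RFC 2782 "priority weight port target" order that `dig` shows. The `dig` output, the host names `pc1.example.com` / `pc2.example.com`, and the priority and weight values are constructed sample data; the kpasswd port 464 is the standard assignment, not something the post states.

```python
import re
from dataclasses import dataclass

# Services the post says every DC should appear in, with the port each
# record should carry. 88/389 follow the post's commands; 464 is the
# standard kpasswd port (assumed here, not given in the post).
EXPECTED_SRV = {
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_ldap._tcp": 389,
    "_kpasswd._udp": 464,
    "_kpasswd._tcp": 464,
}

# One answer line from dig: <name> <ttl> IN SRV <prio> <weight> <port> <target>
SRV_LINE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class Srv:
    name: str      # e.g. "_ldap._tcp.example.com" (trailing dot stripped)
    priority: int
    weight: int
    port: int
    target: str    # e.g. "pc1.example.com" (trailing dot stripped)


def parse_dig_srv(text):
    """Parse SRV answer lines from dig output; comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(Srv(
                name=m.group(1).rstrip(".").lower(),
                priority=int(m.group(2)),
                weight=int(m.group(3)),
                port=int(m.group(4)),
                target=m.group(5).rstrip(".").lower(),
            ))
    return records


def missing_srv(records, domain, dcs):
    """Return (service, dc) pairs where no SRV record names that DC."""
    have = {(r.name, r.target) for r in records}
    missing = []
    for service in EXPECTED_SRV:
        fqdn = f"{service}.{domain}".lower()
        for dc in dcs:
            if (fqdn, dc.lower()) not in have:
                missing.append((service, dc))
    return missing


def samba_tool_commands(missing, domain, server="localhost",
                        priority=0, weight=100, user="administrator"):
    """Build samba-tool commands; note the target-port-priority-weight order."""
    cmds = []
    for service, dc in missing:
        port = EXPECTED_SRV[service]
        cmds.append(
            f'samba-tool dns add {server} {domain} {service} srv '
            f'"{dc}. {port} {priority} {weight}" -U {user}'
        )
    return cmds


# Constructed sample: pc2 was added to _ldap._tcp only, as in the post's
# "they list only the first server" observation for the other records.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_kerberos._udp.example.com. 900 IN SRV 0 100 88 pc1.example.com.
_kerberos._tcp.example.com. 900 IN SRV 0 100 88 pc1.example.com.
_ldap._tcp.example.com. 900 IN SRV 0 100 389 pc1.example.com.
_ldap._tcp.example.com. 900 IN SRV 0 100 389 pc2.example.com.
_kpasswd._udp.example.com. 900 IN SRV 0 100 464 pc1.example.com.
_kpasswd._tcp.example.com. 900 IN SRV 0 100 464 pc1.example.com.
"""

if __name__ == "__main__":
    recs = parse_dig_srv(SAMPLE_DIG)
    gaps = missing_srv(recs, "example.com", ["pc1.example.com", "pc2.example.com"])
    for service, dc in gaps:
        print(f"missing: {service}.example.com -> {dc}")
    for cmd in samba_tool_commands(gaps, "example.com"):
        print(cmd)
```

In practice the `SAMPLE_DIG` text would be replaced by the concatenated output of `dig SRV _kerberos._udp.example.com` and so on against the DC's own resolver; running the check with the primary stopped is also a quick way to confirm that a client can still locate the remaining DC, which is the failure the post observed with `kinit`.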


