[Samba] Join AD fails DNS update

L.P.H. van Belle belle at bazuin.nl
Tue Jun 24 08:04:00 MDT 2014

What you can do is the following. 

Set up resolv.conf:
	domain yourinternal.domain.tld
	search  yourinternal.domain.tld
	nameserver IP_OF_YOUR_AD_SERVER 

Check your hosts file (localhost localhost.localdomain):
	IP_OF_THIS_SERVER  hostname.yourinternal.domain.tld
( or put this in /etc/network/interfaces: dns-domain dns-search dns-nameserver ) 
( or, if you use resolvconf, /etc/resolvconf/resolv.conf.d ) 

Test: ping hostname.domain.tld for your AD server. 
If that does not work, add the IP / FQHN of your server to the hosts file, 
but it should not be needed. 

 # in /etc/krb5.conf, [libdefaults] section
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = YOURINTERNAL.DOMAIN.TLD     <<  IN CAPS !  

Set up your smb.conf ( from a 4.1.7 Debian backports Samba ): 
   workgroup = INTERNAL
   security = ADS
   encrypt passwords = yes

   netbios name = HOSTNAME 			<< IN CAPS
   domain master = no
   host msdfs = no

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   client signing = if_required

   ## map ids outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain; the ranges may not overlap !
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 10000-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = yes
   winbind offline logon = yes

net ads join -U Administrator

If you join and you get a DNS error when adding: 
did you already add the hostname of the server in the AD DNS? 
If so, that's why you get an error. Ignore it, and check whether your member server joined the domain in the AD.

It should work; I'm also running a Samba 3.6.6 in my Wheezy SerNet setup. 
But if this still doesn't work, add wheezy-backports to your apt sources 
and upgrade 3.6.6 to the latest backports version; that is the one I'm using for my proxy setup. 
For your sources.list, if needed: 
deb http://ftp.debian.org/debian/ wheezy-backports main contrib non-free

Run apt-get update and check with apt-cache policy samba before upgrading. 
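As an added example (not from this post or from Samba itself), a small POSIX sh script that checks the resolv.conf, hosts and realm settings described above before running net ads join, and classifies the state of the host's A record after a join that reported a DNS update error. The file paths, IPs and names in it are constructed; the lookup command is a parameter so that "host" can be substituted.

```shell
#!/bin/sh
# Added example, not from the list post: sanity checks for the resolver,
# hosts-file and realm settings described above, to run before "net ads join".
# The paths, sample IPs and names below are this example's own (constructed).

# resolv.conf must name the AD DNS server and carry a search/domain line.
check_resolv() {                    # $1 = resolv.conf path, $2 = AD DNS IP
    grep -Eq "^nameserver[[:space:]]+$2([[:space:]]|$)" "$1" || return 1
    grep -Eq '^(search|domain)[[:space:]]+[^[:space:]]+' "$1" || return 2
}

# hosts must map this server's own IP to its FQDN (first name on that line).
check_hosts() {                     # $1 = hosts path, $2 = own IP, $3 = FQDN
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# default_realm in krb5.conf must be the DNS domain written in capitals.
realm_ok() {                        # $1 = configured realm, $2 = DNS domain
    [ "$1" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# After a join that reports "DNS update failed", decide whether the A record
# already exists: ok (points at us), wrong-ip, or missing. $3 is the lookup
# command (normally "host"); it is a parameter so a stand-in can be used.
dns_state() {                       # $1 = FQDN, $2 = expected IP, $3 = lookup cmd
    out=$("$3" "$1" 2>/dev/null) || { echo missing; return 0; }
    if printf '%s\n' "$out" | grep -Fqx "$1 has address $2"; then echo ok
    elif printf '%s\n' "$out" | grep -q ' has address '; then echo wrong-ip
    else echo missing
    fi
}

# Stand-alone demo on constructed files (realistic shapes, made-up values).
demo() {
    d=$(mktemp -d) || return 1
    printf 'domain ad.example.test\nsearch ad.example.test\nnameserver 192.0.2.1\n' > "$d/resolv.conf"
    printf '127.0.0.1 localhost localhost.localdomain\n192.0.2.10 member.ad.example.test member\n' > "$d/hosts"
    check_resolv "$d/resolv.conf" 192.0.2.1 && echo "resolv.conf: ok" || echo "resolv.conf: FAIL"
    check_hosts "$d/hosts" 192.0.2.10 member.ad.example.test && echo "hosts: ok" || echo "hosts: FAIL"
    realm_ok AD.EXAMPLE.TEST ad.example.test && echo "realm: ok" || echo "realm: FAIL"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh checks.sh demo` to see the demo on the constructed files; on a real member server, call the functions with /etc/resolv.conf, /etc/hosts and `host` instead.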


>-----Original message-----
>From: debian at lhanke.de [mailto:samba-bounces at lists.samba.org] 
>On behalf of Lars Hanke
>Sent: Tuesday 24 June 2014 15:35
>To: samba at lists.samba.org
>Subject: [Samba] Join AD fails DNS update
>This topic has been on the list two years ago, already, but apparently 
>to no conclusion.
>I'm trying to join a Debian Wheezy machine (Samba 3.6.6) to my freshly 
>made backports AD (Samba 4.1.7). This is what I see:
>root at samba4:/# net ads join -U Administrator at AD.MICROSULT.DE
>Enter Administrator at AD.MICROSULT.DE's password:
>Using short domain name -- AD
>Joined 'SAMBA4' to realm 'ad.microsult.de'
>DNS Update for samba4.ad.microsult.de failed: ERROR_DNS_INVALID_MESSAGE
>DNS update failed!
>root at samba4:/# host samba4.ad.microsult.de
>Host samba4.ad.microsult.de not found: 3(NXDOMAIN)
>root at samba4:/# net --version
>Version 3.6.6
>The old discussion (e.g. http://www.spinics.net/lists/samba/msg102650.html) 
>recommended to ignore the message, but it stipulates that at least sometimes 
>the client entry was added. I didn't see any DNS update so far. I use DLZ like them.
>Any idea how to troubleshoot this situation?
>Kind regards,
>  - lars.