[Samba] Join AD fails DNS update

Rowland Penny rowlandpenny at googlemail.com
Tue Jun 24 08:37:22 MDT 2014


On 24/06/14 15:04, L.P.H. van Belle wrote:
> What you can do is the following.
>
> setup the resolv.conf
> 	domain yourinternal.domain.tld
> 	search  yourinternal.domain.tld
> 	nameserver IP_OF_YOUR_AD_SERVER
>
> second.
> check your hosts file
> 	127.0.0.1 localhost localhost.localdomain.
> 	IP_OF_THIS_SERVER  hostname.yourinternal.domain.tld
> 	
> ( or put this in /etc/network/interfaces   dns-domain dns-search dns-nameserver )
> ( or if you use resolvconf /etc/resolvconf/resolv.conf.d  )
>
> test ping hostname.domain.tld for your AD server.
> If that does not work, add the IP / FQHN of your server to the hosts file.
> but it should not be needed.
>
> third.
> krb5.conf
> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   default_realm = YOURINTERNAL.DOMAIN.TLD     <<  IN CAPS !
>
>
> setup your smb.conf  ( from a 4.1.7 debian backports samba )
> [global]
>     workgroup = INTERNAL
>     security = ADS
>     realm = YOURINTERNAL.DOMAIN.TLD   << IN CAPS
>     encrypt passwords = yes
>
>     netbios name = HOSTNAME 			<< IN CAPS
>     domain master = no
>     host msdfs = no
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     client signing = if_required
>
>     ## map id's outside to domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 50001-80000
>     ## map ids from the domain  the range may not overlap !
>     idmap config INTERNAL:backend = ad
>     idmap config INTERNAL:schema_mode = rfc2307
>     idmap config INTERNAL:range = 10000-40000
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     winbind offline logon = yes
>
>
> net ads join -U Administrator
>
> If you join and you get a DNS error when adding:
> did you already add the hostname of the server in the AD DNS?
> If so, that's why you get an error. Ignore it, and check if your member server joined the domain in the AD.
>
> Should work, I'm also running a samba 3.6.6 in my wheezy sernet setup.
> But if this still doesn't work, add wheezy-backports to your apt sources
> and upgrade 3.6.6 to the latest backports version, which is the one I'm using for my proxy setup.
> For your sources.list, if needed:
> deb http://ftp.debian.org/debian/ wheezy-backports main contrib non-free
>
> apt-get update and check with apt-cache policy samba before upgrading.
>
>
> Louis
>
>
>> -----Original message-----
>> From: debian at lhanke.de [mailto:samba-bounces at lists.samba.org]
>> On behalf of Lars Hanke
>> Sent: Tuesday 24 June 2014 15:35
>> To: samba at lists.samba.org
>> Subject: [Samba] Join AD fails DNS update
>>
>> This topic has been on the list two years ago, already, but apparently
>> to no conclusion.
>>
>> I'm trying to join a Debian Wheezy machine (Samba 3.6.6) to my freshly
>> made backports AD (Samba 4.1.7). This is what I see:
>>
>> root at samba4:/# net ads join -U Administrator at AD.MICROSULT.DE
>> Enter Administrator at AD.MICROSULT.DE's password:
>> Using short domain name -- AD
>> Joined 'SAMBA4' to realm 'ad.microsult.de'
>> DNS Update for samba4.ad.microsult.de failed: ERROR_DNS_INVALID_MESSAGE
>> DNS update failed!
>> root at samba4:/# host samba4.ad.microsult.de
>> Host samba4.ad.microsult.de not found: 3(NXDOMAIN)
>> root at samba4:/# net --version
>> Version 3.6.6
>>
>> The old discussion (e.g.
>> http://www.spinics.net/lists/samba/msg102650.html) recommended
>> to ignore the message, but it stipulates that at least sometimes the
>> client entry was added. I didn't see any DNS update so far. I use DLZ like them.
>>
>> Any idea how to troubleshoot this situation?
>>
>> Kind regards,
>>   - lars.
>>
>>
Er Louis, I think that I have told you this before, but anyway, if you 
read 'man resolv.conf' you will find this:

The domain and search keywords are mutually exclusive.  If more than one 
instance of these keywords is present, the last instance wins.

So in the resolv.conf that you suggested, the line 'domain 
yourinternal.domain.tld' will be ignored, so why add it??

Rowland
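As an added example (not code from either Louis or Rowland, and not part of Samba), the script below turns the checklist from Louis's message and Rowland's correction into offline sanity checks: it flags a resolv.conf that carries both 'domain' and 'search' (only the last one is honoured), verifies that the host's FQDN in the hosts file points at a real address rather than loopback, checks that the realm is written in upper case, and checks that the '*' and domain idmap ranges do not overlap. All file paths are parameters; the sample files it creates in a temp directory are constructed here (192.0.2.0/24 is a documentation address range), so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity checks for the
# settings discussed above. Sample files are constructed in a temp dir.

tmp=$(mktemp -d)

# Constructed sample: resolv.conf as posted, with both 'domain' and 'search'.
cat > "$tmp/resolv.louis" <<'EOF'
domain yourinternal.domain.tld
search yourinternal.domain.tld
nameserver 192.0.2.10
EOF

# Constructed sample: only the 'search' line kept (Rowland's point).
cat > "$tmp/resolv.fixed" <<'EOF'
search yourinternal.domain.tld
nameserver 192.0.2.10
EOF

# Constructed sample hosts file.
cat > "$tmp/hosts" <<'EOF'
127.0.0.1 localhost localhost.localdomain
192.0.2.20 hostname.yourinternal.domain.tld hostname
EOF

# Constructed smb.conf fragment: ranges as posted (no overlap), but the
# realm in lower case, which the posted notes say must be upper case.
cat > "$tmp/smb.conf" <<'EOF'
[global]
    realm = yourinternal.domain.tld
    idmap config *:backend = tdb
    idmap config *:range = 50001-80000
    idmap config INTERNAL:backend = ad
    idmap config INTERNAL:range = 10000-40000
EOF

# Constructed variant: realm correct, but the two idmap ranges overlap.
cat > "$tmp/smb.overlap" <<'EOF'
[global]
    realm = YOURINTERNAL.DOMAIN.TLD
    idmap config *:range = 10000-60000
    idmap config INTERNAL:range = 50000-80000
EOF

# 'domain' and 'search' are mutually exclusive; the last instance wins.
# Fail if more than one such line exists, or if no nameserver is set.
check_resolv_conf() {
    n=$(grep -cE '^[[:space:]]*(domain|search)[[:space:]]' "$1" || true)
    if [ "$n" -gt 1 ]; then
        last=$(grep -E '^[[:space:]]*(domain|search)[[:space:]]' "$1" | tail -n 1)
        echo "WARN: $1: $n domain/search lines, only this one counts: $last" >&2
        return 1
    fi
    grep -qE '^[[:space:]]*nameserver[[:space:]]' "$1" \
        || { echo "WARN: $1: no nameserver line" >&2; return 1; }
}

# The host's FQDN must be in the hosts file and map to a non-loopback
# address. Prints the address on success.
check_hosts_fqdn() {
    addr=$(awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1")
    [ -n "$addr" ] || { echo "WARN: $2 not found in $1" >&2; return 1; }
    case "$addr" in
        127.*) echo "WARN: $2 maps to loopback $addr" >&2; return 1 ;;
    esac
    echo "$addr"
}

# The realm (key 'realm' in smb.conf, 'default_realm' in krb5.conf) must be
# upper case. Prints the value on success.
check_realm_case() {
    val=$(sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#;]+).*/\1/p" "$1" | head -n 1)
    [ -n "$val" ] || { echo "WARN: $2 not set in $1" >&2; return 1; }
    [ "$val" = "$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "WARN: $2 '$val' is not upper case" >&2; return 1; }
    echo "$val"
}

# Every 'idmap config X:range = lo-hi' pair must be disjoint.
check_idmap_ranges() {
    sed -nE 's/^[[:space:]]*idmap config ([^:]+):range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' "$1" |
    awk '{ name[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
         END {
             bad = 0
             for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                 if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                     print "WARN: idmap ranges " name[i] " and " name[j] " overlap" > "/dev/stderr"
                     bad = 1
                 }
             exit bad
         }'
}

# Stand-alone run: each check prints WARN lines to stderr when it fails.
for f in "$tmp/resolv.louis" "$tmp/resolv.fixed"; do
    if check_resolv_conf "$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
check_hosts_fqdn "$tmp/hosts" hostname.yourinternal.domain.tld
check_realm_case "$tmp/smb.conf" realm || echo "smb.conf: fix the realm case"
check_idmap_ranges "$tmp/smb.overlap" || echo "smb.overlap: fix the ranges"
```

Run it against real files by calling the functions with /etc/resolv.conf, /etc/hosts, /etc/krb5.conf (key default_realm) and /etc/samba/smb.conf (key realm) instead of the constructed samples.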


