[Samba] Join AD fails DNS update

Lars Hanke debian at lhanke.de
Tue Jun 24 10:06:21 MDT 2014


Hi,

 > setup the resolv.conf
My resolv.conf looks okay and I can resolve other AD specific stuff.

> check you hosts file
> 	127.0.0.1 localhost localhost.localdomain.
> 	IP_OF_THIS_SERVER  hostname.yourinternal.domain.tld

It looks like that, but has the hostname as a second alternative. This is 
strange, since /etc/nsswitch.conf has:

hosts:          files dns

and it is still unable to resolve hostname.yourinternal.domain.tld. This 
doesn't change if I remove the hostname alias.

> test ping hostname.domain.tld for your AD server.
works fine!

> krb5.conf
I added:
> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
but no change. However, I can do 'kinit Administrator' successfully, 
i.e. the Kerberos subsystem seems to work.

> setup your smb.conf  ( from a 4.1.7 debian backports samba )
My smb.conf is a little leaner still, but I guess that some of the 
options are for more advanced usage than a simple join. I hate to add 
configuration options that I do not understand. But I'll use it as a 
guide when I advance further.

> net ads join -U Administrator
>
> If you join and you get a DNS error when adding:
> Did you already add the hostname of the server in the AD DNS?
> If so, that's why you get an error. Ignore it, and check whether your member server joined the domain in the AD.

Okay, here we probably come closer. The syslog of the AD DC has:

Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone 'ad.microsult.de/NONE': update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: samba_dlz: spnego update failed
Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone 'ad.microsult.de/NONE': update failed: rejected by secure update (REFUSED)
Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction on zone ad.microsult.de

BUT:

root at samba:/# dig @samba samba4.ad.microsult.de

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @samba samba4.ad.microsult.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40150
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;samba4.ad.microsult.de.                IN      A

;; AUTHORITY SECTION:
ad.microsult.de.        0       IN      SOA     samba.ad.microsult.de. hostmaster.ad.microsult.de. 1 900 600 86400 0

;; Query time: 27 msec
;; SERVER: 172.16.6.240#53(172.16.6.240)
;; WHEN: Tue Jun 24 18:02:18 2014
;; MSG SIZE  rcvd: 93

So DLZ claims that the entry exists, but it cannot be accessed by Bind. 
Any ideas?

Kind regards,

- lars.
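As an added example (not part of the post above, and not Samba or BIND project code), here is a small parser that pulls the client, zone, record and response code out of named's dynamic-update log lines and maps the code to its RFC 2136 meaning. The sample input is the poster's own log excerpt, re-typed with each wrapped line joined back onto a single line; the interpretation strings are this example's own, based on the RFC 2136 response-code definitions, not on anything Samba documents.

```python
"""Classify BIND (named) dynamic-update failures from syslog lines.

Added example for reading 'updating zone ... update failed (RCODE)' lines
such as the ones a Samba AD DC with the BIND9_DLZ backend logs during
'net ads join'. Interpretations follow RFC 2136 section 2.2; they are
this example's own hints, not Samba or ISC documentation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the log excerpt from the post above, one record per line.
SAMPLE_LOG = """\
Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone 'ad.microsult.de/NONE': update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on zone ad.microsult.de
Jun 24 15:24:44 samba named[7248]: samba_dlz: spnego update failed
Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone 'ad.microsult.de/NONE': update failed: rejected by secure update (REFUSED)
Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction on zone ad.microsult.de
"""

# "client IP#PORT: updating zone 'ZONE/CLASS': update failed|unsuccessful: DETAIL (RCODE)"
UPDATE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): updating zone '(?P<zone>[^']+)': "
    r"update (?:unsuccessful|failed): (?P<detail>.*)\((?P<rcode>[A-Z]+)\)\s*$"
)
# Optional "name/TYPE: ..." prefix that names the RRset a prerequisite was checked against.
RECORD_RE = re.compile(r"^(?P<name>[\w.-]+)/(?P<rtype>[A-Z0-9]+): (?P<rest>.*)$")

# RFC 2136 section 2.2 response codes that show up in join-time updates.
RCODE_MEANING = {
    "NXRRSET": "prerequisite failed: an RRset the client required to exist does not exist",
    "YXRRSET": "prerequisite failed: an RRset the client required to be absent exists",
    "NXDOMAIN": "prerequisite failed: a name the client required to exist does not exist",
    "YXDOMAIN": "prerequisite failed: a name the client required to be absent exists",
    "REFUSED": "policy refusal: the server would not accept the update (TSIG/GSS-TSIG or update ACL)",
    "NOTAUTH": "server is not authoritative for the zone",
    "NOTZONE": "a name in the update lies outside the zone",
    "SERVFAIL": "server-side failure while applying the update",
}


@dataclass
class UpdateFailure:
    client: str
    zone: str                 # zone name with the logged "/CLASS" suffix stripped
    rcode: str
    record: Optional[str]     # RRset name from the detail, if named
    rtype: Optional[str]
    detail: str
    spnego_failed: bool       # a "samba_dlz: spnego update failed" line preceded this update
    meaning: str


def parse_named_updates(log: str) -> List[UpdateFailure]:
    """Return one UpdateFailure per failed dynamic update found in `log`."""
    failures: List[UpdateFailure] = []
    spnego_failed = False
    for line in log.splitlines():
        # samba_dlz reports a GSS-TSIG (SPNEGO) failure on its own line, just before named's REFUSED.
        if "spnego update failed" in line:
            spnego_failed = True
            continue
        m = UPDATE_RE.search(line)
        if not m:
            continue
        detail = m.group("detail").strip()
        record = rtype = None
        r = RECORD_RE.match(detail)
        if r:
            record, rtype, detail = r.group("name"), r.group("rtype"), r.group("rest").strip()
        rcode = m.group("rcode")
        meaning = RCODE_MEANING.get(rcode, "unknown response code")
        if rcode == "REFUSED" and spnego_failed:
            meaning += "; the preceding SPNEGO failure means the GSS-TSIG signature was not accepted"
        failures.append(UpdateFailure(
            client=m.group("ip"),
            zone=m.group("zone").split("/")[0],
            rcode=rcode, record=record, rtype=rtype, detail=detail,
            spnego_failed=spnego_failed, meaning=meaning,
        ))
        spnego_failed = False  # the flag applies to the next update only
    return failures


if __name__ == "__main__":
    for f in parse_named_updates(SAMPLE_LOG):
        target = f"{f.record}/{f.rtype}" if f.record else "(no RRset named)"
        print(f"{f.client} -> {f.zone} {target}: {f.rcode}: {f.meaning}")
```

Read against RFC 2136, the first failure is a prerequisite check, not a write: the client asked the server to confirm that samba4.ad.microsult.de/A exists with a particular value, and NXRRSET is the server answering that it does not, which is the same answer the dig query returns as NXDOMAIN. The second failure is the REFUSED from the secure (GSS-TSIG) path, flagged here because samba_dlz logged the SPNEGO failure immediately before it.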
