[Samba] Join AD fails DNS update

Harry Jede walk2sun at arcor.de
Thu Jun 26 04:00:29 MDT 2014


On 11:32:09 wrote Lars Hanke:
> Hi,
> 
>  > setup the resolv.conf
> 
> My resolv.conf looks okay and I can resolve other AD specific stuff.
> 
> > check you hosts file
> > 
> > 	127.0.0.1 localhost localhost.localdomain.
> > 	IP_OF_THIS_SERVER  hostname.yourinternal.domain.tld
> 
> It looks like that, but has hostname as second alternative. This is
> strange, since /etc/nsswitch.conf has:
> 
> hosts:          files dns
> 
> and is still unable to resolve hostname.yourinternal.domain.tld. This
> doesn't change, if I remove the hostname alias.
> 
> > test ping hostname.domain.tld for your AD server.
> 
> works fine!
> 
> > krb5.conf
> 
> I added:
> > [libdefaults]
> > 
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> 
> but no change. However, I can do 'kinit Administrator' successfully,
> i.e. the Kerberos subsystem seems to work.
> 
> > setup your smb.conf  ( from a 4.1.7 debian backports samba )
> 
> My smb.conf is a little leaner still, but I guess that some of the
> options are for more advanced usage than a simple join. I hate to add
> configuration options, which I do not understand. But I'll use it as
> a guide when I advance further.
> 
> > net ads join -U Administrator
> > 
> > If you join and you get a dns error when adding.
> > Did you already add the hostname of the server in the AD DNS?
> > If so, that's why you get an error. Ignore it, and check if your
> > member server joined the domain in the AD.
> 
> Okay, here we probably come closer. The syslog of the AD DC has:
> 
> Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on
> zone ad.microsult.de
> Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702:
> updating zone 'ad.microsult.de/NONE': update unsuccessful:
> samba4.ad.microsult.de/A: 'RRset exists (value dependent)'
> prerequisite not satisfied (NXRRSET)
> Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction
> on zone ad.microsult.de
> Jun 24 15:24:44 samba named[7248]: samba_dlz: starting transaction on
> zone ad.microsult.de
> Jun 24 15:24:44 samba named[7248]: samba_dlz: spnego update failed
> Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702:
> updating zone 'ad.microsult.de/NONE': update failed: rejected by
> secure update (REFUSED)
> Jun 24 15:24:44 samba named[7248]: samba_dlz: cancelling transaction
> on zone ad.microsult.de
> 
> BUT:
> 
> root at samba:/# dig @samba samba4.ad.microsult.de
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @samba samba4.ad.microsult.de
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40150
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;samba4.ad.microsult.de.                IN      A
> 
> ;; AUTHORITY SECTION:
> ad.microsult.de.        0       IN      SOA    
> samba.ad.microsult.de. hostmaster.ad.microsult.de. 1 900 600 86400 0
> 
> ;; Query time: 27 msec
> ;; SERVER: 172.16.6.240#53(172.16.6.240)
> ;; WHEN: Tue Jun 24 18:02:18 2014
> ;; MSG SIZE  rcvd: 93
> 
> So DLZ claims that the entry exists, but it cannot be accessed by
> Bind. Any ideas?
Yes,
you do not interpret the dig output in a correct manner!

1.
Your commandline tells dig to query the server "samba" for the record 
"samba4.ad.microsult.de". But did you get an "Answer SECTION"?
 No!

2.
The "AUTHORITY SECTION" returns a SOA record instead of a NS record.

Conclusion:
Your bind server @samba has no knowledge of which nameserver it should 
consult to retrieve or update a record in zone "ad.microsult.de".

So add a NS record to your zone declaration. In flat file format it 
should look like this:

@       IN      SOA     ad.microsult.de. root.kronprinz.xx. (
                        505061645
                        10800
                        3600
                        604800
                        86400 )
                NS      samba.ad.microsult.de.
$ORIGIN         ad.microsult.de.
samba		A	172.16.6.240

> 
> Kind regards,
> 
> - lars.


-- 

Regards
	Harry Jede
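As an added example (not code from the thread or from Samba), here is a small Python parser that picks the failed dynamic updates out of BIND/samba_dlz syslog lines of the kind Lars quoted from the DC, so the admin can see per client which update was REFUSED by secure update and which prerequisite check (NXRRSET) failed. The function and class names are mine, and the sample lines are constructed in the same format as the quoted syslog.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# BIND: "client <ip>#<port>: updating zone '<zone>': update <outcome>: <detail> (<RCODE>)"
UPDATE_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[^#\s]+)#\d+: updating zone '(?P<zone>[^']+)': "
    r"update (?:unsuccessful|failed): (?P<detail>.+?) \((?P<rcode>[A-Z]+)\)$"
)
# Prerequisite failures start with the record that was checked, e.g. "samba4.ad.microsult.de/A:"
RECORD_RE = re.compile(r"^(?P<name>[^\s/]+)/(?P<rtype>[A-Z]+):")

@dataclass(frozen=True)
class UpdateFailure:
    client: str
    zone: str
    rcode: str             # NXRRSET, REFUSED, ...
    detail: str
    record: Optional[str]  # "<name>/<type>" when the message names one

def parse_update_failures(lines):
    """Extract failed dynamic updates; lines that are not update results are skipped."""
    failures = []
    for line in lines:
        m = UPDATE_RE.search(line.strip())
        if not m:
            continue
        rec = RECORD_RE.match(m["detail"])
        failures.append(UpdateFailure(
            client=m["client"], zone=m["zone"].split("/")[0],  # drop the "/NONE" view suffix
            rcode=m["rcode"], detail=m["detail"],
            record=f'{rec["name"]}/{rec["rtype"]}' if rec else None,
        ))
    return failures

def refused_by_client(failures):
    """REFUSED per client: a host repeatedly rejected by secure update cannot authenticate its DDNS updates."""
    return Counter(f.client for f in failures if f.rcode == "REFUSED")

# Constructed sample with the same wording as the DC syslog above, unwrapped onto single lines.
SAMPLE_LOG = [
    "Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone "
    "'ad.microsult.de/NONE': update unsuccessful: samba4.ad.microsult.de/A: "
    "'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)",
    "Jun 24 15:24:44 samba named[7248]: samba_dlz: spnego update failed",
    "Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone "
    "'ad.microsult.de/NONE': update failed: rejected by secure update (REFUSED)",
]
```

Run `parse_update_failures(SAMPLE_LOG)` to get the two failures, and `refused_by_client(...)` on that list to see the rejecting client count.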

