[Samba] Join AD fails DNS update

Lars Hanke debian at lhanke.de
Thu Jun 26 04:18:13 MDT 2014


I dug into the code of bind to check where the error occurs, and it 
seems we misinterpreted its meaning. Not an issue of bad wording, but us 
ignoring proper punctuation. :(

Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating zone 'ad.microsult.de/NONE': update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

It does mean that some RRset is required to exist, but it does not! (see 
RFC2136). Unfortunately, the message doesn't state which set fails. 
Since prerequisites are optional, I assume that SAMBA_DLZ explicitly 
sets these fields. Any idea why or what it requires?

Furthermore, I sent the original reply to Rowland's message from the 
wrong e-mail address, i.e. it was not accepted by the list. Since it has 
some useful information, I append it here to share my research:

Thanks Rowland, this gives a more comprehensive view.

 > The problem is probably that you are only searching on port 389, try
 > this search:
 > ldbsearch -LLL -x -h localhost -p 3268 -b "DC=example,DC=com" -s sub -D
 > "CN=Administrator,CN=Users,DC=example,DC=com" -w <ADpassword>

The syntax looks like ldapsearch instead of ldbsearch, but yes, this 
search returns the DNS entries maintained by the AD DC. It does not 
contain any entry for a machine called samba4, i.e. the error that it 
cannot be added since it exists already is wrong; remember:

client 172.16.6.242#40938: updating zone 'ad.microsult.de/NONE': update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

Still the only entity about the joined machine is:

ldapsearch -LLL -x -h localhost -p 3268 -b "DC=ad,DC=microsult,DC=de" -s sub -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -W | grep -i samba4 | grep '^dn:'
Enter LDAP Password:
dn: CN=samba4,CN=Computers,DC=ad,DC=microsult,DC=de

The process logging the error is named, but it claims to propagate an 
error from within samba_dlz.

... and we learned that the DNS records except root servers are not 
stored in sam.ldb. However, a construct like:

for f in $(find / -type f -name '*.ldb'); do echo "File: $f"; ldbsearch --url="$f" | grep -i samba | grep '^dn:'; done

showed it's in

private/sam.ldb.d/DC=DOMAINDNSZONES,DC=AD,DC=MICROSULT,DC=DE.ldb

but no, there's no trace of any machine called samba4 in it.

