[Samba] Join AD fails DNS update
Rowland Penny
rowlandpenny at googlemail.com
Thu Jun 26 04:28:34 MDT 2014
On 26/06/14 11:18, Lars Hanke wrote:
> I dug into the code of bind to check where the error occurs, and it
> seems we misinterpreted its meaning. Not an issue of bad wording, but
> us ignoring proper punctuation. :(
>
> Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating
> zone 'ad.microsult.de/NONE': update unsuccessful:
> samba4.ad.microsult.de/A: 'RRset exists (value dependent)'
> prerequisite not satisfied (NXRRSET)
>
> It does mean that some RRset is required to exist, but it does not!
> (see RFC2136). Unfortunately, the message doesn't state which set
> fails. Since prerequisites are optional, I assume that SAMBA_DLZ
> explicitly sets these fields. Any idea why or what it requires?
What have you got in the system's main logfile (syslog on Debian)?
>
> Furthermore, I sent the original reply to Rowland's message from the
> wrong e-mail address, i.e. it was not accepted by the list. Since it
> has some useful information, I append it here to share my research:
>
> Thanks Rowland, this gives a more comprehensive view.
>
> > The problem is probably that you are only searching on port 389, try
> > this search:
> > ldbsearch -LLL -x -h localhost -p 3268 -b "DC=example,DC=com" -s sub -D
> > "CN=Administrator,CN=Users,DC=example,DC=com" -w <ADpassword>
>
> The syntax looks like ldapsearch instead of ldbsearch,
OOPS, yes you are right.
> but yes this search returns the DNS entries maintained by the AD DC.
> It does not contain any entry for a machine called samba4, i.e. the
> error that it cannot be added since it exists already is wrong, remember:
>
> client 172.16.6.242#40938: updating zone 'ad.microsult.de/NONE':
> update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value
> dependent)' prerequisite not satisfied (NXRRSET)
>
> Still the only entity about the joined machine is:
>
> ldapsearch -LLL -x -h localhost -p 3268 -b "DC=ad,DC=microsult,DC=de"
> -s sub -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -W |
> grep -i samba4 | grep ^dn:
> Enter LDAP Password:
> dn: CN=samba4,CN=Computers,DC=ad,DC=microsult,DC=de
>
> The process logging the error is named, but it claims to propagate an
> error from within samba_dlz.
>
> ... and we learned that the DNS records except root servers are not
> stored in sam.ldb.
Yes they are, you just cannot see them in a normal search.
> However, a construct like:
>
> for f in `find / -type f -name '*.ldb'`; do echo File: $f; ldbsearch
> --url="$f" | grep -i samba | grep ^dn: ; done
>
> showed it's in
>
> private/sam.ldb.d/DC=DOMAINDNSZONES,DC=AD,DC=MICROSULT,DC=DE.ldb
>
> but no, there's no trace of any machine called samba4 in it.
Whatever you do, DO NOT EDIT
'DC=DOMAINDNSZONES,DC=AD,DC=MICROSULT,DC=DE.ldb'
If you do, you will probably destroy your domain; only edit sam.ldb.
Rowland
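As an added illustration (not code from this thread, nor from Samba or BIND), the following Python model of the RFC 2136 section 3.2 prerequisite check shows why a 'RRset exists (value dependent)' prerequisite answers NXRRSET both when the RRset is absent and when it exists with different contents. The zone contents and the assumption that the update's prerequisite carried 172.16.6.242 as the A record value are constructed for the example.

```python
# Added example: model of the RFC 2136 section 3.2 prerequisite check.
from collections import defaultdict

NOERROR, FORMERR, NXDOMAIN, YXDOMAIN, YXRRSET, NXRRSET = 0, 1, 3, 6, 7, 8
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_ANY = "ANY"


def check_prerequisites(zone, zone_class, prereqs):
    """zone: {(owner, rtype): set(rdata)}; prereqs: list of
    (owner, rtype, rclass, rdata-or-None) as found in the prerequisite
    section of an UPDATE message. Returns the RCODE the server would
    answer with (RFC 2136 section 3.2.5)."""
    names_in_use = {owner for owner, _ in zone}
    wanted = defaultdict(set)  # value-dependent RRsets, compared as whole sets
    for owner, rtype, rclass, rdata in prereqs:
        if rclass == CLASS_ANY:
            if rtype == TYPE_ANY:               # "Name is in use"
                if owner not in names_in_use:
                    return NXDOMAIN
            elif (owner, rtype) not in zone:    # "RRset exists (value independent)"
                return NXRRSET
        elif rclass == CLASS_NONE:
            if rtype == TYPE_ANY:               # "Name is not in use"
                if owner in names_in_use:
                    return YXDOMAIN
            elif (owner, rtype) in zone:        # "RRset does not exist"
                return YXRRSET
        elif rclass == zone_class:              # "RRset exists (value dependent)"
            wanted[(owner, rtype)].add(rdata)
        else:
            return FORMERR
    # Section 3.2.3: the zone RRset must equal the prerequisite RRset exactly,
    # so a missing RRset and an RRset with other values both give NXRRSET.
    for key, rdatas in wanted.items():
        if zone.get(key, set()) != rdatas:
            return NXRRSET
    return NOERROR


# Constructed zone: apex records and one host, but no A record for samba4.
ZONE = {
    ("ad.microsult.de", "SOA"): {"constructed-soa-rdata"},
    ("ad.microsult.de", "NS"): {"dc.ad.microsult.de."},
    ("dc.ad.microsult.de", "A"): {"172.16.6.1"},
}


def samba4_update_rcode(zone, rdata="172.16.6.242"):
    """RCODE for the quoted update, assuming its prerequisite section held a
    value-dependent 'samba4.ad.microsult.de A <rdata>' (assumption)."""
    return check_prerequisites(zone, CLASS_IN,
                               [("samba4.ad.microsult.de", "A", CLASS_IN, rdata)])
```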