[Samba] Join AD fails DNS update

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 26 04:28:34 MDT 2014


On 26/06/14 11:18, Lars Hanke wrote:
> I dug into the code of bind to check where the error occurs, and it 
> seems we misinterpreted its meaning. Not an issue of bad wording, but 
> us ignoring proper punctuation. :(
>
> Jun 24 15:24:44 samba named[7248]: client 172.16.6.242#38702: updating 
> zone 'ad.microsult.de/NONE': update unsuccessful: 
> samba4.ad.microsult.de/A: 'RRset exists (value dependent)' 
> prerequisite not satisfied (NXRRSET)
>
> It does mean that some RRset is required to exist, but it does not! 
> (see RFC2136). Unfortunately, the message doesn't state which set 
> fails. Since prerequisites are optional, I assume that SAMBA_DLZ 
> explicitly sets these fields. Any idea why or what it requires?

What have you got in the system's main logfile (syslog on Debian)?

>
> Furthermore, I sent the original reply to Rowland's message from the 
> wrong e-mail address, i.e. it was not accepted by the list. Since it 
> has some useful information, I append it here to share my research:
>
> Thanks Rowland, this gives a more comprehensive view.
>
> > The problem is probably that you are only searching on port 389, try
> > this search:
> > ldbsearch -LLL -x -h localhost -p 3268 -b "DC=example,DC=com" -s sub -D
> > "CN=Administrator,CN=Users,DC=example,DC=com" -w <ADpassword>
>
> The syntax looks like ldapsearch instead of ldbsearch,

OOPS, yes you are right.

> but yes this search returns the DNS entries maintained by the AD DC. 
> It does not contain any entry for a machine called samba4, i.e. the 
> error that it cannot be added since it exists already is wrong, remember:
>
> client 172.16.6.242#40938: updating zone 'ad.microsult.de/NONE': 
> update unsuccessful: samba4.ad.microsult.de/A: 'RRset exists (value 
> dependent)' prerequisite not satisfied (NXRRSET)
>
> Still the only entity about the joined machine is:
>
> ldapsearch -LLL -x -h localhost -p 3268 -b "DC=ad,DC=microsult,DC=de" 
> -s sub -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -W | 
> grep -i samba4 | grep ^dn:
> Enter LDAP Password:
> dn: CN=samba4,CN=Computers,DC=ad,DC=microsult,DC=de
>
> The process logging the error is named, but it claims to propagate an 
> error from within samba_dlz.
>
> ... and we learned that the DNS records except root servers are not 
> stored in sam.ldb. 

Yes they are, you just cannot see them in a normal search.

> However, a construct like:
>
> for f in `find / -type f -name '*.ldb'`; do echo File: $f; ldbsearch 
> --url="$f" | grep -i samba | grep ^dn: ; done
>
> showed it's in
>
> private/sam.ldb.d/DC=DOMAINDNSZONES,DC=AD,DC=MICROSULT,DC=DE.ldb
>
> but no, there's no trace of any machine called samba4 in it.

What ever you do, DO NOT EDIT

  'DC=DOMAINDNSZONES,DC=AD,DC=MICROSULT,DC=DE.ldb'

If you do, you will probably destroy your domain, only edit sam.ldb.

Rowland
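The thread turns on what named's message actually says: per RFC 2136 (sections 2.4 and 3.2) an UPDATE carries a prerequisite section, and NXRRSET means a prerequisite of the form "RRset exists (value dependent)" failed because the zone does not hold an RRset with exactly the asserted owner, type and values. The evaluator below is an added example written for this page; it is not code from BIND, Samba, samba_dlz or either poster, and it does not establish which component set the prerequisite in the quoted log. The zone contents, owner names and addresses are constructed for the demo; the wording of the prerequisite kinds follows BIND's log line quoted above.

```python
# Added example (not code from BIND, Samba or the thread): evaluate the
# prerequisite section of an RFC 2136 UPDATE against an in-memory zone and
# report the first failing prerequisite the way named words it.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# RCODEs returned for failed prerequisites (RFC 2136 section 2.2).
NOERROR, NXDOMAIN, YXDOMAIN, YXRRSET, NXRRSET = 0, 3, 6, 7, 8
RCODE_NAMES = {NOERROR: "NOERROR", NXDOMAIN: "NXDOMAIN", YXDOMAIN: "YXDOMAIN",
               YXRRSET: "YXRRSET", NXRRSET: "NXRRSET"}

# CLASS values with special meaning in the prerequisite section (section 2.4).
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_ANY = "ANY"

# Zone model: owner name (lower case, no trailing dot) -> RR type -> set of RDATA.
Zone = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Prereq:
    name: str
    rtype: str                   # "ANY" or a concrete type such as "A"
    rclass: int                  # CLASS_IN, CLASS_NONE or CLASS_ANY
    rdata: Optional[str] = None  # present only for CLASS_IN (value dependent)

    def kind(self) -> str:
        """Prerequisite kind, in the wording BIND uses in its log line."""
        if self.rclass == CLASS_ANY:
            return ("Name is in use" if self.rtype == TYPE_ANY
                    else "RRset exists (value independent)")
        if self.rclass == CLASS_NONE:
            return ("Name is not in use" if self.rtype == TYPE_ANY
                    else "RRset does not exist")
        return "RRset exists (value dependent)"


def _owner(name: str) -> str:
    return name.lower().rstrip(".")


def check_prereqs(zone: Zone, prereqs: List[Prereq]) -> Tuple[int, Optional[Prereq]]:
    """Return (rcode, failing prerequisite) following RFC 2136 section 3.2.

    Value-dependent prerequisites with the same owner and type are merged into
    one RRset and compared as a whole (section 3.2.5), so asserting two A
    records fails when the zone holds only one of them.
    """
    wanted: Dict[Tuple[str, str], Set[str]] = {}
    first: Dict[Tuple[str, str], Prereq] = {}
    for p in prereqs:
        rrsets = zone.get(_owner(p.name), {})
        if p.rclass == CLASS_ANY:
            if p.rtype == TYPE_ANY and not rrsets:
                return NXDOMAIN, p
            if p.rtype != TYPE_ANY and p.rtype not in rrsets:
                return NXRRSET, p
        elif p.rclass == CLASS_NONE:
            if p.rtype == TYPE_ANY and rrsets:
                return YXDOMAIN, p
            if p.rtype != TYPE_ANY and p.rtype in rrsets:
                return YXRRSET, p
        else:  # CLASS_IN: value-dependent, collected and compared as a set
            key = (_owner(p.name), p.rtype)
            wanted.setdefault(key, set()).add(p.rdata or "")
            first.setdefault(key, p)
    for (owner, rtype), rdatas in wanted.items():
        if zone.get(owner, {}).get(rtype, set()) != rdatas:
            return NXRRSET, first[(owner, rtype)]
    return NOERROR, None


def named_style_message(zone_name: str, rcode: int, failing: Optional[Prereq]) -> str:
    """Reproduce the shape of the named log line quoted in the thread."""
    if failing is None:
        return f"updating zone '{zone_name}': update successful"
    return (f"updating zone '{zone_name}': update unsuccessful: "
            f"{_owner(failing.name)}/{failing.rtype}: '{failing.kind()}' "
            f"prerequisite not satisfied ({RCODE_NAMES[rcode]})")


# Constructed zone for the demo: an NS record and one client host, but no A
# record at all for samba4, which is the situation the thread describes.
SAMPLE_ZONE: Zone = {
    "ad.microsult.de": {"NS": {"samba4.ad.microsult.de."}},
    "client1.ad.microsult.de": {"A": {"172.16.6.242"}},
}


def demo() -> str:
    """An update asserting 'samba4 A exists with this value' fails with NXRRSET."""
    prereqs = [Prereq("samba4.ad.microsult.de", "A", CLASS_IN, "172.16.6.242")]
    rcode, failing = check_prereqs(SAMPLE_ZONE, prereqs)
    return named_style_message("ad.microsult.de", rcode, failing)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` produces the same "'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)" line as the quoted log, from a zone that simply has no A record for the name. The useful contrast is the CLASS_NONE form ("RRset does not exist"), which is what a client would send when it wants to add a record that must not already be there; against the same zone that prerequisite succeeds. Note that the evaluator does not check the zone class of the owner (the quoted log shows the zone as 'ad.microsult.de/NONE'), nor which caller built the prerequisite; the thread does not settle that.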


