[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
Rowland Penny
rowlandpenny at googlemail.com
Mon Mar 9 16:36:21 MDT 2015
On 09/03/15 22:16, Richard Connon wrote:
> On 09/03/2015 22:07, Rowland Penny wrote:
>> On 09/03/15 21:59, Richard Connon wrote:
>>> On 09/03/2015 21:59, Rowland Penny wrote:
>>>> How did you try to join the machine to the domain ? I think I know,
>>>> but I would like you to confirm my suspicions.
>>>
>>> Hi Rowland,
>>>
>>> This output was generated with `net ads join
>>> -Uprovisioning%<password> -d10`
>>>
>>> Regards,
>>> Richard
>>
>> OK, well it isn't what I thought, moving on, what is in smb.conf
>> (please do not post any commented lines), /etc/resolv.conf,
>> /etc/krb5.conf, what OS etc
>>
>> Rowland
>>
> Hi Rowland,
>
> On all hosts of site CCPG-UK:
> resolv.conf contains:
> domain ads.connon.me.uk
> nameserver 10.10.0.250
> nameserver 10.10.0.252
> nameserver 10.10.0.251
>
> krb5.conf contains:
> [libdefaults]
> default_realm = ADS.CONNON.ME.UK
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
>
> The DC smb.conf contains:
> [global]
> netbios name = DC01
> realm = ADS.CONNON.ME.UK
> workgroup = CONNON
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = dedicated keytab
> dsdb:schema update allowed = Yes
>
> [netlogin]
> path = /var/lib/samba/sysvol/ads.connon.me.uk/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> The client smb.conf contains:
> [global]
> security = ads
> netbios name = SHELL01
> realm = ADS.CONNON.ME.UK
> workgroup = CONNON
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = dedicated keytab
>
> The OS for all machines is debian 7. The DC is using samba
> 4.1.17+dfsg-1~bpo70+1 from backports while the client is using
> 3.6.6-6+deb7u5.
> I appreciate that samba 3.6 is now very old but I'd like to avoid
> deviating from the standard install for clients. I'm reasonably sure
> this should be fixable with a 3.6 client since it has worked so well
> in the past.
>
> It is possible that the DC has received a minor (4.1.x) upgrade since
> domain join last worked.
>
> Regards,
> Richard

Hmm, everything looks OK and it shouldn't matter whether you use the
standard 3.6 from Debian or 4.1.17 from backports, except for the fact
that 3.6 isn't just old, it is EOL, so you may have to rely on Debian
backporting any security updates themselves.

I take it that the three nameservers in the client's resolv.conf are all
DCs; if not, I suggest you remove any that aren't. Could you also have
a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
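
The nameserver check suggested in the message above can be run per resolver. The script below is an added example, not part of the original thread or of Samba. Its function names, the stub lookup and the 192.0.2.x / samdom.example.com sample values are constructed; the two SRV names are the standard AD locator records.

```shell
#!/bin/sh
# Added example: check that every resolver a domain member uses can locate the DCs.

# Print the nameserver addresses from a resolv.conf-format file.
nameservers() { awk '$1 == "nameserver" { print $2 }' "$1"; }

# Default lookup: ask one server for one SRV name (needs dig).
srv_lookup() { dig +short +time=2 +tries=1 "@$1" "$2" SRV; }

# check_resolvers FILE REALM [LOOKUP_FUNCTION]
# Prints OK/FAIL per nameserver and SRV name; returns 1 if any answer was empty.
check_resolvers() {
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    lookup=${3:-srv_lookup}
    failed=0
    for ns in $(nameservers "$1"); do
        for name in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._udp.$domain"; do
            if [ -n "$("$lookup" "$ns" "$name" 2>/dev/null)" ]; then
                echo "OK   $ns $name"
            else
                echo "FAIL $ns $name"
                failed=1
            fi
        done
    done
    return "$failed"
}

# Constructed stand-in for srv_lookup so the demo runs offline:
# only 192.0.2.10 answers like a DC-hosted DNS server.
stub_lookup() {
    [ "$1" = "192.0.2.10" ] && echo "0 100 389 dc01.samdom.example.com."
    return 0
}

# Offline demo on a constructed resolv.conf (sample values, not from the thread).
demo() {
    tmp=$(mktemp)
    printf 'nameserver 192.0.2.10\nnameserver 192.0.2.53\n' > "$tmp"
    demo_rc=0
    check_resolvers "$tmp" SAMDOM.EXAMPLE.COM stub_lookup || demo_rc=$?
    rm -f "$tmp"
    return "$demo_rc"
}

# sh check.sh demo   or   sh check.sh /etc/resolv.conf REALM
if [ "${1:-}" = "demo" ]; then demo
elif [ "$#" -eq 2 ]; then check_resolvers "$1" "$2"
fi
```

A FAIL line for a resolver means a member that happens to query it cannot find a DC or KDC through DNS, which matters here because krb5.conf sets `dns_lookup_kdc = true`.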