[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain

Tim lists at kiuni.de
Tue Mar 10 06:16:43 MDT 2015


Hey Richard,

here is my _msdcs DNS zone. I only have two DCs. I hope the text structure will be readable on your side.

Name									Type				Data
dc
+- _sites
	+- Default-First-Site-Name
		+- _tcp
			_kerberos					Service Identification (SRV)	[0][100][88] DC1.example.samdom.com.
			_kerberos					Service Identification (SRV)	[0][100][88] DC2.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
+- _tcp
	_kerberos							Service Identification (SRV)	[0][100][88] DC1.example.samdom.com.	
	_kerberos							Service Identification (SRV)	[0][100][88] DC2.example.samdom.com.	
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.	
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.	
domains
+- <Domain-ID>
	_tcp
	+- 	_ldap
		 (identical with folder above)				Service Identification (SRV) 	[0][100][389] DC1.example.samdom.com.
		 (identical with folder above)				Service Identification (SRV) 	[0][100][389] DC2.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
	
gc
+- _sites
	+- Default-First-Site-Name
		+- _tcp
			_ldap						Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
+- _tcp
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.	
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.	
(identical with folder above)						Host (A)			<IP Address DC1>
(identical with folder above)						Host (A)			<IP Address DC2>

pdc
+- _tcp
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.	
		
<Unique ID of DC1>						Alias (CNAME)				DC1.example.samdom.com.
<Unique ID of DC2>						Alias (CNAME)				DC2.example.samdom.com.
(identical with folder above)					Authority Source (SOA)			[12], DC1.example.samdom.com., hostmaster.example.samdom.com.
(identical with folder above)					Nameserver (NS)				DC1.example.samdom.com.
(identical with folder above)					Nameserver (NS)				DC2.example.samdom.com.



Regards
Tim



On 10.03.2015 00:19, Richard Connon wrote:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>> that 3.6 isn't just old, it is EOL, so you may have to rely on debian
>> backporting any security updates themselves.
>>
>> I take it that the three nameservers in the client's resolv.conf are
>> all DCs, if not, I suggest you remove any that aren't, could you also
>> have a look here:
>>
>>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and the
> client to contain just the DC for this site rather than my normal
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools I
> can use to perform some test queries against this DC?
>
> Regards,
> Richard
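
One way to compare another domain's SRV records against the `dc` and `pdc` folders of the listing above, as an added example that is not part of the original post or of Samba. It assumes input in `dig +noall +answer` style lines, that every DC holds every `dc` name as in this two-DC listing, and ports 88 and 389; the function names and sample data are hypothetical.

```python
import re

DOMAIN = "example.samdom.com"      # placeholder domain used in the post
SITE = "Default-First-Site-Name"   # site name shown in the listing
# Owner names every DC should hold, relative to _msdcs.<domain> (the "dc" folder above).
EVERY_DC = ["_kerberos._tcp.dc", "_ldap._tcp.dc",
            f"_kerberos._tcp.{SITE}._sites.dc", f"_ldap._tcp.{SITE}._sites.dc"]
PDC = "_ldap._tcp.pdc"             # held by exactly one DC in the listing
SRV_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)

def parse_srv(text):
    """Map lower-cased owner name -> {target host: port} from SRV answer lines."""
    records = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            owner, port, target = m.groups()
            records.setdefault(owner.lower().rstrip("."), {})[target.lower().rstrip(".")] = int(port)
    return records

def check_locator(text, dcs, domain=DOMAIN):
    """Return findings as strings; an empty list means the dc and pdc names are complete."""
    records, findings = parse_srv(text), []
    for rel in EVERY_DC:
        owner, port = f"{rel}._msdcs.{domain}".lower(), (88 if rel.startswith("_kerberos") else 389)
        for dc in dcs:
            host = f"{dc}.{domain}".lower()
            got = records.get(owner, {}).get(host)
            if got is None:
                findings.append(f"{owner}: no SRV record for {host}")
            elif got != port:
                findings.append(f"{owner}: {host} registered on port {got}, expected {port}")
    holders = sorted(records.get(f"{PDC}._msdcs.{domain}".lower(), {}))
    if len(holders) != 1:
        findings.append(f"{PDC}._msdcs.{domain}: expected one PDC emulator, found {holders}")
    return findings

# Constructed input: the post's dc/pdc records as answer lines, minus DC2's site Kerberos record.
SAMPLE = """\
_kerberos._tcp.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 88 DC1.example.samdom.com.
_kerberos._tcp.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 88 DC2.example.samdom.com.
_ldap._tcp.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 389 DC1.example.samdom.com.
_ldap._tcp.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 389 DC2.example.samdom.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 88 DC1.example.samdom.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 389 DC1.example.samdom.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.samdom.com. 900 IN SRV 0 100 389 DC2.example.samdom.com.
_ldap._tcp.pdc._msdcs.example.samdom.com. 900 IN SRV 0 100 389 DC1.example.samdom.com.
"""
if __name__ == "__main__":
    print("\n".join(check_locator(SAMPLE, ["DC1", "DC2"])))
```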