[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 08:25:50 MDT 2015

On 10/03/15 14:11, Richard Connon wrote:
> Hi Rowland,
> Please see comments inline.
> On 10/03/15 08:51, Rowland Penny wrote:
>> Your DC's must point to themselves for DNS and your domain clients must
>> point to the DC's, anything outside the domain the DC's will be obtain
>> from the forwarders set on them.
> This is contrary to what the wiki says.
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> This page indicates that as long as the client can resolve names in 
> the domain DNS zone (in my case ads.connon.me.uk) they should be fine.

I think that you are referring to this line:

Your DNS server(s) must be able to resolve the AD DNS zone, because 
services, such as Kerberos, use it to locate other services in your 

Above that line in the wiki is this:

Configure your Member Servers /etc/resolv.conf to use the DNS server(s) 
and search domain of your AD:

search samdom.example.com

And if look further up is the ip of a DC DNS server.

>> What I think is happening: your client is asking for the DC from your
>> forwarders, they do not know, so they ask the DC, who asks the
>> forwarder, who does not know and so on.
> I can confirm this isn't happening since I can resolve (for example) 
> the SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders, 
> you can even test this yourself with `dig -t SRV 
> _ldap._tcp.ads.connon.me.uk` or similar.

AGGHHHH, your Domain DCs are resolvable on the internet, *they shouldn't be*

rowland at ThinkPad ~ $ dig -t SRV _ldap._tcp.ads.connon.me.uk

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _ldap._tcp.ads.connon.me.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42601
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;_ldap._tcp.ads.connon.me.uk.    IN    SRV

_ldap._tcp.ads.connon.me.uk. 899 IN    SRV    0 100 389 
_ldap._tcp.ads.connon.me.uk. 899 IN    SRV    0 100 389 

> I'm currently looking into whether there are any records missing.
> Regards,
> Richard

Probably not, it just seems to be set up incorrectly.

Your AD domain should be a sub domain of your registered domain (if you 
have one) and should not be resolvable from the internet.


More information about the samba mailing list