[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
Rowland Penny
rowlandpenny at googlemail.com
Tue Mar 10 08:25:50 MDT 2015
On 10/03/15 14:11, Richard Connon wrote:
> Hi Rowland,
>
> Please see comments inline.
>
> On 10/03/15 08:51, Rowland Penny wrote:
>> Your DCs must point to themselves for DNS and your domain clients must
>> point to the DCs; anything outside the domain the DCs will obtain
>> from the forwarders set on them.
>
> This is contrary to what the wiki says.
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> This page indicates that as long as the client can resolve names in
> the domain DNS zone (in my case ads.connon.me.uk) they should be fine.
>
I think that you are referring to this line:
Your DNS server(s) must be able to resolve the AD DNS zone, because
services, such as Kerberos, use it to locate other services in your
network.
Above that line in the wiki is this:
Configure your Member Servers /etc/resolv.conf to use the DNS server(s)
and search domain of your AD:
nameserver 192.168.1.1
search samdom.example.com
And if you look further up, 192.168.1.1 is the IP of a DC DNS server.
>> What I think is happening: your client is asking for the DC from your
>> forwarders, they do not know, so they ask the DC, who asks the
>> forwarder, who does not know and so on.
>
> I can confirm this isn't happening since I can resolve (for example)
> the SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders,
> you can even test this yourself with `dig -t SRV
> _ldap._tcp.ads.connon.me.uk` or similar.
>
AGGHHHH, your Domain DCs are resolvable on the internet, *they shouldn't be*
rowland at ThinkPad ~ $ dig -t SRV _ldap._tcp.ads.connon.me.uk
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _ldap._tcp.ads.connon.me.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42601
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ads.connon.me.uk. IN SRV
;; ANSWER SECTION:
_ldap._tcp.ads.connon.me.uk. 899 IN SRV 0 100 389 dc02.ads.connon.me.uk.
_ldap._tcp.ads.connon.me.uk. 899 IN SRV 0 100 389 dc01.ads.connon.me.uk.
> I'm currently looking into whether there are any records missing.
>
> Regards,
> Richard
>
Probably not, it just seems to be set up incorrectly.
Your AD domain should be a sub domain of your registered domain (if you
have one) and should not be resolvable from the internet.
Rowland
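A way to check a member server's DNS setup against the advice given in this thread, as an added example that is not code from the thread or from the Samba project. It parses a resolv.conf and the ANSWER SECTION of `dig -t SRV` output, checks that the nameserver is a DC, that the search list carries the AD realm, that the SRV records a member needs point at known DCs, and flags the zone when a public resolver can answer for it. The hostnames, addresses and the minimal SRV set (`_ldap._tcp`, `_kerberos._tcp`) are assumptions, and the sample resolv.conf and dig answers are constructed inline so the script runs offline:

```python
"""Check a Samba AD member's DNS setup. Added example, not part of the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, lower-cased, trailing dot removed
    priority: int
    weight: int
    port: int
    target: str    # target host, lower-cased, trailing dot removed


# One ANSWER SECTION line of `dig -t SRV`, fields separated by spaces or tabs, e.g.
# "_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_answers(dig_output: str) -> list[SrvRecord]:
    """Pull SRV records out of dig output; ';' comment lines and blanks are skipped."""
    records = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(
                m["name"].rstrip(".").lower(), int(m["prio"]), int(m["weight"]),
                int(m["port"]), m["target"].rstrip(".").lower()))
    return records


def parse_resolv_conf(text: str) -> tuple[list[str], list[str]]:
    """Return (nameservers, search domains) from resolv.conf text."""
    nameservers: list[str] = []
    search: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(a.lower() for a in args)
    return nameservers, search


# Assumption: the minimal SRV names a domain member relies on to find its DCs.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp")


def check_member_dns(resolv_conf: str, realm: str, dcs: dict[str, str],
                     internal_answers: str, public_answers: str = "") -> list[str]:
    """dcs maps DC hostname -> IP. internal_answers is dig output obtained through the
    member's own resolver; public_answers is dig output from a resolver outside the
    domain (empty string if the query was not made). Returns a list of problems."""
    realm = realm.lower()
    problems: list[str] = []
    nameservers, search = parse_resolv_conf(resolv_conf)
    dc_ips = set(dcs.values())
    dc_hosts = {h.lower() for h in dcs}
    if not nameservers:
        problems.append("resolv.conf: no nameserver")
    for ns in nameservers:
        if ns not in dc_ips:
            problems.append(f"resolv.conf: nameserver {ns} is not a DC")
    if realm not in search:
        problems.append(f"resolv.conf: search list lacks {realm}")
    records = parse_srv_answers(internal_answers)
    for prefix in REQUIRED_SRV:
        name = f"{prefix}.{realm}"
        found = [r for r in records if r.name == name]
        if not found:
            problems.append(f"missing SRV record {name}")
        for r in found:
            if r.target not in dc_hosts:
                problems.append(f"SRV {name} points at {r.target}, not a known DC")
    # The point of the thread: the AD zone must not be answerable from the internet.
    leaked = [r for r in parse_srv_answers(public_answers) if r.name.endswith(realm)]
    if leaked:
        problems.append(f"AD zone {realm} is resolvable from the internet "
                        f"({len(leaked)} SRV records)")
    return problems


# Constructed sample data (not from the thread): a member set up per the wiki,
# and a DC answering both SRV names.
DCS = {"dc1.samdom.example.com": "192.168.1.1"}
GOOD_RESOLV = "nameserver 192.168.1.1\nsearch samdom.example.com\n"
GOOD_ANSWERS = (
    ";; ANSWER SECTION:\n"
    "_ldap._tcp.samdom.example.com.\t900\tIN\tSRV\t0 100 389 dc1.samdom.example.com.\n"
    "_kerberos._tcp.samdom.example.com.\t900\tIN\tSRV\t0 100 88 dc1.samdom.example.com.\n"
)
# The situation described in the thread: resolver is an outside forwarder
# (203.0.113.53 is a documentation address) and the zone answers publicly.
BAD_RESOLV = "nameserver 203.0.113.53\nsearch example.com\n"

if __name__ == "__main__":
    print(check_member_dns(GOOD_RESOLV, "samdom.example.com", DCS, GOOD_ANSWERS))
    print(check_member_dns(BAD_RESOLV, "samdom.example.com", DCS, GOOD_ANSWERS, GOOD_ANSWERS))
```

On a real member, feed `check_member_dns` the contents of `/etc/resolv.conf`, the output of `dig -t SRV _ldap._tcp.<realm>` and `dig -t SRV _kerberos._tcp.<realm>` concatenated, and the output of the same queries run with `@` a resolver outside the domain; an empty problem list means the member matches the setup the thread recommends.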