[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server

Timo Altun olol13.samba at the-1337.org
Fri Mar 20 12:28:47 MDT 2015

Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a clean
install of jessie and installed samba 4.1.17 from jessie repositories. Is
there a better way?

Strangely the domain join, shares and users did work before on the squeezy
member against the Samba4 AD DC with security = domain and no keytab
defined, nor created.

The only thing that didn't work, was setting the dns record during 'net ads
join -Uadministrator'. I'll probably go back to the old, ugly, overloaded
smb.conf, so that I have the users working and add the dns entries manually
for the other linux machines.


On 20 March 2015 at 18:11, Rowland Penny <rowlandpenny at googlemail.com>

> On 20/03/15 16:56, Timo Altun wrote:
>> On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>     On 20/03/15 15:47, Timo Altun wrote:
>>         I'm sorry it got confusing, changed the topic and I'll try to
>>         explain. I am using Jessie on the DC. Server13 is a linux file
>>         server and domain member, it is on squeeze. If possible, I do
>>         not want to upgrade it. The problem here is, that it does not
>>         seem to generate a DNS record when joining the domain and,
>>         after setting up the new smb.conf, the users aren't passed on
>>         from winbind to the local authentication tools. It also caused
>>         the single share I set up in the smb.conf to be unaccessible
>>         by user administrator. Maybe something with the keytab file is
>>         not working.
>>     You were confused :-D
>> And I most definitely still am :)
>> In general, am I right, that Kerberos is working as intended, when I am
>> able to get tickets?
>> Further, my old smb.conf used security = domain and no keytab...might
>> this be the reason for the winbind users not being transferred?
>> Maybe it's also necessary for DNS updates to have that part working.
> Was your old domain server an NT-4 style PDC ? you didn't use kerberos
> with this type of server. Now that you are using a Samba4 AD DC, you have
> to use 'security = ADS' and keytabs, the main keytab (usually
> /etc/krb5.keytab) is created for you when you run 'net ads join -U
> Administrator', the join should create the dns record for the client but
> sometimes it doesn't. This is not a problem, you just have to create them
> manually on the DC with 'samba-tool dns add <server> <zone> <name>
> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See samba-tool dns add --help'
> for more info.
> Having said all that, one thing that I don't think has been raised yet,
> how did you install samba on the DC ?
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list