[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 20 12:35:52 MDT 2015

On 20/03/15 18:28, Timo Altun wrote:
> Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a 
> clean install of jessie and installed samba 4.1.17 from jessie 
> repositories. Is there a better way?
> Strangely the domain join, shares and users did work before on the 
> squeeze member against the Samba4 AD DC with security = domain and no 
> keytab defined, nor created.
> The only thing that didn't work, was setting the dns record during 
> 'net ads join -Uadministrator'. I'll probably go back to the old, 
> ugly, overloaded smb.conf, so that I have the users working and add 
> the dns entries manually for the other linux machines.
> Greetings,
> Timo
> On 20 March 2015 at 18:11, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>     On 20/03/15 16:56, Timo Altun wrote:
>         On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>             On 20/03/15 15:47, Timo Altun wrote:
>                 I'm sorry it got confusing, changed the topic and I'll try to
>                 explain. I am using Jessie on the DC. Server13 is a linux file
>                 server and domain member, it is on squeeze. If possible, I do
>                 not want to upgrade it. The problem here is, that it does not
>                 seem to generate a DNS record when joining the domain and,
>                 after setting up the new smb.conf, the users aren't passed on
>                 from winbind to the local authentication tools. It also caused
>                 the single share I set up in the smb.conf to be unaccessible
>                 by user administrator. Maybe something with the keytab file is
>                 not working.
>             You were confused :-D
>         And I most definitely still am :)
>         In general, am I right, that Kerberos is working as intended,
>         when I am able to get tickets?
>         Further, my old smb.conf used security = domain and no
>         keytab...might this be the reason for the winbind users not
>         being transferred?
>         Maybe it's also necessary for DNS updates to have that part
>         working.
>     Was your old domain server an NT-4 style PDC? You didn't use
>     kerberos with this type of server. Now that you are using a Samba4
>     AD DC, you have to use 'security = ADS' and keytabs, the main
>     keytab (usually /etc/krb5.keytab) is created for you when you run
>     'net ads join -U Administrator', the join should create the dns
>     record for the client but sometimes it doesn't. This is not a
>     problem, you just have to create them manually on the DC with
>     'samba-tool dns add <server> <zone> <name>
>     <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See 'samba-tool dns add
>     --help' for more info.
>     Having said all that, one thing that I don't think has been raised
>     yet, how did you install samba on the DC?
>     Rowland

OK, have you run this command (on any of your computers):

samba-tool domain provision

and if so which

