[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server

Timo Altun olol13.samba at the-1337.org
Mon Mar 23 02:02:47 MDT 2015


Hello Samba Crowd,

finally had some more time to work on the problem today. I set up the
Wheezy VM, installed Samba, Winbind, Krb5-user and did the domain join.
With the configs from the wiki
<https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server> I could
join the domain and retrieve the users; they are shown with getent passwd.
Problem is, the DNS update still does not work with Samba 3.6.6, and the
Windows users can't access the shares (password dialog is shown, but
credentials do not work). The DNS failure I get on the wheezy VM says a bit
more than on the squeeze with Samba 3.5.6:

net ads join -Uadministrator
Enter administrator's password:
Using short domain name -- MAYWEG.NET
Joined 'WHEEZYTEST' to realm 'intranet.mayweg.net'
DNS Update for wheezytest.intranet.mayweg.net failed:
ERROR_DNS_INVALID_MESSAGE
DNS update failed!

I also can't log on to the wheezy machine with domain users...says
authentication error for administrator and "Could not update ICEAuthority
file /home/[user]/.ICEauthority", but that might be gnome related. As the
DNS issue doesn't seem to be caused by the older Samba version, I'll
continue trying to make it work on the Squeeze with 3.5.6.

The old smb.conf on that machine, where I had everything working but the
DNS updates, did not use a keytab and security = ADS. It used security =
domain. Is there any disadvantage to that?

I did not know that once the clients see the AD DC, there's no going
back. Once I test it in the live environment, I'll expose it to a small
portion of the network first then.

Greetings,
Timo

On 20 March 2015 at 22:05, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

>  On 20/03/15 20:53, Timo Altun wrote:
>
>
> On 20 March 2015 at 20:24, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
>
>> On 20/03/15 19:08, Timo Altun wrote:
>>
>>>
>>> I did not run that command at all. I did run samba-tool classicupgrade
>>> on the DC after setting up ldap with my data. As far as I understand the
>>> provisioning of the domain is done during that process. And on the other
>>> machines provisioning must not be done, right?
>>>
>>>
>>>
>>  Sorry about this, but I am losing the plot here :-)
>>
>
> You did not lose the plot at all :)
>
>>
>> So, you upgraded from a NT-4 style domain to a Samba 4 AD DC with
>> classicupgrade, this AD DC is running on a Debian Jessie machine ?
>>
>
>  Yes. Tried dist-upgrading the old DC (Debian Lenny) first, but at some
> point did a clean install of Debian Jessie instead. Installed the newest
> ldap from jessie sources and imported the data from the old DC. Then
> installed Samba4, BIND9 and did the classicupgrade. I shut down ldap, as
> Samba4 has its own backend, as described in the nice howto for the
> classicupgrade.
>
>
> OK
>
>
>> I take it (hope would probably be a better word) that you are doing this
>> in a test situation ?
>>
>
> Of course :) They are all virtual machines running in their own subnet
> right now. The Debian Jessie AD DC, a Debian Squeeze File Server running
> Samba 3.5.6, a WinXP Client and a Win7 Client with RSAT tools for DNS/AD
> Administration testing. This should represent the bulk of the machines on
> the actual network.
>
>>
>>
> Thank goodness for that, you do know that once your main clients do see
> the AD DC, there is no going back!
>
> Can you setup a VM with wheezy and then set up samba (this should get you
> 3.6.6) and try this, hopefully this should work and you may be able to work
> out why your squeeze machine isn't (my money is on 3.5.6)
>
>> You have set up a test Unix client using the smb.conf from the member
>> server page on the wiki, what version of samba is this running ?
>>
>
>  That would be the Debian Squeeze machine running Samba 3.5.6.
>
>>
>> Your users have uidNumbers inside the range set in smb.conf ?
>>
>
>  Yes, though I did not check every single one.
>
>
> Good, as long as you have at least one with a uidNumber 'getent passwd'
> should show it
>
>
>
>
>> The Domain Users group (at least) has a gidNumber inside the range set in
>> smb.conf ?
>>
>
>  Yes, that would be gidNumber 20001.
>
>>
>>
> Good
>
>> Your test Unix client is pointing to the AD DC for dns ?
>>
>
>  Yes, and only at the AD DC. Nslookup works for the other domain members
> hostnames. Not for its own hostname btw...I'm guessing because there is no
> dns record for its name :)
>
>>
>>
> OK, set up the new VM and try it; if you still need help we will pick it
> up from there tomorrow.
>
> Rowland
>
>> Answer the above and we will go from there :-)
>
>
>  Tried my best :) Again, thanks for this amazing help!
>
>>
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>


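An added example, not code from Timo's or Rowland's messages: a POSIX shell script that automates the member-server checks raised in this thread (do the uidNumber/gidNumber values winbind returns fall inside the idmap range set in smb.conf, and does the resolver point only at the AD DC). The smb.conf fragment, the getent-style lines, the resolv.conf text and the DC address 192.0.2.10 are constructed sample input, and the function names are my own; on a real member server you would feed it /etc/samba/smb.conf, `getent passwd` / `getent group` and /etc/resolv.conf instead. It does not diagnose the ERROR_DNS_INVALID_MESSAGE failure from `net ads join` itself; it only confirms the prerequisites Rowland asked about.

```shell
#!/bin/sh
# Added example for this thread (not Timo's or Rowland's code).
# Checks that winbind-supplied uid/gid values lie inside the idmap range in
# smb.conf, and that the resolver points at the AD DC. All input below is
# constructed sample data; on a real member server replace it with
# /etc/samba/smb.conf, `getent passwd` / `getent group` and /etc/resolv.conf.

# Constructed smb.conf fragment in the style of the wiki member-server page.
SMB_CONF='[global]
   workgroup = MAYWEG
   security = ADS
   realm = INTRANET.MAYWEG.NET
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MAYWEG : backend = ad
   idmap config MAYWEG : schema_mode = rfc2307
   idmap config MAYWEG : range = 10000-40000'

# Constructed getent passwd output: alice is inside the range, bob is not.
PASSWD_SAMPLE='MAYWEG\alice:*:20005:20001:alice:/home/MAYWEG/alice:/bin/bash
MAYWEG\bob:*:9999:20001:bob:/home/MAYWEG/bob:/bin/bash'

# Constructed resolv.conf; 192.0.2.10 stands in for the AD DC address.
RESOLV_CONF='search intranet.mayweg.net
nameserver 192.0.2.10'

# Print "LOW HIGH" for the idmap range of domain $2 in the smb.conf text $1
# (empty output if no range line is found). Keys are matched in lowercase
# only, and $2 is used as a regex fragment, so pass a plain domain name.
idmap_range() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap config[[:space:]]*$2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# Succeed if the numeric id $1 is within [$2, $3].
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Read passwd-format lines on stdin and print each name whose uid falls
# outside [$1, $2]; return 1 if any did, 0 otherwise.
users_outside_range() {
    bad=0
    while IFS=: read -r name pw uid rest; do
        [ -n "$uid" ] || continue
        if ! in_range "$uid" "$1" "$2"; then
            printf '%s\n' "$name"   # printf, not echo: names carry backslashes
            bad=1
        fi
    done
    return "$bad"
}

# Succeed if the resolv.conf text $1 lists $2 as a nameserver.
resolver_points_at() {
    printf '%s\n' "$1" |
        awk -v dc="$2" '$1 == "nameserver" && $2 == dc { found = 1 } END { exit !found }'
}

# Demo run over the constructed data.
range=$(idmap_range "$SMB_CONF" MAYWEG)
low=${range% *}; high=${range#* }
printf 'idmap range for MAYWEG: %s-%s\n' "$low" "$high"

if in_range 20001 "$low" "$high"; then
    printf 'Domain Users gid 20001 is inside the range\n'
fi

printf 'users with a uid outside the range:\n'
printf '%s\n' "$PASSWD_SAMPLE" | users_outside_range "$low" "$high" ||
    printf '(fix their uidNumber in AD or widen the range; getent will not list them)\n'

if resolver_points_at "$RESOLV_CONF" 192.0.2.10; then
    printf 'resolver points at the AD DC\n'
else
    printf 'resolver does not point at the AD DC; AD and SRV lookups will not work\n'
fi
```

The range parse deliberately ignores the `idmap config *` default backend: with `idmap config DOMAIN : backend = ad` the uidNumber/gidNumber come from the directory, so an account outside the domain range silently drops out of `getent passwd` rather than failing loudly, which is why the script lists offenders by name.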