[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 23 03:40:48 MDT 2015

On 23/03/15 08:02, Timo Altun wrote:
> Hello Samba Crowd,
> finally had some more time to work on the problem today. I set up the 
> Wheezy VM, installed Samba, Winbind, Krb5-user and did the domain 
> join. With the configs from the wiki 
> <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server> I 
> could join the domain and retrieve the users, they are shown with 
> getent passwd. Problem is, the DNS update still does not work with 
> Samba 3.6.6. and the windows users can't access the shares (password 
> dialog is shown, but credentials do not work). The DNS failure I get 
> on the wheezy VM says a bit more than on the squeeze with Samba 3.5.6. 
> <http://3.5.6.>:
> net ads join -Uadministrator
> Enter administrator's password:
> Using short domain name -- MAYWEG.NET <http://MAYWEG.NET>
> Joined 'WHEEZYTEST' to realm 'intranet.mayweg.net 
> <http://intranet.mayweg.net>'
> DNS Update for wheezytest.intranet.mayweg.net 
> <http://wheezytest.intranet.mayweg.net> failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed!

I take it that your clients are getting their ipaddress via DHCP, what 
you could try is to run Bind9 on the DC along with DHCP.

As for the shares problem, this is probably a permissions problem, have 
a look here:


> I also can't logon onto the wheezy machine with domain users...says 
> authentication error for administrator and "Could not update 
> ICEAuthority file /home/[user]/.ICEauthority", but that might be gnome 
> related. As the DNS issue doesn't seem to be caused by the older Samba 
> version, I'll continue trying to make it work on the Squeeze with 3.5.6..
> The old smb.conf on that machine, where I had everything working but 
> the DNS updates, did not use a keytab and security = ADS. It used 
> security = domain. Is there any disadvantage to that?

Well, I surprised it works, 'security = domain' means that you are 
connecting to a NT-4 style PDC, 'security = ADS' means that you want to 
connect to an active directory server via kerberos. For more info see 
'man smb.conf'

> I did not know, that once the clients see the AC DC, that there's no 
> going back. Once I test it in the live environment, I'll expose it to 
> a small portion of the network first then.

More information about the samba mailing list