[Samba] inconsistent DNS information, windows domain member issues..

Jo j.o.l at live.com
Sun Jun 5 09:05:34 UTC 2016 

I joined a Windows 10 Pro system to my (still experimental) domain. The
windows system actually hosts DC2 as a VM, and another Windows (Server 2008
R2) at another location hosts DC1 also as a VM. The two locations are
connected via a VPN, both systems run only when needed. The windows system
does not directly use DC2 for DNS but instead talks to a DNS resolver that
delegates the samba Domain to DC2. DC2 uses itself as nameserver.

 

I am observing the following issues that may be related or not:

*       When I do a nslookup samba.domain DC2 I get the address of DC1,
nslookup DC2.sambadomain DC2 fails. Nslookup DC1.samba.domain DC2 works.
When I use dig @DC2 samba.domain it returns DC1 only. Dig samba.domain ANY
returns

;; ANSWER SECTION:

samba.domain.   3600    IN      SOA     dc2.samba. domain. hostmaster.samba.
domain. 1 900 600 86400 3600

samba. domain.   900     IN      NS      dc1.samba. domain.

samba. domain.   900     IN      A       192.168.177.21

 

;; ADDITIONAL SECTION:

dc1.samba. domain. 900   IN      A       192.168.177.21

Same information @DC2 or the local resolver of the network

*       On windows nslookup -type=ANY samba.domain. (note the .)

Server:  netgear.local

Address:  192.168.15.2

 

samba.domain

        primary name server = dc2.samba. domain

        responsible mail addr = hostmaster.samba.domain

        serial  = 1

        refresh = 900 (15 mins)

        retry   = 600 (10 mins)

        expire  = 86400 (1 day)

        default TTL = 3600 (1 hour)

samba. domain nameserver = dc1.samba. domain

samba. domain              internet address = 192.168.177.21

dc1.samba. domain       internet address = 192.168.177.21 

*       windows nslookup -type=ANY samba.domain (without .) looks for
samba.domain.domain. Is this OK or does it point to a problematic search
configuration?

*       When I use the DNS mmc snap-in I can see a host record for dc2. I
can also see a host record for the windows system reflecting the IP address
before the system moved to the other location. I tried to update that, but
got an error message (translated from German) like “the database of the
local security authority is internally inconsistent”. The snap-in is ultra
slow via VPN, but what makes me more nervous are the to me inconsistent
views on the DNS – nslookup showing DC2, mmc showing DC1 as the NS.

*       In windows management console, only some of the domain
users&principals are shown with the name domain\identity, most of them are
shown S-xxx. With the one use shown domain\user I can logon to the windows
system however (likely with cached credentials, but don´t dare to change
them to confirm)

*       When I try to modify folder permissions on the windows system, I get
a message “Unable to contact Active Directory to access or verify claim
types”

*       On DC2: kinit Administrator returns “kinit: Cannot contact any KDC
for realm ‘samba.domain’ while getting initial credentials. This one was
easy to fix by adding the domain to /etc/krb5.conf. I am putting this in as
I changed configuration at this point..

*       In an attempt to get Samba return DC2 as a nameserver I tried
samba-tool dns add dc2 samba.domain @ NS dc2.samba.domain.

Password for [Administrator at SAMBA.DOMAIN]:

ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out period
expired.')

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1062, in
run

    dns_conn = dns_connect(server, self.lp, self.creds)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in
dns_connect

    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

in another attempt the command produced “Record added successfully”, but
using dig or nslookup I cannot find it. It is shown in the DNS mmc snap-in
(at least now). Restarting bind did not help.

*       Following
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins I
tried 

root at dc2:/etc/bind# samba-tool dns add dc1 samba.domain DC2 A 192.168.15.22
-UAdministrator

Password for [SAMBA\Administrator]:

ERROR: Record already exists

root at dc2:/etc/bind# samba-tool dns add dc2 samba.domain DC2 A 192.168.15.22
-UAdministrator

Password for [SAMBA\Administrator]:

ERROR: Record already exists

root at dc2:/etc/bind# host -t A DC2.samba.domain 

Host DC2.samba.lindenberg.one not found: 3(NXDOMAIN)

              How should I proceed there?



I don´t know how to fix the inconsistent DNS entries and get windows to
work. Please advise.

Thanks, Joachim

More information about the samba mailing list