[Samba] Samba Migration and AD integration

Rowland Penny rpenny at samba.org
Wed Feb 7 10:55:44 UTC 2018 

On Wed, 7 Feb 2018 10:02:10 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Following the
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC,
> ran some tests migrating from Bind9 to Samba Internal with the
> following results
> 
> Stopped the BIND, Samba-AD-DC services
> 
> samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> Reading records from zone
> file /var/lib/samba/private/dns/<REALMNAME>.zone DNS partitions
> already exist Finished upgrading DNS
> You have switched to using SAMBA_INTERNAL as your dns backend, but
> you still have samba starting looking for a BIND backend. Please
> remove the -dns from your server services line.

Did you remove the 'server services' line ?

> 
> Started the Samba-AD-DC service and left the Bind9 stopped.
> 
> The .zone file had the all the SOA records for the REALM. The issue
> (after the change from Bind9 to Samba and also from Samba Internal to
> Bind9) we get the following when trying to add a machine to the
> domain.
> 
> The error was: "This operation returned because the timeout period
> expired." (error code 0x000005B4 ERROR_TIMEOUT)
> The query was for the SRV record for _ldap._tcp.dc._msdcs.<realmname>
> The DNS servers used by this computer for name resolution are not
> responding. This computer is configured to use DNS servers with the
> following IP addresses: 172.16.24.1 Verify that this computer is
> connected to the network, that these are the correct DNS server IP
> addresses, and that at least one of the DNS servers is running.

Does the computer you are trying to join have an ipaddress in the
172.16.24.x range ?

Does the nameserver in /etc/resolv.conf point to the Samba DCs
ipaddress or '127.0.0.1' ?

try running this:

samba_dnsupdate --verbose --all-names

This should try to create/update all the required dns records, if it
errors out add '--use-samba-tool'

> 
> The SRV records are missing by the looks of it.
> 
> service --status-all
> [ + ]  apparmor

Have you tried turning apparmor off ?

> [ + ]  isc-dhcp-server

I could never get isc-dhcp-server to update the server records in AD
when using the internal dns server.

> [ + ]  ufw

Are all the required ports open ?

> 
> 
> Also, does the Realm name needs to be something like abcd.local
> instead of abcdef?
> 

It would probably better if it had a TLD (just don't use .local), but
should work without one.
 
Rowland

More information about the samba mailing list