[Samba] Problems joining station in domain

L.P.H. van Belle belle at bazuin.nl
Wed Aug 28 08:08:24 UTC 2019


Hai, 

I re-checked your config, it all looks good, just a few minor things. 

Now, I noticed this in Andrew's comment. 
Quote: 
The problem here is that Samba's python libraries are trying to find
the DNS record they just added over RPC, but can't using LDAP.  They do
this to fix the ownership of the records, as otherwise they will be
owned by the administrator, not the DC.

What is in /etc/ldap/ldap.conf?
Does it have: TLS_REQCERT allow ? 
If not, add it. 

Then one small thing..  /etc/hosts, Rowland also mentioned it. 
Remove the # from the localhost line, enable it, it's the default, keep it there. 
I also noticed you removed the IPv6 parts, that is not wrong, but for future things, I suggest you leave it in.
I haven't seen problems with distro upgrades with samba, but I have seen it with mail/spamassassin.
That if IPv6 was disabled, dist-upgrades failed, but easy to fix if you know how. 

That is why I really suggest you setup your hosts file like this.

/etc/hosts
127.0.0.1 localhost
192.168.1.19 samba4-dc3.empresa.com.br samba4-dc3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Can you try to join like this? 
The verbose and -d output might show a bit more, it might help finding what is off.

kinit administrator 
samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --verbose -d5

One more option to try is to set this parameter on both DCs:
	ldap server require strong auth = no 

Purely for this join test. 

If that all fails, post the output and all I can say then is:
  you have, as far as I can tell atm, 2 options left.  

1) try a join with bind9_dlz as backend, follow the steps below. 
I never used the internal DNS of samba, I use bind9_dlz as of samba 4.1, why, because I need bind. Simple.

Setup the bind config, I'll show a minimal bind9 setup so we can test this also. 
apt install bind9 bind9utils

cp -R /etc/bind{,.org-debian}

editor /etc/bind/named.conf.options

And set the following in "global/options" ( adjust the defaults, keep everything else as is ).

dnssec-validation no;
listen-on-v6 { "none"; }; 
empty-zones-enable no;
auth-nxdomain yes;

// DNS dynamic updates via Kerberos (optional, but recommended)
// check where your dns.keytab is and enable that line. 
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";


Then add this just below the global part, this matches the Debian defaults. 

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
//  inet ::1 allow { ::1; } keys { rndc-key; };
};

Save it. 

cat << EOF >> /etc/bind/named.conf.local
// Adding the dlopen ( Bind DLZ ) module for samba.
// At install debian already sets the correct bind9.XX version in this file below.
// Source installs might need to change the path to named.conf and check if the content matches the bind version. 
include "/var/lib/samba/private/named.conf";

EOF

Adjust bind so it starts with IPv4 only to match the settings above. 
sed -i 's/OPTIONS="-u bind"/OPTIONS="-u bind -4"/g' /etc/default/bind9

# avoid bind reload problems with samba (the drop-in directory must exist first). 
mkdir -p /etc/systemd/system/bind9.service.d
echo "[Service]
ExecReload=" > /etc/systemd/system/bind9.service.d/override.conf

systemctl daemon-reload
systemctl restart bind9

And check the startup. 
systemctl status bind9

Now let's try to join again. 
samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --dns-backend=BIND9_DLZ --verbose -d3 


2) upgrade the samba-ad-dc from 4.5.16 to 4.8, then 4.9, then to 4.10. 
I know the upgrade path is safe, all my servers have done this, 
I upgraded from 4.1 all the way up to 4.10 now. 
You enabled my repo, then enable the stretch-samba48.
Upgrade. 
Run: samba-tool dbcheck --cross-nc 
Fix if needed. 

systemctl stop samba-ad-dc && systemctl start samba-ad-dc
Run again: samba-tool dbcheck --cross-nc 
All fixed, 0 errors. 

Upgrade to 4.9.
Repeat for 4.10. 

Your configs are checked, if you want a re-check on that before you upgrade, 
to be more convinced these are good, then get the debug script again and post the output again. 

And just one last question. 
You installed a new server, why did you not choose Debian buster but installed Debian stretch? 
Just interested in your answer here, because I would have installed Debian buster. 
It would have saved you from one release upgrade, as said, just wondering. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marcio Demetrio Bacci via samba
> Sent: Wednesday 28 August 2019 1:26
> To: Andrew Bartlett
> CC: sambalist
> Subject: Re: [Samba] Problems joining station in domain
> 
> Hi,
> 
> > What is the original source of this domain?  Did it come from Windows or
> > was it provisioned by Samba?
> I had two Windows Server 2008 and I had many problems joining the Samba 4 DC
> to the domain.
> 
> Samba 4.10, 4.9 and 4.8 (compiled or Debian packages) didn't manage to
> join the domain, so I had to use Samba 4.5.16 and that worked.
> 
> I previously thought of joining a new Samba 4.10.7 DC in the 
> domain and if
> all went well, upgrade my production DCs.
> 
> Now I don't know if I'd better upgrade the production DC 
> first and then add
> a new DC with Samba 4.10 later.
> 
> I'm afraid to "break" the production DC.
> 
> > We need to improve this area, and we need to allow some of this to fail
> > more gracefully.  So much work to do!
> The work of the Samba 4 team is very good! Congratulations!
> 
> Regards,
> 
> Márcio Bacci
> 
> On Tue, 27 Aug 2019 at 19:28, Andrew Bartlett <abartlet at samba.org>
> wrote:
> 
> > On Tue, 2019-08-27 at 16:28 -0300, Marcio Demetrio Bacci via samba
> > wrote:
> > > ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__init__.py", line 185, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py", line 700, in run
> > >     backend_store=backend_store)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1544, in join_DC
> > >     ctx.do_join()
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1445, in do_join
> > >     ctx.join_add_dns_records()
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line 1213, in join_add_dns_records
> > >     dns_partition=forestdns_zone_dn)
> > >   File "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py", line 1069, in dns_lookup
> > >     dns_partition=dns_partition)
> >
> > G'Day Marcio,
> >
> > Sorry about this.  What is the original source of this domain?  Did it
> > come from Windows or was it provisioned by Samba?
> >
> > The problem here is that Samba's python libraries are trying to find
> > the DNS record they just added over RPC, but can't using LDAP.  They do
> > this to fix the ownership of the records, as otherwise they will be
> > owned by the administrator, not the DC.
> >
> > This has become a weak point in our DC join process, but replaces the
> > previous weak point where we didn't create the records during the join
> > and hoped that they would get created and replicated correctly on first
> > startup (this often failed).
> >
> > Sadly we have multiple different codebases involved here (the old
> > existing DC and new versions of Samba joining) and while the remote
> > server has found and created the records, the local codebase can't.
> >
> > None of this is a massive help to you right now, sorry!
> >
> > We need to improve this area, and we need to allow some of this to fail
> > more gracefully.  So much work to do!
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett
> > https://samba.org/~abartlet/
> > Authentication Developer, Samba Team         https://samba.org
> > Samba Development and Support, Catalyst IT
> > https://catalyst.net.nz/services/samba
> >
> >
> >
> >
> >
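A pre-join check for the points raised in this mail (TLS_REQCERT in ldap.conf, the localhost lines in /etc/hosts, bind9 started IPv4-only, the active dns.keytab line and the DLZ include), as an added example that is not from the mail or from Samba. The file paths are the ones quoted in the thread; the root-prefix argument is an assumption of mine so the checks can also be run against a copied tree.

```shell
#!/bin/sh
# Pre-join sanity check for the items raised in this thread: TLS_REQCERT in
# ldap.conf, the localhost lines in /etc/hosts, bind9 started IPv4-only, the
# active tkey-gssapi-keytab line and the DLZ include. Added example, not a
# script from the mail or from Samba. Every check takes the file to inspect
# as $1; precheck takes an optional root prefix so it can run on a copied tree.

check_ldap_reqcert() {      # TLS_REQCERT allow present and not commented out
    grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+allow' "$1"
}
check_hosts_localhost() {   # the 127.0.0.1 localhost line must be active
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+localhost' "$1"
}
check_hosts_ipv6() {        # keep the ::1 localhost line
    grep -Eq '^[[:space:]]*::1[[:space:]]+localhost' "$1"
}
check_bind_ipv4_only() {    # OPTIONS in /etc/default/bind9 carries -4
    grep -Eq '^OPTIONS="[^"]*-4' "$1"
}
check_keytab_line() {       # exactly one active tkey-gssapi-keytab line, keytab readable under root $2
    f=$(sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    [ "$(printf '%s\n' "$f" | grep -c .)" -eq 1 ] && [ -r "${2:-}$f" ]
}
check_named_include() {     # named.conf.local pulls in Samba's generated named.conf
    grep -Eq '^[[:space:]]*include[[:space:]]+"/var/lib/samba/private/named.conf";' "$1"
}

report() {                  # report LABEL FILE CHECK [ROOT]: prints ok/FAIL, returns check status
    if "$3" "$2" "$4"; then echo "ok   $1 ($2)"; else echo "FAIL $1 ($2)"; return 1; fi
}

precheck() {                # precheck [ROOT]: returns the number of failed checks
    r="${1:-}"; fails=0
    report "TLS_REQCERT allow"   "$r/etc/ldap/ldap.conf"           check_ldap_reqcert    || fails=$((fails+1))
    report "127.0.0.1 localhost" "$r/etc/hosts"                    check_hosts_localhost || fails=$((fails+1))
    report "::1 localhost"       "$r/etc/hosts"                    check_hosts_ipv6      || fails=$((fails+1))
    report "bind9 -4"            "$r/etc/default/bind9"            check_bind_ipv4_only  || fails=$((fails+1))
    report "dns.keytab line"     "$r/etc/bind/named.conf.options" check_keytab_line "$r" || fails=$((fails+1))
    report "DLZ include"         "$r/etc/bind/named.conf.local"   check_named_include   || fails=$((fails+1))
    echo "$fails check(s) failed"
    return "$fails"
}

if [ "${1:-}" = "run" ]; then precheck "${2:-}"; fi   # usage: sh precheck.sh run [root]
```

Run it on the DC before the join; a non-zero exit means one of the items discussed in the thread is still off.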



