[Samba] Problems joining station in domain

Marcio Demetrio Bacci marciobacci at gmail.com
Wed Aug 28 13:57:05 UTC 2019


Hi,

>What is in /etc/ldap/ldap.conf
>Does it have : TLS_REQCERT allow ?
>If not add it.
Do I add this to all DC's?

>You installed a new server, why did you not choose debian buster but
>installed debian stretch?
Because our Debian distribution is customized and packaged according to the
institution's security rules. I depend on making this distribution
available in Debian 10.

Regards,

Márcio Bacci

On Wed, 28 Aug 2019 at 05:09, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Hai,
>
> I re-checked your config that looks all good, few minor things.
>
> Now, i noticed this in Andrews comment.
> Quote:
> The problem here is that Samba's python libraries are trying to find
> the DNS record they just added over RPC, but can't using LDAP.  They do
> this to fix the ownership of the records, as otherwise they will be
> owned by the administrator, not the DC.
>
> What is in /etc/ldap/ldap.conf
> Does it have : TLS_REQCERT allow ?
> If not add it.
>
> Then one small thing..  /etc/hosts  , rowland also mentioned it.
> Remove the # from the localhost line, enable it, its the default keep it
> there.
> I also notice you removed the IPv6 parts, that is not wrong, but for
> future things, I suggest you leave it in.
> I haven't seen problems with distro upgrades with samba, but I have seen
> it with mail/spamassassin.
> That if ipv6 was disabled, dist-upgrades failed but easy to fix if you
> know how.
>
> That is why I really suggest you setup your hosts file like this.
>
> /etc/hosts
> 127.0.0.1 localhost
> 192.168.1.19 samba4-dc3.empresa.com.br samba4-dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> Can you try to join like this.
> The verbose and -d output might show a bit more; it might help find what
> is off.
>
> kinit administrator
> samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --verbose -d5
>
> One more option to try is to set this parameter in both DC's.
>         ldap server require strong auth = no
>
> Purely for this join test.
>
> If that all fails, post the output and all i can say then is:
>   you have, as far i can tell atm, 2 options left.
>
> 1) try a join with bind9_dlz as backend, follow the steps below.
> I never used the internal dns of samba, I use bind9_dlz as of samba 4.1, why,
> because I need bind. Simple.
>
> Setup the bind config, i'll show a minimal bind9 setup so we can test this
> also.
> apt install bind9 bind9utils
>
> cp -R /etc/bind{,.org-debian}
>
> editor /etc/bind/named.conf.options
>
> And set the following in "global/options" ( adjust the defaults, keep
> everything else as is ).
>
> dnssec-validation no;
> listen-on-v6 { "none"; };
> empty-zones-enable no;
> auth-nxdomain yes;
>
> // DNS dynamic updates via Kerberos (optional, but recommended)
> // check where your dns.keytab is and enable that line.
> //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
>
> Then add this just below the global part, this matches the debian
> defaults.
>
> include "/etc/bind/rndc.key";
>     controls {
>      inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> //     inet ::1 allow { ::1; } keys { rndc-key; };
> };
>
> Save it.
>
> cat << EOF >> /etc/bind/named.conf.local
> // Adding the dlopen ( Bind DLZ ) module for samba.
> // At install debian already sets the correct bind9.XX version in this file below.
> // Source installs might need to change the path to named.conf and check if the content matched the bind version.
> include "/var/lib/samba/private/named.conf";
>
> EOF
>
> Adjust bind so it starts with ipv4 only to match above settings.
> sed -i 's/OPTIONS="-u bind"/OPTIONS="-u bind -4"/g' /etc/default/bind9
>
> # avoid bind reload problems with samba.
> # the drop-in directory does not exist on a fresh install, create it first.
> mkdir -p /etc/systemd/system/bind9.service.d
> echo "[Service]
> ExecReload=" > /etc/systemd/system/bind9.service.d/override.conf
>
> systemctl daemon-reload
> systemctl restart bind9
>
> And check the startup.
> systemctl status bind9
>
> Now lets try to join again.
> samba-tool domain join empresa.com.br DC -k yes --server=samba4-dc1.empresa.com.br --dns-backend=BIND9_DLZ --verbose -d3
>
>
> 2) upgrade the samba-ad-dc from 4.5.16 to 4.8 then 4.9 then to 4.10.
> I know the upgrade path is safe, all my servers have done this,
> i upgrade from 4.1 all the way up to 4.10 now.
> You enabled my repo, then enable the stretch-samba48
> Upgrade.
> Run : samba-tool dbcheck --cross-nc
> Fix if needed.
>
> systemctl stop samba-ad-dc && systemctl start samba-ad-dc
> Run again : samba-tool dbcheck --cross-nc
> All fixed, 0 errors.
>
> Upgrade to 4.9.
> Repeat for 4.10.
>
> Your configs are checked, if you want a re-check on that before you
> upgrade,
> to be more convinced these are good, then get the debug script again and
> post the output again.
>
> And just one last question.
> You installed a new server, why did you not choose debian buster but
> installed debian stretch?
> Just interested in your answer here, because i would have installed debian
> buster.
> It would have saved you from one release upgrade, as said, just wondering.
>
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Marcio Demetrio Bacci via samba
> > Sent: Wednesday, 28 August 2019 1:26
> > To: Andrew Bartlett
> > CC: sambalist
> > Subject: Re: [Samba] Problems joining station in domain
> >
> > Hi,
> >
> >  >What is the original source of this domain?  Did it come
> > from Windows or
> > was it provisioned by Samba?
> > I had two Windows Server 2008 and I had many problems joining
> > the Samba 4 DC to the domain.
> >
> > Samba 4.10, 4.9 and 4.8 (compiled or Debian packages) could not
> > join the domain, so I had to use Samba 4.5.16 and that worked.
> >
> > I previously thought of joining a new Samba 4.10.7 DC in the
> > domain and if
> > all went well, upgrade my production DCs.
> >
> > Now I don't know if I'd better upgrade the production DC
> > first and then add
> > a new DC with Samba 4.10 later.
> >
> > I'm afraid to "break" the production DC.
> >
> > >We need to improve this area, and we need to allow some of
> > this to fail
> > >more gracefully.  So much work to do!
> > The work of the Samba 4 team is very good! Congratulations!
> >
> > Regards,
> >
> > Márcio Bacci
> >
> > On Tue, 27 Aug 2019 at 19:28, Andrew Bartlett <abartlet at samba.org>
> > wrote:
> >
> > > On Tue, 2019-08-27 at 16:28 -0300, Marcio Demetrio Bacci via samba
> > > wrote:
> > > > ERROR(runtime): uncaught exception - (9003,
> > > > 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
> > > >   File
> > > >
> > "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/__i
> > nit__.py",
> > > > line 185, in _run
> > > >     return self.run(*args, **kwargs)
> > > >   File
> > > >
> > "/usr/local/samba/lib/python3.5/site-packages/samba/netcmd/domain.py",
> > > line
> > > > 700, in run
> > > >     backend_store=backend_store)
> > > >   File
> > "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> > > > 1544, in join_DC
> > > >     ctx.do_join()
> > > >   File
> > "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> > > > 1445, in do_join
> > > >     ctx.join_add_dns_records()
> > > >   File
> > "/usr/local/samba/lib/python3.5/site-packages/samba/join.py", line
> > > > 1213, in join_add_dns_records
> > > >     dns_partition=forestdns_zone_dn)
> > > >   File
> > "/usr/local/samba/lib/python3.5/site-packages/samba/samdb.py",
> > > line
> > > > 1069, in dns_lookup
> > > >     dns_partition=dns_partition)
> > >
> > > G'Day Marcio,
> > >
> > > Sorry about this.  What is the original source of this
> > domain?  Did it
> > > come from Windows or was it provisioned by Samba?
> > >
> > > The problem here is that Samba's python libraries are trying to find
> > > the DNS record they just added over RPC, but can't using
> > LDAP.  They do
> > > this to fix the ownership of the records, as otherwise they will be
> > > owned by the administrator, not the DC.
> > >
> > > This has become a weak point in our DC join process, but
> > replaces the
> > > previous weak point where we didn't create the records
> > during the join
> > > and hoped that they would get created and replicated
> > correctly on first
> > > startup (this often failed).
> > >
> > > Sadly we have multiple different codebases involved here (the old
> > > existing DC and new versions of Samba joining) and while the remote
> > > server has found and created the records, the local codebase can't.
> > >
> > > None of this is a massive help to you right now, sorry!
> > >
> > > We need to improve this area, and we need to allow some of
> > this to fail
> > > more gracefully.  So much work to do!
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartlett
> > > https://samba.org/~abartlet/
> > > Authentication Developer, Samba Team         https://samba.org
> > > Samba Development and Support, Catalyst IT
> > > https://catalyst.net.nz/services/samba
> > >
> > >
> > >
> > >
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
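Louis's reply above asks Marcio to confirm three things before retrying the join: that /etc/hosts keeps the localhost and IPv6 lines, that /etc/ldap/ldap.conf carries "TLS_REQCERT allow", and that named.conf.options has the bind9_dlz settings with an uncommented tkey-gssapi-keytab line. The following POSIX shell script is an added example, not code from this thread or from the Samba project, that checks exactly those points so a pre-join review is repeatable. It runs against constructed sample files (a good set and a broken set); the host name and address are the ones from the thread, the check_hosts/check_ldap_conf/check_named_options/preflight function names are this example's own, and the "directory" line in the sample named.conf.options is an assumption about a Debian default.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-join sanity checks for the
# settings discussed above. Paths are parameters, so the checks run here on
# constructed sample files; on a real DC pass /etc/hosts, /etc/ldap/ldap.conf
# and /etc/bind/named.conf.options. The FQDN is the one from the thread.

# check_hosts FILE FQDN: succeeds when FILE keeps "127.0.0.1 localhost" and
# "::1 localhost" and maps FQDN on a non-loopback line.
check_hosts() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                         # drop comments, re-split fields
        NF < 2 { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") v4 = 1 }
        $1 == "::1"       { for (i = 2; i <= NF; i++) if ($i == "localhost") v6 = 1 }
        $1 !~ /^127\./ && $1 != "::1" { for (i = 2; i <= NF; i++) if ($i == fqdn) host = 1 }
        END { exit !(v4 && v6 && host) }' "$1"
}

# check_ldap_conf FILE: succeeds when the last uncommented TLS_REQCERT is "allow"
# (ldap.conf keys and values are case-insensitive).
check_ldap_conf() {
    awk '
        { sub(/#.*/, "") }
        NF >= 2 && toupper($1) == "TLS_REQCERT" { val = tolower($2) }
        END { exit (val != "allow") }' "$1"
}

# check_named_options FILE: succeeds when the four option values from the
# thread are present and an uncommented tkey-gssapi-keytab names a dns.keytab.
check_named_options() {
    stripped=$(sed 's,//.*,,' "$1" | tr -s ' \t' ' ')
    for want in 'dnssec-validation no;' 'listen-on-v6 { "none"; };' \
                'empty-zones-enable no;' 'auth-nxdomain yes;' \
                'tkey-gssapi-keytab "[^"]*/dns.keytab";'; do
        printf '%s\n' "$stripped" | grep -q -- "$want" ||
            { echo "named.conf.options: missing: $want" >&2; return 1; }
    done
}

# preflight HOSTS LDAPCONF NAMEDOPTS FQDN: run all checks, report each, fail if any fails.
preflight() {
    rc=0
    check_hosts "$1" "$4"    && echo "hosts:              ok" || { echo "hosts:              FAIL"; rc=1; }
    check_ldap_conf "$2"     && echo "ldap.conf:          ok" || { echo "ldap.conf:          FAIL"; rc=1; }
    check_named_options "$3" && echo "named.conf.options: ok" || { echo "named.conf.options: FAIL"; rc=1; }
    return $rc
}

# Constructed samples: the layout suggested in the thread, and a broken variant
# (localhost commented out, IPv6 block removed, TLS_REQCERT commented, keytab commented).
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/hosts.good" <<'EOF'
127.0.0.1 localhost
192.168.1.19 samba4-dc3.empresa.com.br samba4-dc3
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
cat > "$DEMO/hosts.bad" <<'EOF'
#127.0.0.1 localhost
192.168.1.19 samba4-dc3.empresa.com.br samba4-dc3
EOF
printf 'TLS_REQCERT allow\n'  > "$DEMO/ldap.conf.good"
printf '#TLS_REQCERT allow\n' > "$DEMO/ldap.conf.bad"
cat > "$DEMO/named.conf.options.good" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    listen-on-v6 { "none"; };
    empty-zones-enable no;
    auth-nxdomain yes;
    //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
EOF
cat > "$DEMO/named.conf.options.bad" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    //tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
EOF

echo "== good samples =="
preflight "$DEMO/hosts.good" "$DEMO/ldap.conf.good" "$DEMO/named.conf.options.good" samba4-dc3.empresa.com.br
echo "== broken samples =="
preflight "$DEMO/hosts.bad" "$DEMO/ldap.conf.bad" "$DEMO/named.conf.options.bad" samba4-dc3.empresa.com.br 2>/dev/null ||
    echo "(preflight failed, as expected for the broken samples)"
```

The checks deliberately strip comments before matching, so a commented-out "127.0.0.1 localhost" or "//tkey-gssapi-keytab" line counts as absent, which is the situation the thread is trying to rule out. On a real DC run `preflight /etc/hosts /etc/ldap/ldap.conf /etc/bind/named.conf.options "$(hostname -f)"` before the samba-tool join.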

