[Samba] Join Samba to a Windows AD 'WERR_DS_NO_CROSSREF_FOR_NC'

Tim Beale timbeale at catalyst.net.nz
Mon Jul 22 05:11:49 UTC 2019

On 21/07/19 9:41 PM, Rowland penny via samba wrote:
> On 21/07/2019 10:22, René Schmidt wrote:
>> Hello Rowland,
>> I have started again:
>> - new Windows Server 2012 R2 installed
>> - DNS server set up
>> - once again the Ubuntu 18.04 freshly installed
>> - entered the IP of the Windows server as DNS server
>> - Installed the Samba Packet from the official Ubuntu source:
>> dpkg -l | grep samba
>> ii  python-samba        2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  Python bindings for Samba
>> ii  samba               2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  SMB/CIFS file, print, and login server for Unix
>> ii  samba-common        2:4.7.6+dfsg~ubuntu-0ubuntu2.11  all    common files used by both the Samba server and client
>> ii  samba-common-bin    2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  Samba common files used by both the server and the client
>> ii  samba-dsdb-modules  2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  Samba Directory Services Database
>> ii  samba-libs:amd64    2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  Samba core libraries
>> ii  samba-vfs-modules   2:4.7.6+dfsg~ubuntu-0ubuntu2.11  amd64  Samba Virtual FileSystem plugins
>> If I now run
>> samba-tool domain join mydom.local DC -U "MYDOM\administrator" -d3
>> I get the following message:
>> Adding 1 remote DNS records for SAD. mydom.local
>> Using binding ncacn_ip_tcp: WAD. mydom.local [, sign]
>> resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local
>> <0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name WAD. mydom.local
>> <0x20>
>> Adding DNS A record WAD.schmidthome.local for IPv4 IP:
>> Join failed - cleaning up
> Anything after this point is an artefact of the failure and can be
> ignored.
>> Do you have an idea?
>> The DNS entry is created on the Windows server for the Samba server.
> You are getting closer, the join is now failing at the last hurdle and
> we had this very recently with a user trying to join to Windows 2003 DC.
> The cure was to stop the join creating the DC records.
> Find 'join.py' (/usr/lib/python2.7/dist-packages/samba/join.py on my
> DC) and open it in your favourite editor, find these lines:
>             if ctx.dns_backend != "NONE":
>                 ctx.join_add_dns_records()
>                 ctx.join_replicate_new_dns_records()
> Line 1405 in my version, under '    def do_join(ctx):'
> just comment out those three lines, save & close, then try the join
> again.
I think in general Samba might be hitting this join_add_dns_records()
error case for 2 different reasons.

We've seen this problem recently because the DNS records on pre-2003
Windows DCs are in a different location. Denis kindly pointed out the
cause of this problem, along with the work-around:

However, this does not appear to be the problem here. It sounds like a
new 2012 DC, rather than a migrated domain.

In this case, Samba has actually already added the DNS records on the
Windows DC, but then fails to query them. Adding the records is done
over DCE/RPC, whereas querying the records is done over LDAP. We suspect
there may be some caching happening somewhere on the Windows DNS server.
So although the DNS DCE/RPC operation has completed/succeeded, the LDAP
database hasn't been updated.

So the solution here code-wise might be to add a delay/retry if the
first DNS lookup fails. So if someone hits this problem again, rather
than removing those lines completely, it'd be nice to try adding a delay
instead and see if that fixes it (e.g. attached).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: something-to-try.diff
Type: text/x-patch
Size: 1231 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20190722/46b11675/something-to-try.bin>
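
The delay-and-retry idea suggested above, as an added example that is not part of the original post, not the scrubbed something-to-try.diff, and not Samba's join.py code. `LaggingDirectory`, `RecordNotFound` and `lookup_with_retry` are hypothetical names, the host name and address are constructed, and the lag is modelled as a number of missed lookups.

```python
import time


class RecordNotFound(Exception):
    """Hypothetical error: the LDAP-side lookup found no entry for the name."""


class LaggingDirectory:
    """Constructed stand-in for a server whose read path trails its write path."""

    def __init__(self, lag_reads):
        self.lag_reads = lag_reads
        self._records = {}  # name -> [record, lookups that will still miss]

    def rpc_add(self, name, record):
        # The write succeeds immediately, as the DCE/RPC add does in the thread.
        self._records[name] = [record, self.lag_reads]

    def ldap_lookup(self, name):
        entry = self._records.get(name)
        if entry is None or entry[1] > 0:
            if entry is not None:
                entry[1] -= 1  # one lookup closer to the record being visible
            raise RecordNotFound(name)
        return entry[0]


def lookup_with_retry(lookup, name, attempts=5, delay=1.0, backoff=2.0,
                      sleep=time.sleep):
    """Return (record, tries); retry only when the record is not found yet.

    Other exceptions propagate at once, and the last RecordNotFound is
    re-raised so a record that never appears still fails the caller.
    """
    for attempt in range(1, attempts + 1):
        try:
            return lookup(name), attempt
        except RecordNotFound:
            if attempt == attempts:
                raise
            sleep(delay)      # give the server time to publish the write
            delay *= backoff  # wait longer before each further attempt


if __name__ == "__main__":
    directory = LaggingDirectory(lag_reads=2)
    directory.rpc_add("dc2.example.test", "192.0.2.10")  # constructed values
    print(lookup_with_retry(directory.ldap_lookup, "dc2.example.test", delay=0.1))
```

Because only the not-found case is retried and the final miss is re-raised, a join that fails for the other reason mentioned in the thread (records kept in a different location) still surfaces as an error after the bounded wait.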
