[Samba] Join new DC to domain - advice to upgrade Samba 4.

Daniel Lopes de Carvalho daniel at cepetro.unicamp.br
Tue Apr 7 14:59:02 UTC 2020

Hi Rowland,

I'll consider the update. But I need to back up this host (adc02) before,
because it is the only and the main DC on my network... =(

Find attached below the output of the script:

Config collected --- 2020-04-07-15:30 -----------

Hostname:   dcs01
DNS Domain: test.example.domain.br
FQDN:       dcs01.test.example.domain.br
ipaddress:  177.X.X.3


Kerberos SRV _kerberos._tcp.test.example.domain.br record(s) verified ok,
sample output:
Server: 177.X.X.69
Address: 177.X.X.69#53

_kerberos._tcp.test.example.domain.br service = 0 100 88


'kinit Administrator' checked successfully.


This computer is running Debian 9.12 x86_64


running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether 00:0c:29:aa:cc:e2 brd ff:ff:ff:ff:ff:ff
    inet 177.X.X.3/25 brd 177.X.X.127 scope global ens192
    inet6 fe80::20c:29ff:feaa:cce2/64 scope link


Checking file: /etc/hosts localhost
177.X.X.3 dcs01.test.example.domain.br dcs01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Checking file: /etc/resolv.conf

search test.example.domain.br
nameserver 177.X.X.69


Checking file: /etc/krb5.conf

default_realm = TEST.EXAMPLE.DOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true


Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Warning,  does not exist


Time on the DC with PDC Emulator role is: 2020-04-07T15:31:10

Time on this computer is:                 2020-04-07T15:31:10

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds


Installed packages:
ii  attr                          1:2.4.47-2+b2                     amd64
     Utilities for manipulating filesystem extended attributes
ii  krb5-config                   2.6                               all
     Configuration files for Kerberos Version 5
ii  krb5-locales                  1.15-1+deb9u1                     all
     internationalization support for MIT Kerberos
ii  krb5-user                     1.15-1+deb9u1                     amd64
     basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                 2.2.52-3+b1                       amd64
     Access control list shared library
ii  libattr1:amd64                1:2.4.47-2+b2                     amd64
     Extended attribute shared library
ii  libgssapi-krb5-2:amd64        1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64               1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries
ii  libkrb5support0:amd64         1.15-1+deb9u1                     amd64
     MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64          2:4.5.16+dfsg-1+deb9u2            amd64
     Samba nameservice integration plugins
ii  libpam-winbind:amd64          2:4.5.16+dfsg-1+deb9u2            amd64
     Windows domain authentication integration plugin
ii  libwbclient0:amd64            2:4.5.16+dfsg-1+deb9u2            amd64
     Samba winbind client library
ii  python-samba                  2:4.5.16+dfsg-1+deb9u2            amd64
     Python bindings for Samba
ii  samba                         2:4.5.16+dfsg-1+deb9u2            amd64
     SMB/CIFS file, print, and login server for Unix
ii  samba-common                  2:4.5.16+dfsg-1+deb9u2            all
     common files used by both the Samba server and client
ii  samba-common-bin              2:4.5.16+dfsg-1+deb9u2            amd64
     Samba common files used by both the server and the client
ii  samba-dsdb-modules            2:4.5.16+dfsg-1+deb9u2            amd64
     Samba Directory Services Database
ii  samba-libs:amd64              2:4.5.16+dfsg-1+deb9u2            amd64
     Samba core libraries
ii  samba-vfs-modules             2:4.5.16+dfsg-1+deb9u2            amd64
     Samba Virtual FileSystem plugins
ii  winbind                       2:4.5.16+dfsg-1+deb9u2            amd64
     service to resolve user and group information from Windows NT servers


Thanks again.

On Tue, Apr 7, 2020 at 11:09 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly,
> you can use Louis's repo:  http://apt.van-belle.nl/
> >
> >
> > Find below the output of samba-tool join command:
> >
> >  samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact
> > ldap/adc02.test.example.domain.br@ : kinit for administrator at test
> > failed (Cannot contact any KDC for requested realm)
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
> Rowland


Daniel Lopes de
19 3521-1221
