[Samba] FW: samba_kcc issue after joining the domain as a DC

Alex samba at abisoft.biz
Wed Feb 12 10:16:06 UTC 2020 

Rowland,

Just to confirm: after changing the zone to a domain-wide, Samba has
successfully performed the join.

Samba daemon has also started well, but printed these errors in the log:
[2020/02/12 13:03:34.097665,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2020/02/12 13:03:34.169520,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
[2020/02/12 13:03:41.624259,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 2

Is  there  anything I should worry about? According to some posts, this seems to
be expected for SAMBA_INTERNAL backened. Can you confirm pls?

Anyway, thank you for your help very much!

> I'm  sorry,  after  double-checking  the Louis's link I've found that the domain
> zone  should  be domain-wide, while the _msdcs stuff should be forest wide. I'll
> change it and try again. Apologies.

>>>>>> # samba-tool dns zonelist 172.26.1.81
>>>>>> Password for [administrator at domain.com]:
>>>>>>     2 zone(s) found
>>>>>>
>>>>>>     pszZoneName                 : _msdcs.domain.com
>>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>>     Version                     : 50
>>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>>>
>>>>>>     pszZoneName                 : domain.com
>>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>>     Version                     : 50
>>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>>>
>>>>> I have three zones, one being the reverse zone, but my domain zone is this:
>>>>>     pszZoneName        : samdom.example.com
>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>>>     ZoneType                : DNS_ZONE_TYPE_PRIMARY
>>>>>     Version                    : 50
>>>>>     dwDpFlags               : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>>>>> DNS_DP_ENLISTED
>>>>>     pszDpFqdn               : DomainDnsZones.samdom.example.com
>>>>> Notice the difference in the last line.
>>>> I see the difference. I guess it's b/c you didn't upgrade the zone to
>>>> forest-wide. Should I revert my zones to be domain-wide?
>>>>
>>> Alex, mine is correct, yours is wrong.

>> Rowland,  I really appreciate your help and you're probably right. But could you
>> please  shed  some  light  on why yours is correct (or why mine is not)? At this
>> moment, my AD is fully functional, no issues at all.

>> In my humble opinion, this looks more like a bug in Samba joining procedure, b/c
>> it should work well the existing AD configuration. However, it doesn't.

>>> I could probably dump a list of dns DN's if needed.

>> Yes, please do.

-- 
Best regards,
Alex

More information about the samba mailing list