[Samba] FW: samba_kcc issue after joining the domain as a DC

L.P.H. van Belle belle at bazuin.nl
Wed Feb 12 10:32:49 UTC 2020


Failed DNS update with exit code 2
... Hmm, I don't know what exit code 2 is... Rowland, do you?

But as far as I know you can ignore them; however, personally I would suggest
upgrading now to bind9_DLZ DNS. Much more flexible, only a bit more work to set up.

But what does:
/usr/local/samba/sbin/samba_dnsupdate -d10
Or:
/usr/local/samba/sbin/samba_dnsupdate --use-samba-tool -d10
tell you?

Show you because it's actively: REFUSED
So maybe the debug output tells a bit more.


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Wednesday 12 February 2020 11:16
> To: Rowland penny
> CC: Alex
> Subject: Re: [Samba] FW: samba_kcc issue after joining the domain as a DC
> 
> Rowland,
> 
> Just to confirm: after changing the zone to a domain-wide, Samba has
> successfully performed the join.
> 
> Samba daemon has also started well, but printed these errors in the log:
> [2020/02/12 13:03:34.097665,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2020/02/12 13:03:34.169520,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
> [2020/02/12 13:03:41.624259,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
>   dnsupdate_nameupdate_done: Failed DNS update with exit code 2
> 
> Is there anything I should worry about? According to some posts, this seems to
> be expected for SAMBA_INTERNAL backend. Can you confirm pls?
> 
> Anyway, thank you for your help very much!
> 
> > I'm sorry, after double-checking Louis's link I've found that the domain
> > zone should be domain-wide, while the _msdcs stuff should be forest wide. I'll
> > change it and try again. Apologies.
> 
> >>>>>> # samba-tool dns zonelist 172.26.1.81
> >>>>>> Password for [administrator at domain.com]:
> >>>>>>     2 zone(s) found
> >>>>>>
> >>>>>>     pszZoneName                 : _msdcs.domain.com
> >>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >>>>>>     Version                     : 50
> >>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> >>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
> >>>>>>
> >>>>>>     pszZoneName                 : domain.com
> >>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >>>>>>     Version                     : 50
> >>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> >>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
> >>>>>>
> >>>>> I have three zones, one being the reverse zone, but my domain zone is this:
> >>>>>     pszZoneName                 : samdom.example.com
> >>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >>>>>     Version                     : 50
> >>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >>>>>     pszDpFqdn                   : DomainDnsZones.samdom.example.com
> >>>>> Notice the difference in the last line.
> >>>> I see the difference. I guess it's b/c you didn't upgrade the zone to
> >>>> forest-wide. Should I revert my zones to be domain-wide?
> >>>>
> >>>>
> >>> Alex, mine is correct, yours is wrong.
> 
> >> Rowland, I really appreciate your help and you're probably right. But could you
> >> please shed some light on why yours is correct (or why mine is not)? At this
> >> moment, my AD is fully functional, no issues at all.
>
> >> In my humble opinion, this looks more like a bug in Samba joining procedure, b/c
> >> it should work well with the existing AD configuration. However, it doesn't.
> 
> >>> I could probably dump a list of dns DN's if needed.
> 
> >> Yes, please do.
> 
> -- 
> Best regards,
> Alex
> 
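
The partition check this thread converges on (domain zone stored domain-wide, _msdcs zone stored forest-wide), written as an added example that is not part of the original messages or of Samba itself. The sample text is the zonelist output quoted above with the mail wrapping removed; the function names and the `domain` parameter are assumptions made for illustration.

```python
import re

# Constructed sample: the zonelist output quoted in the thread, with the
# mail client's line wrapping and quote markers removed.
SAMPLE = """\
  2 zone(s) found

  pszZoneName                 : _msdcs.domain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.domain.com

  pszZoneName                 : domain.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.domain.com
"""

def parse_zonelist(text):
    """Turn the 'key : value' records into one dict per zone."""
    zones = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
        if not m:
            continue  # blank lines, "N zone(s) found", password prompt
        key, val = m.group(1), m.group(2).strip()
        if key == "pszZoneName":
            zones.append({key: val})  # a zone name starts a new record
        elif zones:
            zones[-1][key] = val.split() if key in ("Flags", "dwDpFlags") else val
    return zones

def check_partitions(zones, domain):
    """Return (zone, expected flag, actual partition) for each mismatch.
    Only the domain zone and its _msdcs zone are checked; other zones
    (e.g. reverse zones) are skipped because the thread gives no rule for them."""
    expected = {domain: "DNS_DP_DOMAIN_DEFAULT",
                "_msdcs." + domain: "DNS_DP_FOREST_DEFAULT"}
    return [(z["pszZoneName"], expected[z["pszZoneName"]], z.get("pszDpFqdn", "?"))
            for z in zones
            if z["pszZoneName"] in expected
            and expected[z["pszZoneName"]] not in z.get("dwDpFlags", [])]

if __name__ == "__main__":
    for zone, want, got in check_partitions(parse_zonelist(SAMPLE), "domain.com"):
        print(f"{zone}: stored in {got}, expected {want}")
```

Run against the quoted output, it reports only `domain.com`, which sits in ForestDnsZones instead of DomainDnsZones.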