[Samba] samba dc dns issue

Alex samba at abisoft.biz
Fri Mar 13 15:44:19 UTC 2020


Hi,

After joining a Samba DC (vm-dc4) to an MS AD domain, I discovered that most of
its DNS entries were not populated. Below are the only entries in AD for the new DC:

domain.com:VM-DC4                  900  A       172.26.1.84
_msdcs.domain.com:d14c4206-79e3-441f-868a-6c693415256a 900      CNAME   vm-dc4.domain.com.

Please, help me figure out what's going on.

Here is an excerpt from log.samba:
# grep dnsup log.samba
  prefork_fork_master: Forking [dnsupdate] pre-fork master process
  prefork_fork_master: Forking [dnsupdate] pre-fork master process
[2020/03/13 17:48:19.938956,  3] ../../source4/dsdb/dns/dns_update.c:126(dnsupdate_check_names)
[2020/03/13 17:48:19.981617,  3] ../../source4/dsdb/dns/dns_update.c:141(dnsupdate_check_names)
  ...
    /usr/local/samba/sbin/samba_dnsupdate: Processing section "[sysvol]"
  /usr/local/samba/sbin/samba_dnsupdate: Processing section "[netlogon]"
  /usr/local/samba/sbin/samba_dnsupdate: pm_process() returned Yes
  /usr/local/samba/sbin/samba_dnsupdate: added interface ens18 ip=172.26.1.84 bcast=172.26.255.255 netmask=255.255.0.0
  /usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no] updates allowed[no]
  /usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no] updates allowed[no]
  /usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
[2020/03/13 17:48:22.992929,  3] ../../source4/dsdb/dns/dns_update.c:111(dnsupdate_spnupdate_done)
  /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 199
  /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 1449
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_spnego' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5_sasl' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'spnego' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'schannel' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'naclrpc_as_system' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'sasl-EXTERNAL' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp_resume_ccache' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_basic' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_ntlm' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_negotiate' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'krb5' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'fake_gssapi_krb5' registered
  /usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism gssapi_krb5_sasl
  /usr/local/samba/sbin/samba_dnsupdate: Ticket in credentials cache for VM-DC4$@DOMAIN.COM will expire in 35998 secs
  /usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism gssapi_krb5_sasl
  /usr/local/samba/sbin/samba_dnsupdate: GSSAPI credentials for VM-DC4$@DOMAIN.COM will expire in 35999 secs
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
  /usr/local/samba/sbin/samba_dnsupdate: update failed: SERVFAIL
...
  /usr/local/samba/sbin/samba_dnsupdate: Failed update of 25 entries
  samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate exited 25
[2020/03/13 17:58:24.726240,  0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 25

Join command was:
samba-tool domain join domain.com DC -k yes --server=vm-dc1.domain.com --dns-backend SAMBA_INTERNAL -v -d 5 2>&1 | tee join.txt

# cat smb.conf
# smb.conf for the joined DC (VM-DC4). The comment lines are review notes on
# the settings; every setting line is unchanged.
[global]
        netbios name = VM-DC4
        realm = DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAIN
        # Upstream resolver for queries the internal DNS server (the join used
        # --dns-backend SAMBA_INTERNAL) cannot answer from its own zones.
        dns forwarder = 172.26.1.1
        # NTLMv1 is accepted only when the client declares MSCHAPv2 (typically
        # a RADIUS setup going through ntlm_auth); all other NTLM logons must
        # be NTLMv2. This is looser than the ntlmv2-only default, so it is
        # worth keeping only if an MSCHAPv2 consumer actually exists.
        ntlm auth = mschapv2-and-ntlmv2-only
        # Relaxed from the default (yes): simple binds and SASL binds without
        # sign/seal are accepted on TLS-protected LDAP connections, so binding
        # security then rests on the TLS layer; unencrypted connections still
        # need SASL with sign or seal.
        # NOTE(review): confirm which LDAP clients need this before keeping it.
        ldap server require strong auth = allow_sasl_over_tls
        # Debug-level logging for troubleshooting. At this level the logs carry
        # principal names and authentication details (see the excerpt above),
        # so lower it again afterwards and restrict who can read the log files.
        log level = 5
        # Size in KiB at which the log file is rotated.
        max log size = 5000

# Standard DC shares. They are writable at share level, so effective access
# is decided by the ACLs on the paths below.
# NOTE(review): verify the sysvol ACLs after the join.
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
        read only = No

# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.com
nameserver 172.26.1.84
nameserver 172.26.1.81
nameserver 172.26.1.82

# samba -V
Version 4.12.0

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.1.84     vm-dc4.domain.com      vm-dc4

-- 
Best regards,
Alex



