[Samba] DNS names for AD joined samba server

Orion Poplawski orion at nwra.com
Tue May 26 16:06:06 UTC 2020


On 20/05/2020 Rowland penny wrote:
> On 20/05/2020 19:29, Orion Poplawski via samba wrote:
>> I'm trying to figure out a puzzling thing that we are seeing with some
>> recently joined or re-joined samba servers.  Our linux servers are in a
>> different DNS domain than our AD machines

> Then they cannot join the domain.

Interesting.

>>   (nwra.com or cora.nwra.com vs
>> ad.nwra.com for the AD machines).  Generally when we've joined a machine to AD
>> the DNS name recorded in AD is their regular linux FQDN.

> If this is happening, then we need to know just how you are doing the 
> join, so we can open a bug report. All AD machines must be in the same 
> DNS domain.

I'm doing:

# sudo net ads join -U DOMAINADMIN
Enter DOMAINADMIN's password:

Using short domain name -- NWRA

Joined 'STOR-BOULDER01' to dns domain 'ad.nwra.com'

DNS Update for stor-boulder01.cora.nwra.com failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL


[global]
        workgroup = NWRA
        security = ads
        realm = AD.NWRA.COM
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config NWRA : backend = nss
        idmap config NWRA : range = 1000-999999
        winbind scan trusted domains = no
        preferred master = no

This machine ends up with a cora.nwra.com SPN as usual:

# kvno cifs/stor-boulder01.cora.nwra.com@AD.NWRA.COM
cifs/stor-boulder01.cora.nwra.com@AD.NWRA.COM: kvno = 5


>>    But a couple
>> machines have ended up with the "ad.nwra.com" domain.

> That is what is supposed to happen.

>> In some way this is preferred as it allows for easier lookup of the appropriate
>> SPNs.  But I have no idea what is controlling this.  Could it possibly be a
>> change between 4.9.1-10.el7_7 and 4.10.4-10.el7 (but not in 4.10.4-101.el8_1) ?
> 
> Doubt it, you seem to have found a bug, you shouldn't be able to join a 
> machine if it isn't in the same dns domain.
> 
> Rowland

Happy to file a bug if needed.

Thanks,

  Orion


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
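A pre-join check for the mismatch discussed above, added here as an example and not code from the thread or from Samba: it parses the [global] section of smb.conf, compares the host's FQDN with the realm's DNS zone, and reports the DNS record and SPN that `net ads join` will use. It assumes (not stated in the thread) that the AD DNS server only accepts dynamic updates for the realm's own zone, so a host outside that zone gets the DNS update refused; the smb.conf text is a constructed copy of the one posted.

```python
import re
import socket

# Constructed smb.conf text mirroring the configuration posted in the thread.
SAMPLE_SMB_CONF = """
[global]
        workgroup = NWRA
        security = ads
        realm = AD.NWRA.COM
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
"""


def parse_global(smb_conf_text):
    """Return the [global] section of an smb.conf as a dict of normalised keys."""
    params = {}
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # collapse whitespace so "idmap config * : backend" keys compare reliably
        params[" ".join(key.lower().split())] = value.strip()
    return params


def check_join_names(smb_conf_text, fqdn):
    """Compare the host FQDN with the realm zone and report what a join would register.
    Assumption: AD DNS accepts dynamic updates only for the realm's own zone."""
    realm = parse_global(smb_conf_text).get("realm", "").lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    short, _, host_domain = fqdn.partition(".")
    in_realm_zone = host_domain == realm or host_domain.endswith("." + realm)
    return {
        "realm": realm,
        "host_domain": host_domain,
        "dns_record": fqdn,                          # name net ads join tries to update
        "spn_to_probe": f"cifs/{fqdn}@{realm.upper()}",   # what the kvno check above tests
        "realm_style_name": f"{short}.{realm}",     # name a host inside the AD zone would get
        "in_realm_zone": in_realm_zone,
        "warning": None if in_realm_zone else
            f"{fqdn} is outside {realm}: expect the DNS update to fail (ERROR_DNS_GSS_ERROR)",
    }


if __name__ == "__main__":
    for key, value in check_join_names(SAMPLE_SMB_CONF, socket.getfqdn()).items():
        print(f"{key}: {value}")
```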


