[Samba] Confirmed inconsistency between `samba-tool domain join` and `net ads join`
Patrick Goetz
pgoetz at math.utexas.edu
Thu Nov 4 10:14:28 UTC 2021
OK, was able to confirm that samba-tool at best inconsistently updates
DNS when a machine joins the domain:

root@atomsmasher:~# samba-tool domain join ea.linuxcs.com MEMBER -U administrator
Password for [EA\administrator]:
Joined domain ea.linuxcs.com (S-1-5-21-2398640129-655337111-1434392923)

root@samba-dc:~# host atomsmasher
root@samba-dc:~#

root@atomsmasher:~# net ads leave -U Administrator
Password for [EA\Administrator]:
Deleted account for 'ATOMSMASHER' in realm 'EA.LINUXCS.COM'
root@atomsmasher:~# samba-tool domain join ea.linuxcs.com MEMBER -U administrator
Password for [EA\administrator]:
Joined domain ea.linuxcs.com (S-1-5-21-2398640129-655337111-1434392923)

root@samba-dc:~# host atomsmasher
root@samba-dc:~#

root@atomsmasher:~# net ads leave -U Administrator
Password for [EA\Administrator]:
Deleted account for 'ATOMSMASHER' in realm 'EA.LINUXCS.COM'
root@atomsmasher:~# net ads join -U administrator
Password for [EA\administrator]:
Using short domain name -- EA
Joined 'ATOMSMASHER' to dns domain 'ea.linuxcs.com'

root@samba-dc:~# host atomsmasher
atomsmasher.ea.linuxcs.com has address 192.168.1.82

Also confirmed that the DNS entry is not removed when the machine leaves
the domain. As mentioned previously, if the DNS entry is created
automatically, then it also needs to be removed automatically. Since
it's automatic, it's not inconvenient to the admin who takes a machine
out of the domain and adds it back soon thereafter. Also, consequences:

root@atomsmasher:~# net ads join -U administrator
Password for [EA\administrator]:
Using short domain name -- EA
Joined 'ATOMSMASHER' to dns domain 'ea.linuxcs.com'
DNS Update for atomsmasher.ea.linuxcs.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

The PTR record is not added automatically:

root@samba-dc:~# samba-tool dns query samba-dc ea.linuxcs.com atomsmasher PTR -UAdministrator
Password for [EA\Administrator]:
Name=, Records=0, Children=0

If the A record is added automatically, the PTR record probably should
be too. This would be consistent with Windows servers' behavior.
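
The three DNS states reported above (no A record after a join, an A record left behind after a leave, an A record without a PTR) can be told apart mechanically. The script below is an added example, not part of the original post or of Samba; the function names and state labels are hypothetical, and it assumes only the `Name=, Records=N, Children=N` summary line that `samba-tool dns query` prints in the post.

```shell
#!/bin/sh
# Added example: classify one host's DNS state from captured
# `samba-tool dns query` output. Only the summary-line format shown
# in the post is assumed:  Name=, Records=0, Children=0

# record_count OUTPUT: sum of Records=N over all summary lines,
# or -1 when no summary line is present (the query itself failed).
record_count() {
    printf '%s\n' "$1" | awk '
        match($0, /Records=[0-9]+/) {
            n += substr($0, RSTART + 8, RLENGTH - 8); seen = 1
        }
        END { print (seen ? n : -1) }'
}

# dns_state JOINED A_OUTPUT PTR_OUTPUT
# JOINED is "yes" when the machine account exists, otherwise "no".
dns_state() {
    a=$(record_count "$2")
    ptr=$(record_count "$3")
    if [ "$a" -lt 0 ] || [ "$ptr" -lt 0 ]; then
        echo QUERY_FAILED
    elif [ "$1" = no ]; then
        if [ "$a" -gt 0 ] || [ "$ptr" -gt 0 ]; then
            echo STALE_RECORD
        else
            echo CLEAN
        fi
    elif [ "$a" -eq 0 ]; then
        echo MISSING_A
    elif [ "$ptr" -eq 0 ]; then
        echo MISSING_PTR
    else
        echo OK
    fi
}

# Constructed sample outputs (not captured from a real server).
NONE='Name=, Records=0, Children=0'
ONE='Name=, Records=1, Children=0'

# The three states reported in the post:
echo "after samba-tool domain join: $(dns_state yes "$NONE" "$NONE")"
echo "after net ads leave:          $(dns_state no  "$ONE"  "$NONE")"
echo "after net ads join:           $(dns_state yes "$ONE"  "$NONE")"
```

A STALE_RECORD result marks a name that still resolves after its machine account has been deleted, which is the case worth cleaning up by hand until leave removes the record itself.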