[Samba] Member Join dnsupdate problem

Epsilon Minus theepsilonminus at gmail.com
Fri Dec 23 15:44:34 UTC 2022


Hello.

I have a problem when trying to add a Samba as a member. I get the
Samba authentication to work fine, but I can't get it to update the
DNS records correctly.


root@fs06:~# samba-tool domain join EXAMPLE.COM.AR MEMBER -Uadministrator --server=DC05 -v
Password for [EXAMPLE\administrator]:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : 'DC05'
            machine_name             : 'FS06'
            domain_name              : *
                domain_name              : 'EXAMPLE.COM.AR'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'administrator'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            dnshostname              : 'FS06'
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
            provision_computer_account_only: 0x00 (0)
            odj_provision_data       : NULL
            request_offline_join     : 0x00 (0)
libnet_join_precreate_machine_acct: Machine account successfully created
     join: struct secrets_domain_infoB
        version                  : SECRETS_DOMAIN_INFO_VERSION_1 (1)
        reserved                 : 0x00000000 (0)
        info                     : union secrets_domain_infoU(case 1)
        info1                    : *
            info1: struct secrets_domain_info1
                reserved_flags           : 0x0000000000000000 (0)
                join_time                : Fri Dec 23 12:38:27 2022 -03
                computer_name            : 'FS06'
                account_name             : 'FS06$'
                secure_channel_type      : SEC_CHAN_WKSTA (2)
                domain_info: struct lsa_DnsDomainInfo
                    name: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'EXAMPLE'
                    dns_domain: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'example.com.ar'
                    dns_forest: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'example.com.ar'
                    domain_guid              : 83c96a45-1808-4bc2-9b58-0c535f3ed3da
                    sid                      : *
                        sid                      : S-1-5-21-527077859-282153845-2196410814
                trust_flags              : 0x0000001a (26)
                       0: NETR_TRUST_FLAG_IN_FOREST
                       1: NETR_TRUST_FLAG_OUTBOUND
                       0: NETR_TRUST_FLAG_TREEROOT
                       1: NETR_TRUST_FLAG_PRIMARY
                       1: NETR_TRUST_FLAG_NATIVE
                       0: NETR_TRUST_FLAG_INBOUND
                       0: NETR_TRUST_FLAG_MIT_KRB5
                       0: NETR_TRUST_FLAG_AES
                trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
                trust_attributes         : 0x00000040 (64)
                       0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                       0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                       0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                       0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                       1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                       0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
                       0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
                reserved_routing         : NULL
                supported_enc_types      : 0x0000001f (31)
                       1: KERB_ENCTYPE_DES_CBC_CRC
                       1: KERB_ENCTYPE_DES_CBC_MD5
                       1: KERB_ENCTYPE_RC4_HMAC_MD5
                       1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
                       1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
                       0: KERB_ENCTYPE_FAST_SUPPORTED
                       0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
                       0: KERB_ENCTYPE_CLAIMS_SUPPORTED
                       0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
                salt_principal           : *
                    salt_principal           : 'host/fs06.example.com.ar@EXAMPLE.COM.AR'
                password_last_change     : Fri Dec 23 12:38:27 2022 -03
                password_changes         : 0x0000000000000001 (1)
                next_change              : NULL
                password                 : *
                    password: struct secrets_domain_info1_password
                        change_time              : Fri Dec 23 12:38:27 2022 -03
                        change_server            : 'dc05.example.com.ar'
                        cleartext_blob           : DATA_BLOB length=240
                        nt_hash: struct samr_Password
                            hash: ARRAY(16): <REDACTED SECRET VALUES>
                        salt_data                : *
                            salt_data                : 'EXAMPLE.COM.ARhostfs06.example.com.ar'
                        default_iteration_count  : 0x00001000 (4096)
                        num_keys                 : 0x0003 (3)
                        keys: ARRAY(3)
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000012 (18)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=32
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000011 (17)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000017 (23)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=16
                old_password             : NULL
                older_password           : NULL
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            odj_provision_data       : NULL
            account_name             : 'FS06$'
            netbios_domain_name      : 'EXAMPLE'
            dns_domain_name          : 'example.com.ar'
            forest_name              : 'example.com.ar'
            dn                       : 'CN=FS06,CN=Computers,DC=example,DC=com,DC=ar'
            domain_guid              : 83c96a45-1808-4bc2-9b58-0c535f3ed3da
            domain_sid               : *
                domain_sid               : S-1-5-21-527077859-282153845-2196410814
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x0000001f (31)
            krb5_salt                : 'host/fs06.example.com.ar@EXAMPLE.COM.AR'
            dcinfo                   : *
                dcinfo: struct netr_DsRGetDCNameInfo
                    dc_unc                   : *
                        dc_unc                   : '\\dc05.example.com.ar'
                    dc_address               : *
                        dc_address               : '\\192.168.50.55'
                    dc_address_type          : DS_ADDRESS_TYPE_INET (1)
                    domain_guid              : 83c96a45-1808-4bc2-9b58-0c535f3ed3da
                    domain_name              : *
                        domain_name              : 'example.com.ar'
                    forest_name              : *
                        forest_name              : 'example.com.ar'
                    dc_flags                 : 0xe00013fc (3758101500)
                           0: DS_SERVER_PDC
                           1: DS_SERVER_GC
                           1: DS_SERVER_LDAP
                           1: DS_SERVER_DS
                           1: DS_SERVER_KDC
                           1: DS_SERVER_TIMESERV
                           1: DS_SERVER_CLOSEST
                           1: DS_SERVER_WRITABLE
                           1: DS_SERVER_GOOD_TIMESERV
                           0: DS_SERVER_NDNC
                           0: DS_SERVER_SELECT_SECRET_DOMAIN_6
                           1: DS_SERVER_FULL_SECRET_DOMAIN_6
                           0: DS_SERVER_WEBSERV
                           0: DS_SERVER_DS_8
                           1: DS_DNS_CONTROLLER
                           1: DS_DNS_DOMAIN
                           1: DS_DNS_FOREST_ROOT
                    dc_site_name             : *
                        dc_site_name             : 'Default-First-Site-Name'
                    client_site_name         : *
                        client_site_name         : 'Default-First-Site-Name'
            account_rid              : 0x00001247 (4679)
            result                   : WERR_OK
Joined domain example.com.ar (S-1-5-21-527077859-282153845-2196410814)


root@fs06:~# samba_dnsupdate
The server update list was not found, and --update-list was not provided.
[Errno 2] No such file or directory: '/var/lib/samba/private/dns_update_list'

Usage: samba_dnsupdate [options]


Password for [EXAMPLE\administrator]:
DNS Update for fs06.example.com.ar failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!

root@fs06:~# ls -la /var/lib/samba/
total 2228
drwxr-xr-x  7 root root            4096 dic 23 12:35 .
drwxr-xr-x 42 root root            4096 nov  3 00:28 ..
-rw-------  1 root root          421888 nov  2 10:24 account_policy.tdb
drwxr-xr-x  4 root root            4096 nov  2 10:16 DriverStore
-rw-------  1 root root          425984 nov  2 10:29 group_mapping.tdb
drwxr-xr-x 12 root root            4096 nov  2 10:16 printers
drwxr-xr-x  3 root root            4096 dic 23 12:32 private
-rw-------  1 root root          528384 nov  2 10:24 registry.tdb
-rw-------  1 root root          421888 nov  2 10:24 share_info.tdb
drwxrwx--T  2 root sambashare      4096 nov  2 10:16 usershares
-rw-------  1 root root           32768 dic 23 12:35 winbindd_cache.tdb
-rw-r--r--  1 root root          421888 nov  2 10:49 winbindd_idmap.tdb
drwxr-x---  2 root winbindd_priv   4096 dic 23 12:35 winbindd_privileged


root@fs06:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy


root@fs06:~# dpkg --list  | grep samba
ii  python3-samba                         2:4.15.9+dfsg-0ubuntu0.3 amd64        Python 3 bindings for Samba
ii  samba                                 2:4.15.9+dfsg-0ubuntu0.3 amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.15.9+dfsg-0ubuntu0.3 all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.15.9+dfsg-0ubuntu0.3 amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.15.9+dfsg-0ubuntu0.3 amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.15.9+dfsg-0ubuntu0.3 amd64        Samba core libraries
ii  samba-testsuite                       2:4.15.9+dfsg-0ubuntu0.3 amd64        test suite from Samba
ii  samba-vfs-modules:amd64               2:4.15.9+dfsg-0ubuntu0.3 amd64        Samba Virtual FileSystem plugins


