[Samba] linux client DNS issues

Patrick Goetz pgoetz at math.utexas.edu
Mon Feb 7 15:24:56 UTC 2022


Save for the issue of PTR DNS records not being automatically created 
when joining a linux client to a Samba AD, I've had no problems joining 
Ubuntu + Louis van Belle linux clients to a Samba domain using the 
internal Samba DNS server.

At the moment, I'm working on joining an Arch linux client to a Samba 
AD, and have run into an issue I didn't see on Ubuntu and want to find 
out what the difference is. Note: nearly identical smb.conf files (only 
the Shares differ) and same krb5.conf file.

When I attempt to join the Arch linux machine to the domain using `net 
ads join`:

[root@erap-gnome samba]# net ads join -U administrator
Password for [EA\administrator]:
Using short domain name -- EA
Joined 'ERAP-GNOME' to dns domain 'ea.linuxcs.com'
No DNS domain configured for erap-gnome. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER


I looked up NT_STATUS_INVALID_PARAMETER in the wiki, and the suggestion 
was a missing or invalid host entry in /etc/hosts. I did indeed have a 
typo in the machine's entry in /etc/hosts, but fixing the typo did not 
resolve the issue. I get the same (or similar) error message when 
attempting to rejoin the machine to the domain. The machine is added to 
the domain, but no DNS A record is generated for it.

I also tried using:

   # samba-tool domain join ea.linuxcs.com MEMBER -U Administrator

Using samba-tool there's no error message, but also no DNS entry:

root@samba-dc:/var/log/samba# samba-tool dns query samba-dc ea.linuxcs.com erap-gnome ALL -U administrator
Password for [EA\administrator]:
ERROR: Record or zone does not exist.


All the domain tests like `wbinfo -g` work properly on the Arch client, 
so I'm fairly confident I can just create the DNS records for this host 
by hand, but am still wondering what the difference is between the 
Ubuntu installs and this Arch linux install.

Also, following the suggestion here: 
https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates, in particular

   # samba_dnsupdate --verbose --all-names

I get confusing output.  On the one hand:

   ...
   ...
   force update: A ForestDnsZones.ea.linuxcs.com 192.168.1.80
force update: SRV _ldap._tcp.ForestDnsZones.ea.linuxcs.com 
samba-dc.ea.linuxcs.com 389
force update: SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ea.linuxcs.com 
samba-dc.ea.linuxcs.com 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/samba-dc.ea.linuxcs.com as 
SAMBA-DC$
update(nsupdate): A samba-dc.ea.linuxcs.com 192.168.1.80
Calling nsupdate for A samba-dc.ea.linuxcs.com 192.168.1.80 (add)
Successfully obtained Kerberos ticket to DNS/samba-dc.ea.linuxcs.com as 
SAMBA-DC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba-dc.ea.linuxcs.com. 900	IN	A	192.168.1.80


but then followed by

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME 
cdea986f-1d6f-4126-a4db-75507155bf68._msdcs.ea.linuxcs.com 
samba-dc.ea.linuxcs.com
Calling nsupdate for CNAME 
cdea986f-1d6f-4126-a4db-75507155bf68._msdcs.ea.linuxcs.com 
samba-dc.ea.linuxcs.com (add)
Successfully obtained Kerberos ticket to DNS/samba-dc.ea.linuxcs.com as 
SAMBA-DC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
cdea986f-1d6f-4126-a4db-75507155bf68._msdcs.ea.linuxcs.com. 900	IN CNAME 
samba-dc.ea.linuxcs.com.

...

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ea.linuxcs.com 
samba-dc.ea.linuxcs.com 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ea.linuxcs.com 
samba-dc.ea.linuxcs.com 389 (add)
Successfully obtained Kerberos ticket to DNS/samba-dc.ea.linuxcs.com as 
SAMBA-DC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ea.linuxcs.com. 
900 IN	SRV 0 100 389 samba-dc.ea.linuxcs.com.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 29 entries


Not sure what all that is about.
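
The /etc/hosts check that the post says the wiki suggests can be scripted. This is an added example, not part of the original message and not Samba code: `check_hosts_entry` is a hypothetical helper, the client address 192.168.1.50 is constructed, and it assumes the usual glibc behaviour that the first name on a hosts line becomes the host's canonical (fully qualified) name.

```python
import ipaddress

def check_hosts_entry(hosts_text, short_name):
    """Return a list of problems with the /etc/hosts lines naming short_name."""
    short = short_name.lower()
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        names = [n.lower() for n in fields[1:]]
        if any(n == short or n.startswith(short + ".") for n in names):
            entries.append((fields[0], names))
    if not entries:
        return [f"no line names {short_name}"]
    problems = []
    for addr, names in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{addr}: not a valid IP address")
            continue
        if ip.is_loopback:
            problems.append(f"{addr}: host name mapped to a loopback address")
        if "." not in names[0]:
            # A canonical name without a dot leaves the host with no DNS domain.
            problems.append(f"{addr}: first name '{names[0]}' has no DNS domain")
        if short not in names:
            problems.append(f"{addr}: short name '{short}' missing")
    return problems

# Constructed sample files; only the domain name comes from the post.
GOOD = "127.0.0.1 localhost\n192.168.1.50 erap-gnome.ea.linuxcs.com erap-gnome\n"
SHORT_FIRST = "127.0.0.1 localhost\n192.168.1.50 erap-gnome erap-gnome.ea.linuxcs.com\n"
LOOPBACK = "127.0.0.1 localhost\n127.0.1.1 erap-gnome.ea.linuxcs.com erap-gnome\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("short-first", SHORT_FIRST),
                        ("loopback", LOOPBACK)):
        print(label, check_hosts_entry(text, "erap-gnome") or "ok")
```

On a real client, pass the contents of /etc/hosts and the short host name; an empty list means the entry has the FQDN first, then the short name, on a non-loopback address.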



