[Samba] Problems runing kinit on a (wannabe) secondary DC
Rowland Penny
rpenny at samba.org
Fri Jul 15 15:10:50 UTC 2022
On Fri, 2022-07-15 at 16:47 +0200, Lorenzo Milesi via samba wrote:
> We cannot even join clients to the domain, on the Win10 client I see
> error code 64 - event id 4097.
>
> The client uses 192.168.8.1 as only DNS, and has wdc.domain.it as dns
> suffix.
> On the server I see a successful krb auth as Administrator, and no
> errors.
>
> It looks like there's something wrong on the DC... Can this be
> related to the wrong Bind9 .so used?
> If so, can I deactivate Bind9 and try with the builtin Samba4 DNS? Is
> the DNS "db" stored into Samba or in Bind?
Each DC must be authoritative for the AD dns domain and there must be
no other dns server running on the computer, except for Bind9 and this
must be set up correctly.
When you set up Samba (either by provisioning a new domain or by
joining as a DC to an existing Domain), a file should be created in
/var/lib/samba/bind-dns if BIND_DLZ is used. If you add this line to
/etc/bind/named.conf.local:
include "/var/lib/samba/bind-dns/named.conf";
Then the correct .so should be used.
No matter which of the supported dns server is used (internal or
BIND_DLZ), the dns records are stored in AD, so you can switch between
dns servers by either adding 'server services = -dns' to the DC's
smb.conf (this will use Bind9) or by commenting any 'server services'
line (this will use the internal dns server)
When joining a new DC, /etc/resolv.conf must have an existing DC's
ipaddress as the first nameserver until the new DC is joined. After the
join, the first nameserver must point to its own ipaddress and Samba
restarted.
Rowland
More information about the samba
mailing list