[Samba] Samba unable to find SRV record during join

Rowland Penny rpenny at samba.org
Tue Sep 6 16:05:55 UTC 2022 

On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> According to the documentation[1], I'm trying to join a to-be DC to
> an 
> existing domain with:
> 
>      samba-tool domain join cyberfusion.cloud DC -k yes 
> --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> 

What version of Samba are you using ? From 4.15.0 '-k yes' has been
replaced with '--use-kerberos=required', though the earlier form should
still work.
Does /etc/resolv.conf point to an existing AD DC ?
What OS is this ?


> With debug level 5, this fails with:
> 
>      finddcs: searching for a DC by DNS domain cyberfusion.cloud
>      finddcs: looking for SRV records for
> _ldap._tcp.cyberfusion.cloud
>      resolve_lmhosts: Attempting lmhosts lookup for name 
> _ldap._tcp.cyberfusion.cloud<0x0>
>      startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error
> was 
> No such file or directory
>      dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of
> type 
> SRV
>      finddcs: Failed to find SRV record for
> _ldap._tcp.cyberfusion.cloud
>      ERROR: Failed to find a writeable DC for domain
> 'cyberfusion.cloud': 
> The object name is not found.
>        File "/usr/lib/python3/dist-packages/samba/join.py", line 351,
> in 
> find_dc
>          ctx.cldap_ret = ctx.net.finddc(domain=domain, 
> flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS |
> nbt.NBT_SERVER_WRITABLE)
> 
> However, the lookup actually succeeds. I tcpdumped on the existing
> DC 
> that receives the DNS query, and on the to-be new DC. The SRV lookup 
> succeeds, and Samba looks up the AAAA and A records for the hosts in
> the 
> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6 
> addresses for the DCs, and the A lookups result in an empty RRSet,
> as 
> this is an IPv6-only setup.
> 
> I tried omitting --dns-backend and --option in the join command.

You do not need the dns one, it will used by default and the option
makes samba use any uidNumber & gidNumber attributes found in AD
instead of the xidNumber attributes found in idmap.ldb.

>  I also 
> tried using a username & password instead of Kerberos after kinit. 
> Getting a token with `kinit administrator` succeeds. That does not
> help.
> 
> Searching for the error messages "dns child failed to find name" and 
> "finddcs: Failed to find SRV record for" yielded a former post[2] on
> the 
> mailing list, which suggests to set 'interfaces'. That does not help 
> either.
> 
> I hope someone has some pointers!
> 

It sounds like a dns problem.

Rowland

More information about the samba mailing list